fast-xml-parser XML Injection Vulnerability in XMLBuilder Allowing XSS and Data Manipulation

Vulnerability

fast-xml-parser versions through 5.5.12 are vulnerable to XML injection in the XMLBuilder component. When building a document, XMLBuilder writes the bodies of XML comments and CDATA sections without escaping the delimiters that close them (`-->` for a comment, `]]>` for a CDATA section). If user-controlled data reaches a comment or CDATA property of the object passed to the builder, an attacker can include one of these delimiters to terminate the section early, and whatever follows is emitted as markup rather than as inert text. This allows cross-site scripting (XSS) when the output is rendered in an SVG or HTML context, as well as manipulation of SOAP messages or RSS feed content.

Impact

Exploitation allows an attacker to inject scripts into XML, SVG, or HTML documents, modify the structure of SOAP messages, poison RSS or Atom feeds, and more generally alter an XML document by breaking out of a comment or CDATA context.

Reproduction

To reproduce, build a document with fast-xml-parser's XMLBuilder in which a comment or CDATA property of the input object (for example the description of an RSS item or the body of a SOAP message) carries attacker-controlled data containing the closing delimiter of that section (`-->` or `]]>`) followed by arbitrary markup. The builder emits the trailing markup outside the comment or CDATA section instead of escaping it.

Remediation

Users are advised to update fast-xml-parser to version 5.7.0 or later, where this vulnerability has been patched. Until the upgrade is applied, treat any value that ends up in a comment or CDATA property as untrusted and reject or neutralise the `-->` and `]]>` sequences before passing it to the builder.
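The following is an added example, not code from fast-xml-parser or from this advisory. It shows the breakout described under Reproduction against a simplified stand-in for a builder that writes comment and CDATA bodies verbatim, then the application-side guard suggested under Remediation: a detector for the two closing delimiters, the standard CDATA split, a comment neutraliser, and a small scanner that reports which elements end up at markup level. The function names (buildUnsafe, hasBreakout, escapeCdata, escapeComment, buildSafe, markupTags) and the sample feed item are assumptions.

```javascript
// Added example (not fast-xml-parser's own code): an application-side guard
// for data that will be written into XML comments or CDATA sections.
// buildUnsafe() is a simplified stand-in for a builder that copies comment
// and CDATA bodies into the output unchanged, which is the behaviour the
// advisory describes. All function names and the sample item are assumptions.

// Stand-in for an unescaping builder: one RSS-style item whose comment and
// description bodies are written verbatim.
function buildUnsafe(item) {
  return (
    '<item>' +
    '<!--' + item.comment + '-->' +
    '<description><![CDATA[' + item.description + ']]></description>' +
    '</item>'
  );
}

// True if the value contains a sequence that would close a comment or a
// CDATA section early. Use this to reject input outright.
function hasBreakout(value) {
  return /-->|\]\]>/.test(value);
}

// A CDATA section cannot contain "]]>". The usual workaround is to split it
// across two adjacent sections: "]]" ends the first, ">" starts the second.
function escapeCdata(value) {
  return value.split(']]>').join(']]]]><![CDATA[>');
}

// An XML comment may not contain "--" and may not end with "-", and there is
// no escape sequence, so adjacent dashes are separated with a space instead.
function escapeComment(value) {
  return value.replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
}

// Hardened form: neutralise the delimiters before the builder sees them.
function buildSafe(item) {
  return buildUnsafe({
    comment: escapeComment(item.comment),
    description: escapeCdata(item.description),
  });
}

// Check: walk the serialized document and collect the element names that
// appear at markup level, i.e. outside comments and CDATA sections. An
// injected element shows up here; properly contained text does not.
function markupTags(xml) {
  const tags = [];
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith('<!--', i)) {
      const end = xml.indexOf('-->', i + 4);
      i = end === -1 ? xml.length : end + 3;
    } else if (xml.startsWith('<![CDATA[', i)) {
      const end = xml.indexOf(']]>', i + 9);
      i = end === -1 ? xml.length : end + 3;
    } else if (xml[i] === '<') {
      const m = /^<\/?([A-Za-z][\w:.-]*)/.exec(xml.slice(i));
      if (m) tags.push(m[1]);
      i += 1;
    } else {
      i += 1;
    }
  }
  return tags;
}

// Constructed payload: a feed item whose fields close the comment and the
// CDATA section and smuggle a <script> element into the document.
const payloadItem = {
  comment: 'editor note --><script>alert(1)</script><!--',
  description: 'hello]]><script>alert(1)</script><![CDATA[',
};

console.log('breakout present:', hasBreakout(payloadItem.description));
console.log('unsafe markup-level tags:', markupTags(buildUnsafe(payloadItem)));
console.log('safe markup-level tags:  ', markupTags(buildSafe(payloadItem)));
```

With the unsafe builder the scanner reports `script` at markup level; after escaping, the same input yields only `item` and `description`, and the injected text survives as character data. In a real deployment the guard is applied to the values before they are placed under the builder's comment and CDATA properties (in fast-xml-parser those property names are configured through the builder's `commentPropName` and `cdataPropName` options); rejecting input that trips hasBreakout is the simpler policy where the data has no legitimate need for those sequences.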

Added: May 7, 2026, 3:41 PM
Updated: May 7, 2026, 3:41 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 6.0
remediation: 7.7
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.