Patch transitive fast-xml-parser to 5.3.5 for CVE-2026-25896 (GHSA-m7jm-9gc2-mpf2)#229

Merged
sydneyrenee merged 2 commits into main from copilot/fix-fast-xml-parser-vulnerability on May 22, 2026

Conversation

Contributor

Copilot AI commented May 22, 2026

fast-xml-parser < 5.3.5 allows entity-encoding bypass via regex injection in DOCTYPE entity names, enabling shadowing of built-in entities and downstream injection risk. This repository resolved fast-xml-parser@5.2.5 transitively via AWS SDK internals, which leaves the vulnerable path present in shipped dependencies.

  • Dependency remediation

    • Added a pnpm scoped override to force the transitive edge @aws-sdk/xml-builder > fast-xml-parser to the minimum patched version 5.3.5.
    • Updated pnpm-lock.yaml accordingly so AWS SDK XML builder no longer resolves fast-xml-parser@5.2.5.
  • Reachability assessment

    • The affected API (XMLParser entity processing) is used in repo code:
      • src/utils/xml.ts constructs new XMLParser(...).
      • src/core/tools/askFollowupQuestionTool.ts calls parseXml(...) on follow-up XML payloads.
    • Because parser usage exists in runtime paths, this is treated as reachable.
    • Confidence: High (direct import/callsite traceable to the affected parser API).
  • What changed (snippet)

{
  "pnpm": {
    "overrides": {
      "@aws-sdk/xml-builder>fast-xml-parser": "5.3.5"
    }
  }
}
Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names</alert_title>
<alert_description># Entity encoding bypass via regex injection in DOCTYPE entity names

Summary

A dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Details

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed . (period), which is valid in XML names per the W3C spec.

In DocTypeReader.js, entity names are passed directly to RegExp():

entities[entityName] = {
    regx: RegExp(`&${entityName};`, "g"),
    val: val
};

An entity named l. produces the regex /&l.;/g where . matches any character, including the t in &lt;. Since DOCTYPE entities are replaced before built-in entities, this shadows &lt; entirely.

The same issue exists in OrderedObjParser.js:81 (addExternalEntities), and in the v6 codebase - EntitiesParser.js has a validateEntityName function with a character blacklist, but . is not included:

// v6 EntitiesParser.js line 96
const specialChar = "!?\\/[]$%{}^&*()<>|+";  // no dot

Shadowing all 5 built-in entities

Entity name   Regex created   Shadows
l.            /&l.;/g         &lt;
g.            /&g.;/g         &gt;
am.           /&am.;/g        &amp;
quo.          /&quo.;/g       &quot;
apo.          /&apo.;/g       &apos;

PoC

const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root>
  <text>Hello &lt;b&gt;World&lt;/b&gt;</text>
</root>`;

const result = new XMLParser().parse(xml);
console.log(result.root.text);
// Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>

No special parser options needed - processEntities: true is the default.

When an app renders result.root.text in a page (e.g. innerHTML, template interpolation, SSR), the injected <img onerror> fires.

&amp; can be shadowed too:

const xml2 = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY am. "'; DROP TABLE users;--">
]>
<root>SELECT * FROM t WHERE name='O&amp;Brien'</root>`;

const r = new XMLParser().parse(xml2);
console.log(r.root);
// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'

Impact

This is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.

  • Default config, no special options
  • Attacker can replace any &lt; / &gt; / &amp; / &quot; / &apos; with arbitrary strings
  • Direct XSS vector when parsed XML content is rendered in a page
  • v5 and v6 both affected

Suggested fix

Escape regex metacharacters before constructing the replacement regex:

const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
entities[entityName] = {
    regx: RegExp(`&${escaped};`, "g"),
    val: val
};

For v6, add . to the blacklist in validateEntityName:

const specialChar = "!?\\/[].{}^&*()<>|+";

Severity

CWE-185 (Incorrect Regular Expression)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)

Entity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.</alert_description>

critical
GHSA-m7jm-9gc2-mpf2, CVE-2026-25896
fast-xml-parser
npm
<vulnerable_versions>5.2.5</vulnerable_versions>
<patched_version>5.3.5</patched_version>
<manifest_path>pnpm-lock.yaml</manifest_path>

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2
https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5
https://nvd.nist.gov/vuln/detail/CVE-2026-25896
https://github.com/advisories/GHSA-m7jm-9gc2-mpf2

<agent_instructions>Please resolve this any way you can</agent_instructions>

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then se...
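The shadowing mechanism in the advisory quoted above, as an added example that is not the advisory's PoC and not fast-xml-parser's own code: a minimal JavaScript model of the replacement the advisory describes, where each DOCTYPE entity name is compiled straight into a RegExp and applied to text content before the five built-in entities are decoded. It runs the same input once with the name used verbatim (the vulnerable construction) and once with regex metacharacters escaped (the suggested fix). The functions readDoctypeEntities, decodeEntities and demo and the sample XML are this example's own assumptions; the sample is constructed here to mirror the advisory's first PoC input.

```javascript
// Added example (not fast-xml-parser's code): a minimal model of the entity
// replacement the advisory describes. DOCTYPE entities become a RegExp and are
// applied BEFORE the built-in entities are decoded, so a name containing "."
// (a valid XML name character) can match and swallow &lt; &gt; &amp; etc.

// The five built-in entities, decoded after any DOCTYPE-declared ones.
const BUILT_IN = [
  [/&lt;/g, "<"],
  [/&gt;/g, ">"],
  [/&amp;/g, "&"],
  [/&quot;/g, '"'],
  [/&apos;/g, "'"],
];

// The escaping the advisory suggests: neutralise every regex metacharacter
// so the entity name only ever matches itself literally.
function escapeRegex(name) {
  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// entities: { name: value }. escape=false reproduces the vulnerable
// construction RegExp(`&${entityName};`); escape=true reproduces the fix.
function decodeEntities(text, entities, { escape }) {
  let out = text;
  for (const [name, val] of Object.entries(entities)) {
    const pattern = escape ? escapeRegex(name) : name;
    out = out.replace(RegExp(`&${pattern};`, "g"), val);
  }
  for (const [re, val] of BUILT_IN) out = out.replace(re, val);
  return out;
}

// Pull <!ENTITY name "value"> declarations out of an internal DOCTYPE subset.
// (Assumption of this example: double-quoted values only.)
function readDoctypeEntities(xml) {
  const entities = {};
  const re = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) entities[m[1]] = m[2];
  return entities;
}

// Constructed sample input, mirroring the advisory's first PoC.
const SAMPLE = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root><text>Hello &lt;b&gt;World&lt;/b&gt;</text></root>`;

// Decode the <text> content of SAMPLE with or without the escaping fix.
function demo(escape) {
  const entities = readDoctypeEntities(SAMPLE);
  const body = SAMPLE.match(/<text>(.*?)<\/text>/)[1];
  return decodeEntities(body, entities, { escape });
}

console.log("vulnerable:", demo(false));
console.log("fixed:     ", demo(true));
```

With escape false the entity compiles to /&l.;/g, which matches the literal text &lt; and replaces it with the attacker's markup before the built-in decoding step ever sees it; with escape true it compiles to /&l\.;/g, matches nothing in the sample, and &lt; decodes to the harmless "<b>". The same call with an entity named am. shows the &amp; case from the advisory's second PoC. This model only reproduces the ordering the advisory describes; the real parser does other processing around these steps.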

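A check for the remediation described in the PR description above, added here as an example and not code from this repository: scan a pnpm-lock.yaml for every version of a package the lockfile resolves, both as package entries (name@x.y.z:) and as snapshot dependency edges (name: x.y.z), and report any below the minimum patched version. The lockfile text is a constructed fragment in the style of a pnpm v9 lockfile, and the functions resolvedVersions, vulnerableVersions and compareSemver are this example's own.

```javascript
// Added example (not this repository's code): verify that a pnpm lockfile no
// longer resolves any version of a package below the minimum patched version.

// Constructed fragment in the style of a pnpm v9 lockfile, reflecting the
// scoped override added in this PR. Integrity values are placeholders.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

overrides:
  '@aws-sdk/xml-builder>fast-xml-parser': 5.3.5

packages:

  '@aws-sdk/xml-builder@3.0.0':
    resolution: {integrity: sha512-constructed}

  fast-xml-parser@5.3.5:
    resolution: {integrity: sha512-constructed}
    hasBin: true

snapshots:

  '@aws-sdk/xml-builder@3.0.0':
    dependencies:
      fast-xml-parser: 5.3.5
`;

// Numeric major.minor.patch comparison (no prerelease handling; enough for
// the versions a lockfile pins).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every distinct version of `pkg` the lockfile resolves, ascending. Matches
// both "  pkg@1.2.3:" package keys and "      pkg: 1.2.3" snapshot edges;
// an override line such as 'a>pkg': 1.2.3 is not a resolution and is skipped.
function resolvedVersions(lockText, pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^\\s*'?${esc}(?:@|'?:\\s+)(\\d+\\.\\d+\\.\\d+)`, "gm");
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// Resolved versions that are still below the patched floor.
function vulnerableVersions(lockText, pkg, minPatched) {
  return resolvedVersions(lockText, pkg).filter(v => compareSemver(v, minPatched) < 0);
}

const bad = vulnerableVersions(SAMPLE_LOCK, "fast-xml-parser", "5.3.5");
console.log(bad.length === 0 ? "ok: no fast-xml-parser < 5.3.5 resolved" : `still vulnerable: ${bad.join(", ")}`);
```

Replacing SAMPLE_LOCK with fs.readFileSync("pnpm-lock.yaml", "utf8") and exiting non-zero when the list is non-empty gives a CI gate that fails if a later resolution change pulls an older fast-xml-parser back in through some other edge, something `pnpm why fast-xml-parser` shows interactively but does not enforce.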
Copilot AI changed the title [WIP] Fix fast-xml-parser entity encoding bypass vulnerability Patch transitive fast-xml-parser to 5.3.5 for CVE-2026-25896 (GHSA-m7jm-9gc2-mpf2) May 22, 2026
Copilot AI requested a review from sydneyrenee May 22, 2026 19:28
@sydneyrenee sydneyrenee requested a review from Copilot May 22, 2026 20:22
@sydneyrenee sydneyrenee marked this pull request as ready for review May 22, 2026 20:22
@sydneyrenee sydneyrenee merged commit 21c3f3a into main May 22, 2026
2 of 3 checks passed
Copilot AI review requested due to automatic review settings May 22, 2026 20:46
@sydneyrenee sydneyrenee deleted the copilot/fix-fast-xml-parser-vulnerability branch May 23, 2026 19:01
