CVE-2026-25896

fast-xml-parser · fast-xml-parser

A regex wildcard handling error in fast-xml-parser's DOCTYPE entity replacement allows attackers to shadow built-in entities, leading to Cross-Site Scripting (XSS).

Executive summary

A vulnerability in fast-xml-parser allows attackers to bypass entity encoding and execute malicious scripts in the user's browser via a specially crafted XML payload.

Vulnerability

The parser treats a dot (.) in a DOCTYPE entity name as a regex wildcard rather than a literal character during entity replacement. This allows an unauthenticated attacker to shadow standard built-in entities (such as &lt;) with arbitrary values, bypassing security filters and leading to Cross-Site Scripting (XSS) when the parsed output is rendered.

Business impact

Successful exploitation can lead to the theft of session cookies, account hijacking, and the delivery of further client-side attacks. While XSS is often categorized as Medium severity, the CVSS score of 9.3 reflects the critical nature of this specific bypass within a widely used parsing library that handles sensitive data.

Remediation

Immediate Action: Update the fast-xml-parser library to version 5.3.5 or later to resolve the regex wildcard replacement flaw.

Proactive Monitoring: Review application logs for XML payloads containing suspicious DOCTYPE declarations or attempts to redefine built-in XML entities.

Compensating Controls: Implement a Content Security Policy (CSP) to limit the impact of potential script injection and use a Web Application Firewall (WAF) to filter malicious XML input.
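The following is an added example, not fast-xml-parser's own code: a minimal model of the flaw class described in the Vulnerability section (an entity name interpolated into a RegExp unescaped), the hardened replacement beside it, and a check for the DOCTYPE review suggested under Proactive Monitoring. Function names and the sample entity declarations are constructed for illustration.

```javascript
// Added example, not fast-xml-parser's code: a minimal model of the flaw class
// the advisory describes (an entity name interpolated into a RegExp unescaped),
// the hardened replacement, and a check usable when reviewing logged XML.
const BUILTIN = new Map([["lt", "<"], ["gt", ">"], ["amp", "&"], ["quot", '"'], ["apos", "'"]]);

// Escape regex metacharacters so the entity name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable pattern: "." in a declared entity name acts as a wildcard, so the
// pattern built for a user entity can consume references to a different entity.
function expandUnsafe(text, entities) {
  for (const [name, value] of Object.entries(entities)) {
    text = text.replace(new RegExp("&" + name + ";", "g"), value);
  }
  return text;
}

// Hardened: match names literally and refuse user declarations of the five
// predefined entities, so built-ins are always decoded to their real characters.
function expandSafe(text, entities) {
  for (const [name, value] of Object.entries(entities)) {
    if (BUILTIN.has(name)) throw new Error(`refusing to redefine built-in entity &${name};`);
    text = text.replace(new RegExp("&" + escapeRegExp(name) + ";", "g"), value);
  }
  for (const [name, value] of BUILTIN) text = text.split(`&${name};`).join(value);
  return text;
}

// Monitoring check: report DOCTYPE entity names that redefine a built-in or
// that, compiled as an unescaped regex, would match a built-in entity name.
function suspiciousEntityNames(xml) {
  const decls = xml.matchAll(/<!ENTITY\s+([^\s"']+)\s+(?:"[^"]*"|'[^']*')\s*>/g);
  return [...decls].map((m) => m[1]).filter((name) => {
    if (BUILTIN.has(name)) return true;
    let re;
    try { re = new RegExp(`^${name}$`); } catch { return true; }
    return [...BUILTIN.keys()].some((b) => re.test(b));
  });
}
```

Note that a dot is a legal character inside an XML entity name, so the fix is literal matching rather than rejecting dotted names outright; the monitoring check therefore flags only names that would collide with a built-in.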

Exploitation status

Public Exploit Available: No

Analyst recommendation

Developers should immediately verify the version of fast-xml-parser used in their projects. Upgrading to version 5.3.5 or later is essential to prevent attackers from bypassing encoding mechanisms and executing unauthorized scripts on the client side.