Vulnerable Library - credential-provider-node-3.972.29.tgz
Path to dependency file: /aws/cdk/package.json
Path to vulnerable library: /aws/cli-installer/package.json,/aws/cdk/package.json
Found in HEAD commit: ec994c1a9bf5ae33c1721ef3568d20d917573751
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (credential-provider-node version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-41650 | Medium | 6.1 | fast-xml-parser-5.5.8.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-41650
Vulnerable Library - fast-xml-parser-5.5.8.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.8.tgz
Path to dependency file: /aws/cli-installer/package.json
Path to vulnerable library: /aws/cli-installer/package.json,/aws/cdk/package.json
Dependency Hierarchy:
- credential-provider-node-3.972.29.tgz (Root Library)
  - credential-provider-env-3.972.24.tgz
    - core-3.973.26.tgz
      - xml-builder-3.972.16.tgz
        - ❌ fast-xml-parser-5.5.8.tgz (Vulnerable Library)
Found in HEAD commit: ec994c1a9bf5ae33c1721ef3568d20d917573751
Found in base branch: main
Vulnerability Details
fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters

Summary

fast-xml-parser XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:
- CVE-2023-26920: Prototype pollution (parser)
- CVE-2023-34104: ReDoS (parser)
- CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
- CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: "src/fxb.js"

```js
// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
  // ...
  if (key === this.options.commentPropName) {
    return this.indentate(level) + `<!--${val}-->` + this.newLine; // VULNERABLE
  }
  // ...
  if (key === this.options.cdataPropName) {
    return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine; // VULNERABLE
  }
}
```

Compare with attribute/text escaping which IS properly handled via "replaceEntitiesValue()".

Proof of Concept

Test 1: Comment Injection (XSS in SVG/HTML context)
import { XMLBuilder } from 'fast-xml-parser'; const builder = new XMLBuilder({ commentPropName: "#comment", format: true, suppressEmptyNode: true }); const xml = { root: { "#comment": "--><script>alert('XSS')</script>legitimate content

Test 2: CDATA Injection (RSS feed)
const builder = new XMLBuilder({ cdataPropName: "#cdata", format: true, suppressEmptyNode: true }); const rss = { rss: { channel: { item: { title: "Article", description: { "#cdata": "Content]]> Article

Test 3: SOAP Message Injection
const builder = new XMLBuilder({ commentPropName: "#comment", format: true }); const soap = { "soap:Envelope": { "soap:Body": { "#comment": "Request from user: -->"soap:Body" (soap:Body)deleteAll</soap:Body>soap:BodydeleteAll</soap:Body>getBalance 12345 </soap:Body> </soap:Envelope>

The injected "deleteAll" appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:
1. COMMENT INJECTION: Injection successful: true
2. CDATA INJECTION (RSS feed scenario): Injection successful: true
3. Round-trip test: Injection present: true
4. SOAP MESSAGE INJECTION: Contains injected Action: true

Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:
1. XSS: Inject "<script>" tags into XML/SVG/HTML documents served to browsers
2. SOAP injection: Modify SOAP message structure by injecting XML elements
3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

```js
// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
  const safeVal = String(val).replace(/--/g, '&#45;&#45;');
  return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}
// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
  const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
  return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}
```
Publish Date: 2026-04-22
URL: CVE-2026-41650
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-22
Fix Resolution: https://github.com/rust-openssl/rust-openssl.git - v0.10.72,fast-xml-parser - 5.7.0