Attack Chain

1. An attacker crafts malicious input data containing quoted attribute values intended for XML/HTML generation.
2. The attacker injects the crafted data into an application using fast-xml-builder.
3. The application utilizes fast-xml-builder to process the data and generate XML/HTML output, with the processEntities flag disabled.
4. Due to the vulnerability, fast-xml-builder incorrectly parses the attribute value, splitting it into multiple attributes.
5. The injected malicious attributes are incorporated into the resulting XML/HTML structure.
6. The application sends the malformed XML/HTML response to a user.
7. The user’s browser renders the page, executing the injected malicious code (e.g., JavaScript).
8. The attacker achieves cross-site scripting (XSS) or other injection-based attacks, leading to potential data theft or compromise of the user’s session.

Impact

Successful exploitation of this vulnerability allows attackers to inject arbitrary HTML attributes into XML documents. This can lead to cross-site scripting (XSS) attacks if the generated XML is used in a web application. Given the widespread use of fast-xml-builder in Node.js projects, a large number of applications could be vulnerable. The impact ranges from defacement and information theft to complete compromise of user accounts.

Recommendation

• Upgrade to a patched version of fast-xml-builder if one becomes available or use a different XML builder library.
• As a temporary workaround, ensure the processEntities flag is set to true when using fast-xml-builder, as mentioned in the advisory.
• Deploy the Sigma rule below to identify potential exploitation attempts by detecting suspicious attribute values being passed to the vulnerable library.