Request to backport the fix for CVE-2026-41650 to 4.x release

[yuezk]

Hi,

Appreciate for fixing CVE-2026-41650. We kindly request that, if it is possible, also backport the fix to the 4.x release, like what we did in #792 and #807?

fast-xml-parser is a transitive dependency of the adaptive-expressions package provided by Microsoft. However, that package's upstream repo has been archived, so there is no supported place for us to request an upgrade to fast-xml-parser 5.x.

Thanks.

[amitguptagwl]

Hey @yuezk thanks for followup. CVE-2026-41650 is a hypothetical scenario because builder receives the input from parser which can't parse malicious data mentioned in the vulnerability. In 5.x, the fix was provided in fast-xml-builder package and dependency was updated in fast-xml-parser.

[yuezk]

Thanks, that makes sense for the parser -> builder round-trip case.

However, please correct me if I misunderstand: I think 4.x may still be affected for direct XMLBuilder usage. In 4.x, XMLBuilder is still bundled inside fast-xml-parser and exported from src/fxp.js via ./xmlbuilder/json2xml. That implementation appears to write commentPropName and cdataPropName values directly as <!--${val}--> and <![CDATA[${val}]]>.

So even if the parser cannot produce this input shape, applications using XMLBuilder directly from fast-xml-parser@4.x may still pass user-controlled values into comments or CDATA.

Would you consider either backporting the builder fix to 4.x, or updating/clarifying the advisory affected versions and notes so downstream users and vulnerability scanners can understand whether 4.x is considered affected?

Thanks again.

[amitguptagwl]

Yes that's correct if

• input is coming from untrusted source
• and app allows comments or cdata
• and attacker knows/guess app config

But I'll still fix in version 4.