From 13313dfc32ca88b821a0eaa234de65045fe33ec1 Mon Sep 17 00:00:00 2001 From: subratadeypappu Date: Mon, 9 Mar 2026 17:18:40 +0600 Subject: [PATCH] fix: upgrade fast-xml-parser to 4.5.4 to resolve critical CVE-2026-25896 (#41595) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Description Fixes a **critical** security vulnerability (CVE-2026-25896, CVSS 9.3) in `fast-xml-parser` — an entity encoding bypass via regex injection in DOCTYPE entity names that allows XSS and injection attacks when parsed XML output is rendered. This also resolves a **high-severity** DoS vulnerability (Dependabot alert #510) — DoS through entity expansion in DOCTYPE with no expansion limit. **Vulnerable range**: `>= 4.1.3, < 4.5.4` **Fix version**: `4.5.4` ### Changes - **`package.json`**: Added `"fast-xml-parser": "4.5.4"` to Yarn `resolutions` to override the transitive dependency (via `@smithy/core` → `@aws-sdk/client-s3`) - **`recommendedLibraries.ts`**: Updated CDN URL from cdnjs `4.3.2` to jsdelivr `4.5.4` (cdnjs does not yet host 4.5.4) - **`Library_spec.ts`**: Updated Cypress E2E test CDN URLs from `4.2.7` to `4.5.4` - **`yarn.lock`**: Regenerated with `fast-xml-parser@4.5.4` resolution ### Note on v3.17.5 (legacy xmlParser) The legacy `xmlParser` v3.17.5 referenced in `ApplicationConstants.java` and test fixtures is **not affected** by this CVE (vulnerable range starts at 4.1.3). It is already documented as deprecated for backward compatibility. Fixes Dependabot alert #511 (critical) Fixes Dependabot alert #510 (high) Fixes https://linear.app/appsmith/issue/APP-14993/fix-upgrade-fast-xml-parser-to-454-to-resolve-critical-cve-2026-25896 ## Automation /ok-to-test tags="@tag.All" ### :mag: Cypress test results > [!IMPORTANT] > 🟣 🟣 🟣 Your tests are running. > Tests running at: > Commit: 707048a5b4983b25f4a195267230954f1f41ce1b > Workflow: `PR Automation test suite` > Tags: `@tag.All` > Spec: `` >
Fri, 06 Mar 2026 20:20:26 UTC ## Communication Should the DevRel and Marketing teams inform users about this change? - [x] Yes - [ ] No ## Summary by CodeRabbit * **Chores** * Updated fast-xml-parser library to version 4.5.4 across the application.
---
.../e2e/Regression/ClientSide/JSLibrary/Library_spec.ts | 4 ++-- app/client/package.json | 3 ++- .../Editor/Explorer/Libraries/recommendedLibraries.ts | 4 ++-- app/client/yarn.lock | 8 ++++---- 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/app/client/cypress/e2e/Regression/ClientSide/JSLibrary/Library_spec.ts b/app/client/cypress/e2e/Regression/ClientSide/JSLibrary/Library_spec.ts
index 8a4aea90d91f..bd384d0f5331 100644
--- a/app/client/cypress/e2e/Regression/ClientSide/JSLibrary/Library_spec.ts
+++ b/app/client/cypress/e2e/Regression/ClientSide/JSLibrary/Library_spec.ts
@@ -70,7 +70,7 @@ describe(
 AppSidebar.navigate(AppSidebarButton.Libraries);
 installer.OpenInstaller();
 installer.InstallLibraryViaURL(
- "https://cdn.jsdelivr.net/npm/fast-xml-parser@4.2.7/+esm",
+ "https://cdn.jsdelivr.net/npm/fast-xml-parser@4.5.4/+esm",
 "fast_xml_parser",
 );
 agHelper.Sleep(2000);
@@ -81,7 +81,7 @@ describe(
 // Reinstallation should succeed with the same accessor
 installer.OpenInstaller();
 installer.InstallLibraryViaURL(
- "https://cdn.jsdelivr.net/npm/fast-xml-parser@4.2.7/+esm",
+ "https://cdn.jsdelivr.net/npm/fast-xml-parser@4.5.4/+esm",
 "fast_xml_parser",
 );
 });
diff --git a/app/client/package.json b/app/client/package.json
index db034f66cc3b..50e28f273169 100644
--- a/app/client/package.json
+++ b/app/client/package.json
@@ -434,6 +434,7 @@
 "undici": "6.21.2",
 "formidable": "2.1.3",
 "brace-expansion": "1.1.12",
- "form-data": "4.0.4"
+ "form-data": "4.0.4",
+ "fast-xml-parser": "4.5.4"
 }
 }
diff --git a/app/client/src/pages/Editor/Explorer/Libraries/recommendedLibraries.ts b/app/client/src/pages/Editor/Explorer/Libraries/recommendedLibraries.ts
index 2c7acb74db45..877456b8d675 100644
--- a/app/client/src/pages/Editor/Explorer/Libraries/recommendedLibraries.ts
+++ b/app/client/src/pages/Editor/Explorer/Libraries/recommendedLibraries.ts
@@ -14,8 +14,8 @@ export default [
 "Validate XML, Parse XML to JS Object, or Build XML from JS Object without C/C++ based libraries and no callback.",
 author: "NaturalIntelligence",
 docsURL: "https://github.com/NaturalIntelligence/fast-xml-parser",
- url: "https://cdnjs.cloudflare.com/ajax/libs/fast-xml-parser/4.3.2/fxparser.min.js",
- version: "4.3.2",
+ url: "https://cdn.jsdelivr.net/npm/fast-xml-parser@4.5.4/src/fxp.min.js",
+ version: "4.5.4",
 icon: "https://img.jsdelivr.com/github.com/NaturalIntelligence.png",
 },
 {
diff --git a/app/client/yarn.lock b/app/client/yarn.lock
index ff72765c1ae1..87cf0c031bb4 100644
--- a/app/client/yarn.lock
+++ b/app/client/yarn.lock
@@ -19682,14 +19682,14 @@ __metadata:
 languageName: node
 linkType: hard
 
-"fast-xml-parser@npm:4.4.1":
- version: 4.4.1
- resolution: "fast-xml-parser@npm:4.4.1"
+"fast-xml-parser@npm:4.5.4":
+ version: 4.5.4
+ resolution: "fast-xml-parser@npm:4.5.4"
 dependencies:
 strnum: ^1.0.5
 bin:
 fxparser: src/cli/cli.js
- checksum: f440c01cd141b98789ae777503bcb6727393296094cc82924ae9f88a5b971baa4eec7e65306c7e07746534caa661fc83694ff437d9012dc84dee39dfbfaab947
+ checksum: 29db513a5f0ad5ac33691c27d67315ee22e041b5e8fa5982f8bccf46af400e35c576c17f3087f1b8d4cd81fa91519f5fda4b2a31441ff1bf7596ecc5e934f44d
 languageName: node
 linkType: hard
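Review bot: The new `url` in the recommended-library entry points at a different artifact (`src/fxp.min.js`) than the one the Cypress spec in this same commit exercises (`/+esm`), so the E2E update does not confirm that this exact path exists on jsdelivr for 4.5.4; please fetch it once before merging, because a 404 here surfaces as a broken install for every user who clicks the recommendation rather than as a failing test. Switching the host from cdnjs.cloudflare.com to cdn.jsdelivr.net also changes the origin scripts are loaded from — if the app enforces a CSP or an allowlist of library hosts, check that cdn.jsdelivr.net is permitted for scripts (the `icon` on the next line already uses jsdelivr, but image and script sources are often governed separately). A short comment above the entry, `// jsdelivr rather than cdnjs: cdnjs does not host 4.5.4 yet (CVE-2026-25896 fix)`, would tell the next maintainer why this entry's host differs from its siblings. The enclosing `export default [` array starts and ends outside the hunk.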