
fix: upgrade fast-xml-parser to 4.5.4 to resolve critical CVE-2026-25896 #41595

Merged: subrata71 merged 1 commit into release from fix/fast-xml-parser-CVE-2026-25896 on Mar 9, 2026

Conversation

@subrata71 subrata71 (Collaborator) commented Mar 6, 2026

Description

Fixes a critical security vulnerability (CVE-2026-25896, CVSS 9.3) in fast-xml-parser — an entity encoding bypass via regex injection in DOCTYPE entity names that allows XSS and injection attacks when parsed XML output is rendered.

This also resolves a high-severity DoS vulnerability (Dependabot alert https://github.com/appsmithorg/appsmith/security/dependabot/510) — DoS through entity expansion in DOCTYPE with no expansion limit.

Vulnerable range: >= 4.1.3, < 4.5.4
Fix version: 4.5.4

Changes

  • package.json: Added "fast-xml-parser": "4.5.4" to Yarn resolutions to override the transitive dependency (via @smithy/core@aws-sdk/client-s3)
  • recommendedLibraries.ts: Updated CDN URL from cdnjs 4.3.2 to jsdelivr 4.5.4 (cdnjs does not yet host 4.5.4)
  • Library_spec.ts: Updated Cypress E2E test CDN URLs from 4.2.7 to 4.5.4
  • yarn.lock: Regenerated with fast-xml-parser@4.5.4 resolution

Note on v3.17.5 (legacy xmlParser)

The legacy xmlParser v3.17.5 referenced in ApplicationConstants.java and test fixtures is not affected by this CVE (vulnerable range starts at 4.1.3). It is already documented as deprecated for backward compatibility.

Fixes Dependabot alert https://github.com/appsmithorg/appsmith/security/dependabot/511 (critical)
Fixes Dependabot alert https://github.com/appsmithorg/appsmith/security/dependabot/510 (high)
Fixes https://linear.app/appsmith/issue/APP-14993/fix-upgrade-fast-xml-parser-to-454-to-resolve-critical-cve-2026-25896

Automation

/ok-to-test tags="@tag.All"

Cypress test results

Tests running at: https://github.com/appsmithorg/appsmith/actions/runs/22780449068
Commit: 707048a
Workflow: PR Automation test suite
Tags: @tag.All

Fri, 06 Mar 2026 20:20:26 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated fast-xml-parser library to version 4.5.4 across the application.



Upgrades fast-xml-parser from 4.4.1 to 4.5.4 via Yarn resolutions to
fix a critical entity encoding bypass via regex injection in DOCTYPE
entity names (CVSS 9.3). Also resolves high-severity DoS alert #510.

Changes:
- Add fast-xml-parser 4.5.4 resolution in package.json
- Update recommended library CDN URL to jsdelivr 4.5.4
- Update Cypress E2E test CDN URL to 4.5.4
- Regenerate yarn.lock with patched version
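As an added example (not code from the PR or the Appsmith project): a Node.js check that a yarn.lock resolves fast-xml-parser only to versions outside the advisory's range, which is what a reviewer would run to confirm the Yarn resolutions override actually took effect in the regenerated lockfile. The lockfile text is constructed; the package name and version bounds are the ones stated in the description above.

```javascript
// Added example, not from the Appsmith PR: check that a yarn.lock no longer
// resolves fast-xml-parser into the advisory's range (>= 4.1.3, < 4.5.4).
// Handles Yarn classic (`version "x"`) and Yarn berry (`version: x`) entries.
const PACKAGE = "fast-xml-parser";
const VULN_MIN = "4.1.3"; // inclusive lower bound from the PR description
const FIX = "4.5.4";      // first patched version

// Numeric compare of dotted versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function isVulnerable(v) {
  return compareVersions(v, VULN_MIN) >= 0 && compareVersions(v, FIX) < 0;
}
// Every resolved version of `name` in the lockfile. Entry headers are
// unindented and start with the package descriptor; `version` follows indented.
function resolvedVersions(lockText, name = PACKAGE) {
  const versions = new Set();
  let inEntry = false;
  for (const line of lockText.split("\n")) {
    if (line.trim() !== "" && !/^\s/.test(line)) {
      inEntry = new RegExp(`^"?${name}@`).test(line); // new top-level entry
    } else if (inEntry) {
      const m = line.match(/^\s+version:?\s+"?([0-9][^"\s]*)"?/);
      if (m) { versions.add(m[1]); inEntry = false; }
    }
  }
  return [...versions].sort(compareVersions);
}
// Returns the versions found and the subset still inside the vulnerable range.
function auditLock(lockText) {
  const versions = resolvedVersions(lockText);
  return { versions, vulnerable: versions.filter(isVulnerable) };
}
// Constructed sample: a stale 4.4.1 entry left next to the patched 4.5.4 one.
const SAMPLE_LOCK = `"fast-xml-parser@4.4.1", "fast-xml-parser@^4.4.1":
  version "4.4.1"

"fast-xml-parser@npm:4.5.4":
  version: 4.5.4
`;
console.log(auditLock(SAMPLE_LOCK)); // vulnerable: ["4.4.1"]
```

A clean result after the resolution is applied has `vulnerable` empty; any leftover entry means the override did not reach every consumer of the package.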
@subrata71 subrata71 requested a review from riodeuno as a code owner March 6, 2026 20:04
@github-actions github-actions bot added the Bug Something isn't working label Mar 6, 2026
@coderabbitai coderabbitai bot (Contributor) commented Mar 6, 2026

Walkthrough

A straightforward version upgrade of the fast-xml-parser library from 4.2.7/4.3.2 to 4.5.4, including updates to test fixtures, package.json dependencies, and the recommended libraries configuration. CDN URL changed from CDNJS to JSDelivr.

Changes

Cohort / File(s): Fast-xml-parser Version Upgrade (app/client/cypress/e2e/Regression/ClientSide/JSLibrary/Library_spec.ts, app/client/package.json, app/client/src/pages/Editor/Explorer/Libraries/recommendedLibraries.ts)
Summary: Updated fast-xml-parser from 4.2.7/4.3.2 to 4.5.4 across test fixtures, package dependencies, and recommended libraries list. CDN source changed from CDNJS to JSDelivr for the new version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🚀 From 4.3 to 4.5.4 we go,
XML parsing, fast and clean,
JSDelivr's the route we now know,
Dependencies updated, smooth routine! ✨

Pre-merge checks (3 passed)

  • Title check: Passed. The title clearly and specifically summarizes the main change: upgrading fast-xml-parser to resolve a critical CVE.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description check: Passed. The PR description comprehensively addresses the template requirements with clear CVE details, vulnerability context, specific file changes, and proper automation tags.


@subrata71 subrata71 self-assigned this Mar 6, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Mar 6, 2026
@linear linear bot commented Mar 9, 2026

@subrata71 subrata71 requested a review from ashit-rath March 9, 2026 10:35
@subrata71 subrata71 merged commit 13313df into release Mar 9, 2026
91 of 92 checks passed
@subrata71 subrata71 deleted the fix/fast-xml-parser-CVE-2026-25896 branch March 9, 2026 11:18

Labels: Bug (Something isn't working), ok-to-test (Required label for CI)
