
CVE-2026-25896 (CRITICAL): detected in Lambda Docker Images. #429

@the-lambda-watchdog


CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-25896 | CRITICAL | fast-xml-parser | 5.2.5 | 5.3.5 | 2026-02-20T21:19:27.47Z | 2026-02-21T10:18:24.775842332Z |

Affected Docker Images

| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:75324e6335efc458856ddcb49429a5806fa66c581529746296ded84f0f8fdd92 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:2ae0aecfac970190fe1fa2f9de439fb35340d285eb29a715ce6daf18eda7f54c |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:75324e6335efc458856ddcb49429a5806fa66c581529746296ded84f0f8fdd92 |
| public.ecr.aws/lambda/nodejs:20 | public.ecr.aws/lambda/nodejs@sha256:b1d950b97aaedc054c6c9c5409c98cf5c8f29de370a6f344113e1aeeaa441707 |

Description

fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, so an attacker-declared entity can match and shadow the built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when the parsed output is rendered. The vulnerability is fixed in 5.3.5.
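The mechanism above, as an added illustration that is not fast-xml-parser's own code: a toy entity expander that interpolates the DOCTYPE entity name straight into `new RegExp("&" + name + ";")`. Because `.` is a wildcard, an entity named `....` also matches `&quot;` and `&apos;` in the document text and substitutes the attacker's value for them. The hardened variant escapes the name, refuses to redeclare the five predefined entities, and uses a replacer function so `$`-patterns in the value are not interpreted. The function names, the `<root>` wrapper and both sample documents are constructed for this example; the hardened path is one way to close the bug class, not the library's actual patch.

```javascript
// Constructed illustration of the bug class described in the advisory:
// a custom-entity expander that drops the DOCTYPE entity name into a RegExp
// unescaped. This is NOT fast-xml-parser's code; all names are invented.

const BUILTIN = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Pull <!ENTITY name "value"> declarations out of an internal DOCTYPE subset.
function parseDoctypeEntities(xml) {
  const entities = {};
  const re = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) entities[m[1]] = m[2];
  return entities;
}

// Vulnerable: "." in the entity name is a regex wildcard, so the pattern built
// for an entity named "...." also matches "&quot;" and "&apos;".
function expandEntitiesUnsafe(text, entities) {
  for (const [name, value] of Object.entries(entities)) {
    text = text.replace(new RegExp("&" + name + ";", "g"), value);
  }
  return text;
}

// Escape every regex metacharacter so the name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened: literal match, no redefinition of predefined entities, and a
// replacer function so "$&"-style patterns in the value are not interpreted.
function expandEntitiesSafe(text, entities) {
  for (const [name, value] of Object.entries(entities)) {
    if (Object.prototype.hasOwnProperty.call(BUILTIN, name)) {
      throw new Error(`refusing to redefine predefined entity "${name}"`);
    }
    text = text.replace(new RegExp("&" + escapeRegExp(name) + ";", "g"), () => value);
  }
  return text;
}

// Predefined entities are decoded after custom expansion, as a parser that
// keeps "&lt;" etc. escaped until the final step would do. Single pass, so
// "&amp;lt;" becomes "&lt;" rather than "<".
function decodeBuiltins(text) {
  return text.replace(/&(lt|gt|amp|quot|apos);/g, (_, n) => BUILTIN[n]);
}

// Returns the text content of <root> after entity expansion.
function parseTextNode(xml, expand) {
  const entities = parseDoctypeEntities(xml);
  const m = xml.match(/<root>([\s\S]*?)<\/root>/);
  const body = m ? m[1] : "";
  return decodeBuiltins(expand(body, entities));
}

// Constructed sample documents. The text of MALICIOUS only ever contains
// "&quot;hi&quot;"; the markup comes entirely from the shadowing entity.
const MALICIOUS =
  '<!DOCTYPE x [<!ENTITY .... "<img src=x onerror=alert(1)>">]>' +
  '<root>say &quot;hi&quot;</root>';
const BENIGN =
  '<!DOCTYPE x [<!ENTITY co "ACME">]><root>&co; says &quot;hi&quot;</root>';

console.log("unsafe :", parseTextNode(MALICIOUS, expandEntitiesUnsafe));
console.log("safe   :", parseTextNode(MALICIOUS, expandEntitiesSafe));
console.log("benign :", parseTextNode(BENIGN, expandEntitiesSafe));
```

With the unsafe expander the text node for MALICIOUS comes back as `say <img src=x onerror=alert(1)>hi<img src=x onerror=alert(1)>`, although the document's text only ever carried an encoded quote; a consumer that trusts the parser's text output as already entity-safe and renders it as HTML executes the attacker's markup. The hardened expander returns `say "hi"`, and still honours ordinary custom entities such as `&co;`.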


Remediation Steps

  • Update the affected package fast-xml-parser from version 5.2.5 to 5.3.5 (the release in which the vulnerability is fixed), then re-scan the rebuilt image to confirm no older copy of the package remains.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
