High severity CVE with fast-xml-parser

[MerlinMason]

Hey there,

I've noticed this alert for CVE-2023-34104 relating to fast-xml-parser which will require an update to at least version 5.3.6 to fix it.

yarn why fast-xml-parser
├─ @servicenow/sdk-api@npm:4.2.0
│  └─ fast-xml-parser@npm:4.4.1 (via npm:4.4.1)
│
└─ @servicenow/sdk-build-plugins@npm:4.2.0
   └─ fast-xml-parser@npm:4.4.1 (via npm:4.4.1)

Any plans to address this soon? Thanks!

[venkat-kaluva]

Hey @MerlinMason, looks like the CVE is patches in 4.2.4 according to the link you shared. And we are on 4.4.1.

We will look into upgrading it latest version in our next releases. Thanks

[venkat-kaluva]

Looks like there is a new one CVE-2026-25896, which is fixed in 5.3.5

[MerlinMason]

Oh yes sorry, I posted the wrong link - https://nvd.nist.gov/vuln/detail/CVE-2026-25896 is the correct one

[bryce-godfrey]

4.3.0 should resolve this

[MerlinMason]

Amazing, thanks!