
fix(deps): update @aws-sdk/client-s3 to fix CVE-2026-25896#17046

Merged
sfanahata merged 1 commit into master from fix/dependabot-258-fast-xml-parser
Mar 19, 2026

Conversation

@sfanahata (Contributor)

DESCRIBE YOUR PR

Updates @aws-sdk/client-s3 from ^3.837.0 to ^3.1012.0 to resolve a critical security vulnerability in the transitive dependency fast-xml-parser.

Vulnerability Details

| Field | Value |
|---|---|
| CVE | CVE-2026-25896 |
| GHSA | GHSA-m7jm-9gc2-mpf2 |
| Severity | CRITICAL (CVSS 9.3) |
| CWE | CWE-185 (Incorrect Regular Expression) |
| Vulnerable | fast-xml-parser >= 5.0.0, < 5.3.5 |
| Fixed in | fast-xml-parser 5.3.5+ |

Summary

A period (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing attackers to shadow built-in XML entities (&lt;, &gt;, &amp;, etc.) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

Changes

  • Updated @aws-sdk/client-s3 to latest (3.1012.0)
  • This pulls in @aws-sdk/xml-builder which uses fast-xml-parser@5.5.6 (patched)

Verification

$ pnpm why fast-xml-parser
fast-xml-parser@5.3.6  ← from @google-cloud/storage (already patched)
fast-xml-parser@5.5.6  ← from @aws-sdk (now patched)

All tests pass (149/149).

Fixes https://github.com/getsentry/sentry-docs/security/dependabot/258

IS YOUR CHANGE URGENT?

  • Urgent deadline (GA date, etc.): Security vulnerability fix
  • Other deadline:
  • None: Not urgent, can wait up to 1 week+

PRE-MERGE CHECKLIST

  • Checked Vercel preview for correctness, including links
  • PR was reviewed and approved by any necessary SMEs (subject matter experts)
  • PR was reviewed and approved by a member of the Sentry docs team

Updates @aws-sdk/client-s3 from ^3.837.0 to ^3.1012.0 to resolve a
critical vulnerability in the transitive dependency fast-xml-parser.

CVE-2026-25896 (CVSS 9.3): Entity encoding bypass via regex injection
in DOCTYPE entity names allows XSS when parsed XML output is rendered.

Fixes: https://github.com/getsentry/sentry-docs/security/dependabot/258
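The regex-wildcard shadowing described in the Summary above, as an added toy model written for this page. It is not fast-xml-parser's code and not the fix the upgrade ships: the entity-replacement routine, the sample DOCTYPE, and the `escapeRegExp` hardening are all assumptions of this illustration, which shows why a name containing `.` can match a built-in entity such as `&lt;` when it is interpolated into a `RegExp` unescaped.

```javascript
// Toy model of the CWE-185 pattern the PR summary describes. This is an added
// illustration written for this page, NOT fast-xml-parser's actual code: it
// models entity replacement that interpolates a DOCTYPE entity name into a
// RegExp, so a "." in the name acts as a wildcard and can match &lt; or &gt;.

// Escape every regex metacharacter so a name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Collect <!ENTITY name "value"> declarations from a DOCTYPE internal subset.
function parseDoctypeEntities(xml) {
  const entities = {};
  const decl = /<!ENTITY\s+([^\s"]+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(xml)) !== null) {
    entities[m[1]] = m[2];
  }
  return entities;
}

// Replace references to user-declared entities in the text content.
// vulnerable=true uses the raw name as a pattern (the bug class);
// vulnerable=false escapes it first, so "." can only match a literal period.
// The replacement is a function so "$" sequences in the value are not expanded.
function expandUserEntities(text, entities, vulnerable) {
  let out = text;
  for (const [name, value] of Object.entries(entities)) {
    const pattern = vulnerable ? name : escapeRegExp(name);
    out = out.replace(new RegExp("&" + pattern + ";", "g"), () => value);
  }
  return out;
}

// Constructed sample: the entity is named "l." so the unescaped pattern "&l.;"
// also matches the built-in "&lt;" reference, which should have stayed encoded.
const SAMPLE_XML =
  '<!DOCTYPE r [ <!ENTITY l. "<b>"> ]><r>&lt;b&gt; is encoded markup</r>';
const SAMPLE_TEXT = "&lt;b&gt; is encoded markup";

// Run the sample through both variants and return the expanded text.
function demo(vulnerable) {
  return expandUserEntities(SAMPLE_TEXT, parseDoctypeEntities(SAMPLE_XML), vulnerable);
}

console.log("vulnerable:", demo(true));   // "<b>b&gt; is encoded markup" (&lt; shadowed)
console.log("hardened:  ", demo(false));  // "&lt;b&gt; is encoded markup" (unchanged)
```

The hardened variant leaves `&lt;` intact because only a literal `&l.;` reference can match; the same check (escape or exact-match untrusted names before building a pattern) is what closes this bug class in any entity expander.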
@vercel (bot) commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| develop-docs | Ready | Preview, Comment | Mar 19, 2026 8:37pm |
| sentry-docs | Ready | Preview, Comment | Mar 19, 2026 8:37pm |

@sfanahata sfanahata merged commit 14c9cdc into master Mar 19, 2026
18 checks passed
@sfanahata sfanahata deleted the fix/dependabot-258-fast-xml-parser branch March 19, 2026 20:56
constantinius pushed a commit that referenced this pull request Mar 20, 2026
## DESCRIBE YOUR PR

Updates `@aws-sdk/client-s3` from `^3.837.0` to `^3.1012.0` to resolve a
critical security vulnerability in the transitive dependency
`fast-xml-parser`.

### Vulnerability Details

| Field | Value |
|-------|-------|
| **CVE** | [CVE-2026-25896](https://nvd.nist.gov/vuln/detail/CVE-2026-25896) |
| **GHSA** | [GHSA-m7jm-9gc2-mpf2](GHSA-m7jm-9gc2-mpf2) |
| **Severity** | **CRITICAL** (CVSS 9.3) |
| **CWE** | CWE-185 (Incorrect Regular Expression) |
| **Vulnerable** | `fast-xml-parser >= 5.0.0, < 5.3.5` |
| **Fixed in** | `fast-xml-parser 5.3.5+` |

### Summary

A period (`.`) in a DOCTYPE entity name is treated as a regex wildcard
during entity replacement, allowing attackers to shadow built-in XML
entities (`&lt;`, `&gt;`, `&amp;`, etc.) with arbitrary values. This
bypasses entity encoding and leads to XSS when parsed output is
rendered.

### Changes

- Updated `@aws-sdk/client-s3` to latest (`3.1012.0`)
- This pulls in `@aws-sdk/xml-builder` which uses
`fast-xml-parser@5.5.6` (patched)

### Verification

```
$ pnpm why fast-xml-parser
fast-xml-parser@5.3.6  ← from @google-cloud/storage (already patched)
fast-xml-parser@5.5.6  ← from @aws-sdk (now patched)
```

All tests pass (149/149).

Fixes https://github.com/getsentry/sentry-docs/security/dependabot/258

## IS YOUR CHANGE URGENT?

- [x] Urgent deadline (GA date, etc.): Security vulnerability fix
- [ ] Other deadline:
- [ ] None: Not urgent, can wait up to 1 week+

## PRE-MERGE CHECKLIST

- [x] Checked Vercel preview for correctness, including links
- [ ] PR was reviewed and approved by any necessary SMEs (subject matter
experts)
- [ ] PR was reviewed and approved by a member of the [Sentry docs
team](https://github.com/orgs/getsentry/teams/docs)

Co-authored-by: Shannon Anahata <shannonanahata@gmail.com>