Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Published: 2026-01-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unhandled RangeError in XML parsing
Action: Patch
AI Analysis

Impact

fast-xml-parser versions 5.0.9 through 5.3.3 contain a numeric entity processing flaw that causes a RangeError when the parser encounters an out‑of‑range code point such as &#9999999; or &#xFFFFFF;. This exception is not caught by the library, leading to an uncaught crash of any application that uses the parser on untrusted XML input. The resulting failure of the application is limited to denial of service and does not provide the attacker with further code execution or privilege escalation.

Affected Systems

The vulnerability affects the NaturalIntelligence fast‑xml‑parser package for Node.js. All releases from 5.0.9 up to and including 5.3.3 are impacted; the issue was fixed in release 5.3.4 and later versions are considered safe.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity attack. The EPSS score of less than 1% signals a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is that an attacker can submit crafted XML data – either via an API endpoint, file upload, or configuration file – that contains malformed numeric entities. Upon parsing, the application will throw an uncaught RangeError and terminate, resulting in a denial of service. Because the flaw is triggered by untrusted input, it is feasible for remote exploitation in applications that expose XML data processing services.

Generated by OpenCVE AI on April 18, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-xml-parser to version 5.3.4 or later
  • Validate XML input to reject numeric entities with code points outside the valid Unicode range before sending them to the parser
  • Wrap parser calls in a try/catch block to handle RangeError exceptions and prevent application crashes

Generated by OpenCVE AI on April 18, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-37qj-frw5-hhjh fast-xml-parser has RangeError DoS Numeric Entities Bug
History

Fri, 27 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*

Wed, 11 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-parser
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-parser

Sat, 31 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Title fast-xml-parser has RangeError DoS Numeric Entities Bug
Weaknesses CWE-20
CWE-248
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Naturalintelligence Fast-xml-parser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-11T18:38:40.192Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25128

cve-icon Vulnrichment

Updated: 2026-01-30T15:40:48.124Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-30T16:16:14.123

Modified: 2026-02-27T20:22:44.700

Link: CVE-2026-25128

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-30T15:14:58Z

Links: CVE-2026-25128 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses