CVE-2026-25128
HIGHfast-xml-parser 5.0.9-5.3.3 - Denial of Service via Out-of-Range XML Entity Code Points
Title source: llmDescription
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh
Patch x_refsource_misc
https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc
Release Notes x_refsource_misc
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4
Scores
CVSS v3
7.5
EPSS
0.0056
EPSS Percentile
41.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-248
CWE-20
Status
published
Products (2)
naturalintelligence/fast-xml-parser
5.0.9 - 5.3.4
npm/fast-xml-parser
5.0.9 - 5.3.4npm
Published
Jan 30, 2026
Tracked Since
Feb 18, 2026