CVE-2026-25128
HIGH
NPM
Fast-xml-parser < 5.3.4 - Improper Input Validation
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries or callbacks. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
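The failure class described above, as an added example that is not part of the advisory or of fast-xml-parser's code: JavaScript's `String.fromCodePoint` throws `RangeError` for values above 0x10FFFF, so an entity decoder without a range check fails this way on untrusted input. The function names are hypothetical, the sample inputs are constructed, and `unguardedDecode` is a stand-in rather than the library's implementation.

```javascript
// Added example, not fast-xml-parser code; all function names are hypothetical.
const MAX_CODE_POINT = 0x10ffff; // highest valid Unicode code point
const NUMERIC_ENTITY = /&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));/g;

// List numeric character references whose value exceeds U+10FFFF.
function findOutOfRangeEntities(xml) {
  const bad = [];
  for (const m of xml.matchAll(NUMERIC_ENTITY)) {
    const cp = m[1] !== undefined ? parseInt(m[1], 16) : parseInt(m[2], 10);
    if (!Number.isFinite(cp) || cp > MAX_CODE_POINT) {
      bad.push({ entity: m[0], index: m.index });
    }
  }
  return bad;
}

// Stand-in for a parser's entity step that calls String.fromCodePoint with
// no range check; it throws RangeError on out-of-range input.
function unguardedDecode(xml) {
  return xml.replace(NUMERIC_ENTITY, (_, hex, dec) =>
    String.fromCodePoint(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Boundary wrapper for untrusted XML: reject bad references up front and
// turn any remaining parser exception into a result instead of a crash.
function parseUntrusted(xml, parseFn) {
  const bad = findOutOfRangeEntities(xml);
  if (bad.length > 0) {
    return { ok: false, reason: "out-of-range numeric entity", bad };
  }
  try {
    return { ok: true, value: parseFn(xml) };
  } catch (err) {
    return { ok: false, reason: `${err.name}: ${err.message}`, bad: [] };
  }
}

// Constructed sample inputs.
const SAMPLE_OK = "<a>&#65;&#x1F600;</a>";
const SAMPLE_BAD = ["<a>&#9999999;</a>", "<a>&#xFFFFFF;</a>"];
```

Upgrading to 5.3.4 is the fix the advisory names. A wrapper like this only keeps one malformed document from taking down a process that parses untrusted XML.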
Scores
CVSS v3: 7.5
EPSS: 0.0005
EPSS Percentile: 16.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Classification
CWE: CWE-248, CWE-20
Status: published
Affected Products (2)
npm/fast-xml-parser: < 5.3.4 (npm)
naturalintelligence/fast-xml-parser: < 5.3.4
Timeline
Published: Jan 30, 2026
Tracked Since: Feb 18, 2026