Mistersiddd

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions 4.3.6 through 5.3.3 **Description** fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError occurs in the numeric entity processing when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. The issue is due to the `String.fromCodePoint()` method throwing a `RangeError` when the code point exceeds the valid Unicode range. The regex patterns used to capture numeric entities can match values exceeding this range. The entity replacement process lacks a try-catch block, allowing the `RangeError` to propagate and crash the parser. A proof-of-concept demonstrates that sending a malicious XML payload with an out-of-range numeric entity can crash a Node.js server using fast-xml-parser. This can lead to a denial of service in applications processing untrusted XML input, such as API servers, file processors, message queues, RSS/Atom feed parsers, and SOAP/XML-RPC services. **Recommendations** Update to fast-xml-parser version 5.3.4 or later.

**Name of the Vulnerable Software and Affected Versions** node-tar versions prior to 7.5.7 **Description** The node-tar software has an issue where the security check for hardlink entries uses different path resolution logic than the actual hardlink creation process. This discrepancy allows a malicious TAR archive to circumvent path traversal protections and create hardlinks to files outside the intended extraction directory. **Recommendations** Update to version 7.5.7 or later.