CVE-2026-25128

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions 4.3.6 through 5.3.3

Description fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError occurs in the numeric entity processing when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. The issue is due to the String.fromCodePoint() method throwing a RangeError when the code point exceeds the valid Unicode range. The regex patterns used to capture numeric entities can match values exceeding this range. The entity replacement process lacks a try-catch block, allowing the RangeError to propagate and crash the parser. A proof-of-concept demonstrates that sending a malicious XML payload with an out-of-range numeric entity can crash a Node.js server using fast-xml-parser. This can lead to a denial of service in applications processing untrusted XML input, such as API servers, file processors, message queues, RSS/Atom feed parsers, and SOAP/XML-RPC services.

Recommendations Update to fast-xml-parser version 5.3.4 or later.