CVE-2026-25128

EUVD-2026-5026

30.01.2026, 16:16

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
naturalintelligence	fast-xml-parser	5.0.9 ≤ 𝑥 < 5.3.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-webfont

bookworm	11.4.0+dfsg2+~cs35.7.26-7 fixed
forky	11.4.0+dfsg2+~cs35.7.26-18 fixed
sid	11.4.0+dfsg2+~cs35.7.26-18 fixed
trixie	11.4.0+dfsg2+~cs35.7.26-13 fixed

Known Exploits!

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc

https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh