CVE-2026-25128
Unknown Unknown - Not Provided
RangeError Crash in fast-xml-parser via Malformed Numeric Entities

Publication date: 2026-01-30

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25128
EUVD
EUVD-2026-5026
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
naturalintelligence fast-xml-parser From 5.0.9 (inc) to 5.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in fast-xml-parser versions 4.3.6 through 5.3.3 occurs when parsing XML containing numeric entities with out-of-range Unicode code points (e.g., � or �). The parser attempts to convert these invalid code points using String.fromCodePoint(), which throws an uncaught RangeError exception. This causes the parser and any application using it to crash when processing untrusted XML input. [2]

Impact Analysis

The vulnerability can cause a Denial of Service (DoS) by crashing any application that processes untrusted XML input using fast-xml-parser. This includes API servers, file processors, message queues, RSS/Atom feed parsers, and SOAP/XML-RPC services. A single malicious XML payload with out-of-range numeric entities can crash the entire Node.js process, causing service disruption until the application is manually restarted. [2]

Detection Guidance

This vulnerability can be detected by monitoring applications that use fast-xml-parser versions 4.3.6 through 5.3.3 for crashes or unhandled exceptions when processing XML input containing out-of-range numeric entities such as '&#9999999;' or '&#xFFFFFF;'. A practical detection method is to send crafted XML payloads with these out-of-range numeric entities to the application and observe if it crashes or throws uncaught exceptions. For example, you can use curl to send a POST request with malicious XML to a vulnerable Node.js HTTP server: curl -X POST -H "Content-Type: application/xml" --data '<root>&#9999999;</root>' http://target-server/endpoint If the server crashes or throws an error, it is vulnerable. Additionally, reviewing application logs for RangeError exceptions related to String.fromCodePoint during XML parsing can help detect the issue. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the fast-xml-parser library to version 5.3.4 or later, which includes a fix that properly handles out-of-range numeric HTML entities by skipping their conversion and preventing uncaught exceptions. If upgrading is not immediately possible, consider implementing input validation or sanitization to reject or filter XML inputs containing out-of-range numeric entities before parsing. Monitoring and restarting affected services upon crashes can also reduce downtime until the patch is applied. [1, 3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart