CVE-2026-25128
RangeError Crash in fast-xml-parser via Malformed Numeric Entities
Publication date: 2026-01-30
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| naturalintelligence | fast-xml-parser | From 5.0.9 (inc) to 5.3.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-248 | An exception is thrown from a function, but it is not caught. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in fast-xml-parser versions 4.3.6 through 5.3.3 occurs when parsing XML containing numeric entities with out-of-range Unicode code points (e.g., � or �). The parser attempts to convert these invalid code points using String.fromCodePoint(), which throws an uncaught RangeError exception. This causes the parser and any application using it to crash when processing untrusted XML input. [2]
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) by crashing any application that processes untrusted XML input using fast-xml-parser. This includes API servers, file processors, message queues, RSS/Atom feed parsers, and SOAP/XML-RPC services. A single malicious XML payload with out-of-range numeric entities can crash the entire Node.js process, causing service disruption until the application is manually restarted. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring applications that use fast-xml-parser versions 4.3.6 through 5.3.3 for crashes or unhandled exceptions when processing XML input containing out-of-range numeric entities such as '�' or '�'. A practical detection method is to send crafted XML payloads with these out-of-range numeric entities to the application and observe whether it crashes or throws uncaught exceptions. For example, you can use curl to send a POST request with malicious XML to a vulnerable Node.js HTTP server: `curl -X POST -H "Content-Type: application/xml" --data '<root>�</root>' http://target-server/endpoint`. If the server crashes or throws an error, it is vulnerable. Additionally, reviewing application logs for RangeError exceptions related to String.fromCodePoint during XML parsing can help detect the issue. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the fast-xml-parser library to version 5.3.4 or later, which includes a fix that properly handles out-of-range numeric HTML entities by skipping their conversion and preventing uncaught exceptions. If upgrading is not immediately possible, consider implementing input validation or sanitization to reject or filter XML inputs containing out-of-range numeric entities before parsing. Monitoring and restarting affected services upon crashes can also reduce downtime until the patch is applied. [1, 3]
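To make the failure mode described above and the "skip conversion" fix concrete, here is an added example (not fast-xml-parser's own code): a minimal numeric-entity decoder in the unguarded String.fromCodePoint() form, the hardened form that validates the code point before converting it, and a try/catch wrapper for callers that cannot upgrade yet. The entity syntax, function names, the lone-surrogate check and the sample input are assumptions of this example.

```javascript
// Added example, not fast-xml-parser's own code: a minimal decoder for
// numeric character references (&#NNN; / &#xHHHH;) in the unguarded form
// the advisory describes, and in a hardened form that checks the range.

// Assumed entity syntax: decimal &#1234; or hexadecimal &#x1F600;.
const NUMERIC_ENTITY = /&#(x[0-9a-fA-F]+|[0-9]+);/gi;

function parseCodePoint(body) {
  return body[0].toLowerCase() === "x"
    ? parseInt(body.slice(1), 16)
    : parseInt(body, 10);
}

// Unguarded decoder: String.fromCodePoint() throws RangeError for any
// value above 0x10FFFF, so one malformed entity aborts the whole parse.
function decodeNumericEntitiesUnsafe(text) {
  return text.replace(NUMERIC_ENTITY, (_, body) =>
    String.fromCodePoint(parseCodePoint(body)));
}

// Valid scalar value: within the Unicode range and not a lone surrogate
// (the surrogate check is an extra precaution of this example).
function isValidCodePoint(cp) {
  return Number.isInteger(cp) && cp >= 0 && cp <= 0x10ffff &&
    !(cp >= 0xd800 && cp <= 0xdfff);
}

// Hardened decoder: convert only valid code points and leave any other
// entity as literal text, mirroring the "skip conversion" behaviour of the fix.
function decodeNumericEntitiesSafe(text) {
  return text.replace(NUMERIC_ENTITY, (match, body) => {
    const cp = parseCodePoint(body);
    return isValidCodePoint(cp) ? String.fromCodePoint(cp) : match;
  });
}

// Defensive wrapper for callers still on an affected version: a RangeError
// from entity decoding becomes a rejected document instead of a process crash.
function parseOrReject(text, decoder) {
  try {
    return { ok: true, value: decoder(text) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, error: err.message };
    throw err;
  }
}

// Constructed sample input with one valid and one out-of-range entity.
const sample = "<root>&#65;&#x110000;</root>";
console.log(parseOrReject(sample, decodeNumericEntitiesUnsafe)); // ok: false (RangeError caught)
console.log(parseOrReject(sample, decodeNumericEntitiesSafe));   // ok: true, value: '<root>A&#x110000;</root>'
```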
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.