GHSA-37qj-frw5-hhjh

Опубликовано: 30 янв. 2026

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

fast-xml-parser has RangeError DoS Numeric Entities Bug

Summary

A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., &#9999999; or &#xFFFFFF;). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.

Details

The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:

"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },

The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:

[0-9]{1,7} matches up to 9,999,999
[0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)

The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:

val = val.replace(entity.regex, entity.val);

This causes the RangeError to propagate uncaught, crashing the parser and any application using it.

PoC

Setup

Create a directory with these files:

poc/ ├── package.json ├── server.js

package.json

{ "dependencies": { "fast-xml-parser": "^5.3.3" } }

server.js

Run

# Setup npm install # Terminal 1: Start server node server.js # Terminal 2: Send malicious payload (server will crash) curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#9999999;</root>' http://localhost:3000/parse

Result

Server crashes with:

RangeError: Invalid code point 9999999

Alternative Payloads

<?xml version="1.0"?><root>&#xFFFFFF;</root>  <?xml version="1.0"?><root attr="&#9999999;"/>

Impact

Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:

API servers accepting XML payloads
File processors parsing uploaded XML files
Message queues consuming XML messages
RSS/Atom feed parsers
SOAP/XML-RPC services

A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

Ссылки

Пакеты

Наименование

fast-xml-parser

npm

Затронутые версииВерсия исправления

>= 4.3.6, <= 5.3.3

5.3.4

EPSS

Процентиль: 22%

0.00072

Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-25128

Дефекты

CWE-248

Связанные уязвимости

CVE-2026-25128

CVSS3: 7.5

ubuntu

8 дней назад

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

CVE-2026-25128

CVSS3: 7.5

nvd

8 дней назад

CVE-2026-25128

CVSS3: 7.5

debian

8 дней назад

fast-xml-parser allows users to validate XML, parse XML to JS object, ...

EPSS

Процентиль: 22%

0.00072

Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-25128

Дефекты

CWE-248