CVE-2026-25128
HIGH
GHSA-37qj-frw5-hhjh
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Analysis
Fast-xml-parser versions 5.0.9 through 5.3.3 crash when processing XML containing out-of-range numeric entity code points, allowing remote attackers to cause denial of service against applications parsing untrusted XML input. Public exploit code exists for this vulnerability. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and systems using fast-xml-parser and document their versions and deployment locations. Within 7 days: Apply the available vendor patch to all affected systems, prioritizing production environments and customer-facing applications. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today