CVE-2026-25128
📋 TL;DR
A vulnerability in fast-xml-parser versions 4.3.6 through 5.3.3 allows attackers to cause a denial of service by sending XML that contains a numeric character reference whose code point lies outside the valid Unicode range. Decoding such a reference raises an uncaught RangeError that crashes any application using the library to parse untrusted XML input. All applications using vulnerable versions of fast-xml-parser are affected.
💻 Affected Systems
- fast-xml-parser, versions 4.3.6 through 5.3.3
📦 What is this software?
fast-xml-parser by NaturalIntelligence, a JavaScript library for validating, parsing and building XML in Node.js and browser applications.
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash leading to denial of service, potentially disrupting critical business functions if the application handles mission-critical XML processing.
Likely Case
Application crashes when processing malicious XML input, causing service disruption until the application restarts.
If Mitigated
Minimal impact if XML input is validated/sanitized before reaching the parser or if proper error handling catches the exception.
🎯 Exploit Status
Exploitation is trivial: a single XML document containing a numeric character reference with an out-of-range code point is enough to trigger the crash. The vendor advisory includes proof-of-concept examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.3.4
Vendor Advisory: https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh
Restart Required: Yes
Instructions:
1. Update fast-xml-parser to version 5.3.4 or later using npm: npm update fast-xml-parser
2. Restart any applications using the library
3. Test XML parsing functionality to ensure compatibility
🔧 Temporary Workarounds
Input Validation/Sanitization
Validate and sanitize XML input before passing it to fast-xml-parser, removing or escaping numeric character references whose values are out of range.
Error Handling Wrapper
Wrap fast-xml-parser calls in try-catch blocks so that a RangeError is handled gracefully instead of crashing the application.
🧯 If You Can't Patch
- Implement strict input validation to reject XML containing numeric entities with values outside valid Unicode ranges
- Deploy application-level monitoring and automatic restart mechanisms to minimize downtime from crashes
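The two workarounds above (pre-parse validation and a try-catch wrapper) as an added example. This code is not from the advisory or from the fast-xml-parser project: the parser is replaced by a constructed stand-in, fakeParse, which assumes that entity decoding ends in String.fromCodePoint and therefore throws a RangeError for code points above 0x10FFFF, matching the failure the advisory describes. The helper names (findOutOfRangeRefs, safeParse) and the sample documents are likewise constructed for illustration.

```javascript
// Added example: defensive layers for out-of-range numeric character references.
// Not from the fast-xml-parser project; parser behaviour is simulated below.

const MAX_CODE_POINT = 0x10ffff; // highest code point Unicode defines

// Matches decimal (&#233;) and hexadecimal (&#x1F600;) numeric character references.
const NUMERIC_REF = /&#(x[0-9a-f]+|[0-9]+);/gi;

// Converts the body of a reference ("233" or "x1F600") to its numeric code point.
function refCodePoint(body) {
  return body[0].toLowerCase() === 'x'
    ? parseInt(body.slice(1), 16)
    : parseInt(body, 10);
}

// Layer 1: reject before parsing. Returns every reference whose code point
// is outside the Unicode range; an empty array means the document is clean.
function findOutOfRangeRefs(xml) {
  const bad = [];
  for (const m of xml.matchAll(NUMERIC_REF)) {
    if (refCodePoint(m[1]) > MAX_CODE_POINT) bad.push(m[0]);
  }
  return bad;
}

// Constructed stand-in for the vulnerable decode step (assumption: the real
// parser hands the raw value to String.fromCodePoint, which throws RangeError
// for anything above 0x10FFFF).
function fakeParse(xml) {
  return xml.replace(NUMERIC_REF, (_, body) => String.fromCodePoint(refCodePoint(body)));
}

// Layer 2: wrap any parse function. Validation runs first; should a RangeError
// still escape the parser, it is turned into a handled result instead of an
// uncaught exception that would take the process down.
function safeParse(parseFn, xml) {
  const refs = findOutOfRangeRefs(xml);
  if (refs.length > 0) {
    return { ok: false, reason: 'out-of-range numeric character reference', refs };
  }
  try {
    return { ok: true, value: parseFn(xml) };
  } catch (err) {
    if (err instanceof RangeError) {
      return { ok: false, reason: 'RangeError raised by parser', refs: [] };
    }
    throw err; // anything else is a genuine bug and should surface
  }
}

// Constructed sample documents.
const BENIGN_XML = '<msg>caf&#233; &#x1F600;</msg>';   // é and an emoji, both valid
const MALICIOUS_XML = '<msg>&#1114112;</msg>';         // 0x110000: one past the last code point

// Stand-alone demonstration.
console.log(safeParse(fakeParse, BENIGN_XML));     // { ok: true, value: '<msg>café 😀</msg>' }
console.log(safeParse(fakeParse, MALICIOUS_XML));  // { ok: false, reason: ..., refs: ['&#1114112;'] }
```

In a real deployment, pass the library's own parse call as parseFn (for example a function that invokes the XMLParser instance) and route ok: false results to a 400 response and a log line, so that the indicators listed under Detection & Monitoring are produced by design rather than by a crash.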
🔍 How to Verify
Check if Vulnerable:
Check the fast-xml-parser entry in package.json (and the installed version in package-lock.json), or run: npm list fast-xml-parser | grep fast-xml-parser
Any installed version from 4.3.6 through 5.3.3 is vulnerable.
Verify Fix Applied:
After updating, confirm that the reported version is 5.3.4 or later: npm list fast-xml-parser
📡 Detection & Monitoring
Log Indicators:
- RangeError exceptions in application logs
- Application crash/restart events
- Uncaught exception stack traces mentioning fast-xml-parser
Network Indicators:
- Incoming XML payloads containing numeric character references with extremely high values (code points beyond the valid Unicode range)
SIEM Query:
source="application_logs" AND ("RangeError" OR "fast-xml-parser" OR "uncaught exception")