Range error vulnerability in fast-xml-parser dependency: CVE-2026-25128

[thepeted]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Not applicable

Amplify Version

v6

Amplify Categories

auth, Not applicable

Backend

None

Environment information

Details

{
... 
"aws-amplify": "6.16.0" 
...
}

Describe the bug

aws-amplify package currently depends on versions of fast-xml-parser that have a security vulnerability https://nvd.nist.gov/vuln/detail/CVE-2026-25128.

aws-amplify:6.16.0
 └ @aws-amplify/storage:6.12.0
 └ fast-xml-parser:4.5.1

aws-amplify:6.16.0
 └ @aws-amplify/storage:6.12.0
 └ fast-xml-parser:4.5.1

Expected behavior

aws-amplify package should not depend on vulnerable versions of fast-xml-parser in range >=4.3.6 <=5.3.3 and should be updated to patched versions >=5.3.4

Reproduction steps

1. install eg: npm i aws-amplify@6
2. run npm audit

Code Snippet

// Put your code below this line.

Log output

Details

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ fast-xml-parser has RangeError DoS Numeric Entities    │
│                     │ Bug                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ fast-xml-parser                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.3.6 <=5.3.3                                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=5.3.4                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ apps__consumer>aws-amplify>@aws-amplify/               │
│                     │ analytics>@aws-sdk/client-firehose>@aws-sdk/core>fast- │
│                     │ xml-parser                                             │
│                     │                                                        │
│                     │ apps__consumer>aws-amplify>@aws-amplify/storage>fast-  │
│                     │ xml-parser                                             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-37qj-frw5-hhjh      │
└─────────────────────┴────────────────────────────────────────────────────────┘

[Simone319]

Hello @thepeted , thank you for raising this issue. We have merged the PR:#14699 to fix this vulnerability, and we will work on a release as soon as possible.

We will keep this issue updated with the latest status of the fix.

[diego-santacruz]

Thanks! But note that PR #14699 only solves the direct dependency on fast-xml-parser but not the indirect dependency via the aws-sdk. The problem is that various aws-amplify packages depend on the exact 3.723.0 (i.e. no caret) version of @aws-sdk/types, @aws-sdk/client-firehose, @aws-sdk/client-kinesis and @aws-sdk/client-personalize-events so they pull various aws-sdk packages at old versions which depend on a vulnerable version of fast-xml-parser.

Wouldn't it be better to use a caret dependency for all the @aws-sdk/* dependencies to avoid this? The aws-sdk has a well defined interface, so it should not be necessary to pin an exact version.

Not using a caret also forces users that need the aws-sdk to have duplicate packages, or stick with old versions of the aws-sdk, leading to a lot less efficient bundling.

[pranavosu]

Hey @diego-santacruz

We're working on a separate PR to bump @aws-sdk/* to 3.982.0 for the transitive path.

Regarding caret versions: the AWS SDK has shipped breaking changes in minor versions despite semver (#4153, #4122, #3768). Given daily releases and these incidents, we pin for stability over bundle optimization.

For bundle deduplication, you can use npm overrides or yarn resolutions to force a single SDK version project-wide.

[diego-santacruz]

Hey @diego-santacruz

We're working on a separate PR to bump @aws-sdk/* to 3.982.0 for the transitive path.

OK, thanks for the heads up.

Regarding caret versions: the AWS SDK has shipped breaking changes in minor versions despite semver (#6810, #4153, #4122, #3768). Given daily releases and these incidents, we pin for stability over bundle optimization.

OK, I see.

For bundle deduplication, you can use npm overrides or yarn resolutions to force a single SDK version project-wide.

Yes, that was what I was planning to do, a bit cumbersome to maintain but it works out pretty well.