You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., &#​9999999; or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.
Details
The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:
The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:
[0-9]{1,7} matches up to 9,999,999
[0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)
The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:
val=val.replace(entity.regex,entity.val);
This causes the RangeError to propagate uncaught, crashing the parser and any application using it.
consthttp=require('http');const{ XMLParser }=require('fast-xml-parser');constparser=newXMLParser({processEntities: true,htmlEntities: true});http.createServer((req,res)=>{if(req.method==='POST'&&req.url==='/parse'){letbody='';req.on('data',c=>body+=c);req.on('end',()=>{constresult=parser.parse(body);// No try-catch - will crash!res.end(JSON.stringify(result));});}else{res.end('POST /parse with XML body');}}).listen(3000,()=>console.log('http://localhost:3000'));
Run
# Setup
npm install
# Terminal 1: Start server
node server.js
# Terminal 2: Send malicious payload (server will crash)
curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#​9999999;</root>' http://localhost:3000/parse
Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:
API servers accepting XML payloads
File processors parsing uploaded XML files
Message queues consuming XML messages
RSS/Atom feed parsers
SOAP/XML-RPC services
A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.
renovatebot
changed the title
chore(deps): update dependency fast-xml-parser to v5.3.4 [security]
chore(deps): update dependency fast-xml-parser to v5.3.4 [security] - autoclosed
Jan 31, 2026
renovatebot
changed the title
chore(deps): update dependency fast-xml-parser to v5.3.4 [security] - autoclosed
chore(deps): update dependency fast-xml-parser to v5.3.4 [security]
Feb 6, 2026
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
bot
changed the title
This PR contains the following updates:
5.2.5→5.3.4GitHub Vulnerability Alerts
CVE-2026-25128
Summary
A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g.,
&#​9999999;or�). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.Details
The vulnerability exists in
/src/xmlparser/OrderedObjParser.jsat lines 44-45:The
String.fromCodePoint()method throws aRangeErrorwhen the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:[0-9]{1,7}matches up to 9,999,999[0-9a-fA-F]{1,6}matches up to 0xFFFFFF (16,777,215)The entity replacement in
replaceEntitiesValue()(line 452) has no try-catch:This causes the RangeError to propagate uncaught, crashing the parser and any application using it.
PoC
Setup
Create a directory with these files:
package.json
{ "dependencies": { "fast-xml-parser": "^5.3.3" } }server.js
Run
Result
Server crashes with:
Alternative Payloads
Impact
Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:
A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.
Release Notes
NaturalIntelligence/fast-xml-parser (fast-xml-parser)
v5.3.4: fix: handle HTML numeric and hex entities when out of rangeCompare Source
v5.3.3: bug fix and performance improvementsCompare Source
v5.3.2Compare Source
v5.3.1Compare Source
v5.3.0Compare Source
Configuration
📅 Schedule: Branch creation - "" in timezone America/Vancouver, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.