Vulnerability Details CVE-2026-25128
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.8%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-25128
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.0.9
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.1.0
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.0
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.1
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.2
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.3
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.4
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.2.5
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.3.0
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.3.1
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.3.2
-
cpe:2.3:a:naturalintelligence:fast-xml-parser:5.3.3