High severity · OSV Advisory · Published Jan 30, 2026 · Updated Feb 11, 2026
fast-xml-parser has RangeError DoS Numeric Entities Bug
CVE-2026-25128
Description
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++-based libraries or callbacks. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points. This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
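A defensive pre-parse check for the condition described above, added here as an illustration and not taken from fast-xml-parser or the advisory: it flags numeric character references above U+10FFFF in untrusted XML and contains any exception the parser still throws. `findOutOfRangeEntities`, `safeParse` and `naiveDecode` are hypothetical names, the sample documents are constructed, and `naiveDecode` assumes the failure behaves like `String.fromCodePoint`, which throws RangeError above 0x10FFFF.

```javascript
// Added example, not fast-xml-parser code. All names here are hypothetical.
const MAX_CODE_POINT = 0x10ffffn; // highest valid Unicode code point
const NUMERIC_REF = /&#(?:([0-9]+)|[xX]([0-9a-fA-F]+));/g;

// Return every numeric character reference whose value is above U+10FFFF.
function findOutOfRangeEntities(xml) {
  const hits = [];
  for (const m of xml.matchAll(NUMERIC_REF)) {
    // BigInt keeps very long digit runs exact instead of rounding them.
    const value = m[1] !== undefined ? BigInt(m[1]) : BigInt("0x" + m[2]);
    if (value > MAX_CODE_POINT) hits.push({ ref: m[0], offset: m.index });
  }
  return hits;
}

// Stand-in decoder (assumed failure model): String.fromCodePoint throws
// RangeError for any argument above 0x10FFFF.
function naiveDecode(xml) {
  return xml.replace(NUMERIC_REF, (_, dec, hex) =>
    String.fromCodePoint(dec !== undefined ? parseInt(dec, 10) : parseInt(hex, 16)));
}

// Reject flagged input up front and contain any exception from `parse`.
function safeParse(xml, parse) {
  const entities = findOutOfRangeEntities(xml);
  if (entities.length > 0) {
    return { ok: false, reason: "out-of-range numeric entity", entities };
  }
  try {
    return { ok: true, value: parse(xml) };
  } catch (err) {
    return { ok: false, reason: `${err.name}: ${err.message}`, entities };
  }
}

// Constructed sample documents.
const samples = ["<a>&#65;</a>", "<a>&#x10FFFF;</a>", "<a>&#9999999;</a>", "<a>&#xFFFFFF;</a>"];
for (const xml of samples) {
  console.log(xml, JSON.stringify(safeParse(xml, naiveDecode)));
}
```

In a real service, `parse` would be the call that hands the text to the XML parser; the guard complements upgrading to the fixed version rather than replacing it.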
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-xml-parser (npm) | >= 5.0.9, < 5.3.4 | 5.3.4 |
Affected products (43)
- Range: v5.0.9, v5.1.0, v5.2.0, …
- osv-coords, 42 versions:

| Package URL | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/dbgate | (no CPE) | < 7.0.0-r1 |
| pkg:apk/chainguard/dbgate-fips | (no CPE) | < 7.0.1-r0 |
| pkg:apk/chainguard/jitsucom-jitsu-console | (no CPE) | < 2.11.0-r14 |
| pkg:apk/chainguard/kibana-8.17 | (no CPE) | < 8.17.10-r8 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | (no CPE) | < 8.17.10-r8 |
| pkg:apk/chainguard/kibana-8.18 | (no CPE) | < 8.18.8-r8 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | (no CPE) | < 8.18.8-r8 |
| pkg:apk/chainguard/kibana-8.19 | (no CPE) | < 8.19.10-r3 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | (no CPE) | < 8.19.10-r3 |
| pkg:apk/chainguard/kibana-9.0 | (no CPE) | < 9.0.8-r9 |
| pkg:apk/chainguard/kibana-9.0-bitnami | (no CPE) | < 9.0.8-r9 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | (no CPE) | < 9.0.8-r9 |
| pkg:apk/chainguard/kibana-9.1 | (no CPE) | < 9.1.10-r3 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | (no CPE) | < 9.1.10-r3 |
| pkg:apk/chainguard/kibana-9.2 | (no CPE) | < 9.2.5-r0 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | (no CPE) | < 9.2.5-r0 |
| pkg:apk/chainguard/kibana-9.3 | (no CPE) | < 9.3.0-r1 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | (no CPE) | < 9.3.0-r1 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | (no CPE) | < 2.15.0-r10 |
| pkg:apk/chainguard/langfuse-2-worker | (no CPE) | < 2.95.12-r8 |
| pkg:apk/chainguard/langfuse-3 | (no CPE) | < 3.150.0-r0 |
| pkg:apk/chainguard/langfuse-3-worker | (no CPE) | < 3.153.0-r2 |
| pkg:apk/chainguard/langfuse-fips-2-worker | (no CPE) | < 2.95.12-r9 |
| pkg:apk/chainguard/langfuse-fips-3 | (no CPE) | < 3.152.0-r0 |
| pkg:apk/chainguard/langfuse-fips-3-worker | (no CPE) | < 3.153.0-r1 |
| pkg:apk/chainguard/librechat | (no CPE) | < 0.8.2-r3 |
| pkg:apk/chainguard/opensearch-dashboards-3 | (no CPE) | < 3.4.0-r3 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | (no CPE) | < 3.4.0-r4 |
| pkg:apk/chainguard/prism | (no CPE) | < 5.14.3-r5 |
| pkg:apk/chainguard/renovate | (no CPE) | < 43.3.1-r0 |
| pkg:apk/chainguard/tileserver-gl | (no CPE) | < 5.5.0-r4 |
| pkg:apk/chainguard/tileserver-gl-fips | (no CPE) | < 5.5.0-r5 |
| pkg:apk/wolfi/jitsucom-jitsu-console | (no CPE) | < 2.11.0-r14 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | (no CPE) | < 2.15.0-r10 |
| pkg:apk/wolfi/langfuse-3 | (no CPE) | < 3.150.0-r0 |
| pkg:apk/wolfi/langfuse-3-worker | (no CPE) | < 3.153.0-r2 |
| pkg:apk/wolfi/opensearch-dashboards-3 | (no CPE) | < 3.4.0-r3 |
| pkg:apk/wolfi/prism | (no CPE) | < 5.14.3-r5 |
| pkg:apk/wolfi/renovate | (no CPE) | < 43.3.1-r0 |
| pkg:apk/wolfi/tileserver-gl | (no CPE) | < 5.5.0-r4 |
| pkg:npm/fast-xml-parser | (no CPE) | >= 5.0.9, < 5.3.4 |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | (no CPE) | < 0.7.0.4.git185.a5708584-2.1 |
References (5)
- github.com/advisories/GHSA-37qj-frw5-hhjh (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25128 (ghsa; ADVISORY)
- github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc (ghsa; x_refsource_MISC; WEB)
- github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4 (ghsa; x_refsource_MISC; WEB)
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh (ghsa; x_refsource_CONFIRM; WEB)