npm package
fast-xml-parser
pkg:npm/fast-xml-parser
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41650 | Med | 6.1 | < 5.7.0 | 5.7.0 | May 7, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This | |
| CVE-2026-33349 | — | >= 4.0.0-beta.3, < 4.5.5 | 4.5.5 | Mar 24, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration | ||
| CVE-2026-33036 | — | >= 5.0.0, < 5.5.6 | 5.5.6 | Mar 20, 2026 | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa | ||
| CVE-2026-27942 | — | >= 5.0.0, < 5.3.8 | 5.3.8 | Feb 26, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 | ||
| CVE-2026-25896 | — | >= 5.0.0, < 5.3.5 | 5.3.5 | Feb 20, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an att | ||
| CVE-2026-26278 | — | >= 4.1.3, < 4.5.4 | 4.5.4 | Feb 19, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu | ||
| CVE-2026-25128 | — | >= 5.0.9, < 5.3.4 | 5.3.4 | Jan 30, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML | ||
| CVE-2024-41818 | — | >= 4.3.5, < 4.4.1 | 4.4.1 | Jul 29, 2024 | fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1. | ||
| CVE-2023-26920 | — | < 4.1.2 | 4.1.2 | Dec 12, 2023 | fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. | ||
| CVE-2023-34104 | — | >= 4.1.3, < 4.2.4 | 4.2.4 | Jun 6, 2023 | fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can a |
- affected < 5.7.0fixed 5.7.0
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This
- CVE-2026-33349Mar 24, 2026affected >= 4.0.0-beta.3, < 4.5.5fixed 4.5.5
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration
- CVE-2026-33036Mar 20, 2026affected >= 5.0.0, < 5.5.6fixed 5.5.6
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa
- CVE-2026-27942Feb 26, 2026affected >= 5.0.0, < 5.3.8fixed 5.3.8
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8
- CVE-2026-25896Feb 20, 2026affected >= 5.0.0, < 5.3.5fixed 5.3.5
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an att
- CVE-2026-26278Feb 19, 2026affected >= 4.1.3, < 4.5.4fixed 4.5.4
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML inpu
- CVE-2026-25128Jan 30, 2026affected >= 5.0.9, < 5.3.4fixed 5.3.4
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML
- CVE-2024-41818Jul 29, 2024affected >= 4.3.5, < 4.4.1fixed 4.4.1
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
- CVE-2023-26920Dec 12, 2023affected < 4.1.2fixed 4.1.2
fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.
- CVE-2023-34104Jun 6, 2023affected >= 4.1.3, < 4.2.4fixed 4.2.4
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can a