7.5
CVE-2026-25128
- EPSS 0.56%
- Veröffentlicht 30.01.2026 15:14:58
- Zuletzt bearbeitet 27.02.2026 20:22:44
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
fast-xml-parser has RangeError DoS Numeric Entities Bug
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Naturalintelligence ≫ Fast-xml-parser Version >= 5.0.9 < 5.3.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.56% | 0.42 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-248 Uncaught Exception
An exception is thrown from a function, but it is not caught.
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh
https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4