CVE-2026-25128
Published: 30 January 2026
Summary
CVE-2026-25128 is a high-severity Improper Input Validation (CWE-20) vulnerability in NaturalIntelligence's fast-xml-parser (the fast-xml-parser npm package). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). The vulnerability ranks at the 22.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25128 is an uncaught RangeError in the fast-xml-parser JavaScript library, which validates XML, parses XML into JavaScript objects and builds XML from objects without C/C++ dependencies or callbacks. Versions 5.0.9 through 5.3.3 are affected. When the parser decodes a numeric character reference (the `&#NNN;` or `&#xHHH;` form) whose code point is out of range, that is, above U+10FFFF, the largest value JavaScript's String.fromCodePoint accepts before throwing a RangeError, the exception escapes the parser uncaught. The flaw is classified as CWE-20 (Improper Input Validation) and CWE-248 (Uncaught Exception) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): the impact is confined to availability (A:H), with no confidentiality or integrity loss, but it is reachable from the network with no privileges and no user interaction.
Exploitation is remote, low complexity, and needs neither authentication nor user interaction. Supplying untrusted XML that contains such a reference to any application parsing it with an affected fast-xml-parser version raises the RangeError; if no caller catches it, the result is a denial of service. In Node.js an uncaught exception terminates the process by default, so a single request can take down an entire service that parses XML, such as a web API or a data pipeline; in a browser it aborts the running script.
Mitigation is to upgrade to fast-xml-parser 5.3.4 or later, which addresses the entity processing flaw. The fix is documented in the project's GitHub security advisory (GHSA-37qj-frw5-hhjh), the v5.3.4 release notes and the patching commit (4e387f61c4a5cef792f6a2f42467013290bf95dc). Because the library is frequently present only as a transitive dependency, audit the full dependency tree (for example with `npm ls fast-xml-parser`) rather than direct dependencies alone, and apply the update promptly to affected Node.js and browser-based applications. Where an immediate upgrade is not possible, wrap parse calls in error handling and reject numeric character references above U+10FFFF before the text reaches the parser.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5026
Vulnerability details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (numeric character references to code points above U+10FFFF). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
- CWE(s): CWE-20 (Improper Input Validation); CWE-248 (Uncaught Exception)
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The vulnerability directly enables a remote DoS: a malformed numeric entity in attacker-supplied XML triggers an uncaught RangeError in the parser (CWE-20/CWE-248), which matches Application or System Exploitation, the endpoint-availability sub-technique of Endpoint Denial of Service.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): upgrade fast-xml-parser to version 5.3.4 or later, which removes the RangeError condition in numeric entity processing; this is the only control that fixes the root cause.
- SI-11 (Error Handling): wrap parse calls so that a RangeError raised by an out-of-range XML entity is caught and turned into a rejected request or a logged failure rather than an uncaught exception that crashes the process.
- SI-10 (Information Input Validation): reject XML containing numeric character references to code points above U+10FFFF before the text reaches the vulnerable parser, so the crash condition is never triggered.
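The following is an added example written for this page; it is not code from fast-xml-parser, its advisory, or its patch. It reproduces the class of bug described under Deeper analysis with a minimal numeric character reference decoder, then shows the three controls listed above: the range check a patched decoder needs (SI-2), an input gate that rejects out-of-range references before parsing (SI-10), and an error boundary that stops a stray RangeError from taking the process down (SI-11). The function names, the entity regex, the U+FFFD substitution policy and the sample documents are all this example's own assumptions.

```javascript
// Added example, not fast-xml-parser's own code. Demonstrates the bug class
// behind CVE-2026-25128 and the compensating controls around it.

// Matches decimal (&#233;) and hex (&#xE9;) numeric character references.
const NUMERIC_REF = /&#(x[0-9a-fA-F]+|[0-9]+);/g;
const MAX_CODE_POINT = 0x10ffff; // last code point String.fromCodePoint accepts

// Turn the body of a reference into an integer (hex when it starts with "x").
function refToCodePoint(body) {
  return body[0] === "x" ? parseInt(body.slice(1), 16) : parseInt(body, 10);
}

// String.fromCodePoint throws RangeError for anything above U+10FFFF, so the
// decoder has to check the value itself (otherwise CWE-20 leads to CWE-248).
// Number.isInteger also rejects the Infinity parseInt yields for huge digit runs.
function isValidCodePoint(cp) {
  return Number.isInteger(cp) && cp >= 0 && cp <= MAX_CODE_POINT;
}

// Vulnerable shape: trusts the parsed integer and converts it directly.
function decodeEntitiesUnsafe(xml) {
  return xml.replace(NUMERIC_REF, (_, body) =>
    String.fromCodePoint(refToCodePoint(body)));
}

// Patched shape: validates first; invalid references become U+FFFD
// (one reasonable policy; failing the whole document is another).
function decodeEntitiesSafe(xml) {
  return xml.replace(NUMERIC_REF, (_, body) => {
    const cp = refToCodePoint(body);
    return isValidCodePoint(cp) ? String.fromCodePoint(cp) : "\uFFFD";
  });
}

// SI-10 style gate: list every numeric reference in the raw text whose code
// point is out of range, so a caller can reject the document before it reaches
// a parser that cannot be upgraded yet.
function findOutOfRangeRefs(xml) {
  const bad = [];
  for (const m of xml.matchAll(NUMERIC_REF)) {
    if (!isValidCodePoint(refToCodePoint(m[1]))) bad.push(m[0]);
  }
  return bad;
}

// SI-11 style boundary: run any parser, but convert a RangeError into a
// structured failure instead of an uncaught exception. Other errors are
// rethrown so genuine bugs are not silently swallowed.
function parseGuarded(xml, parse) {
  const refs = findOutOfRangeRefs(xml);
  if (refs.length > 0) return { ok: false, reason: "rejected", refs };
  try {
    return { ok: true, value: parse(xml) };
  } catch (e) {
    if (e instanceof RangeError) {
      return { ok: false, reason: "parser-error", message: e.message };
    }
    throw e;
  }
}

// Constructed sample inputs (not from the advisory): a benign document and
// one carrying references just past the end of the Unicode range
// (0x110000 == 1114112, one above U+10FFFF).
const BENIGN = "<note>caf&#233; &#x41;</note>";
const HOSTILE = "<note>caf&#233; &#x110000; &#1114112;</note>";

// Does the unsafe decoder die with a RangeError on this input?
function unsafeCrashes(xml) {
  try { decodeEntitiesUnsafe(xml); return false; }
  catch (e) { return e instanceof RangeError; }
}

console.log("benign, unsafe decoder :", decodeEntitiesUnsafe(BENIGN));
console.log("hostile, unsafe crashes:", unsafeCrashes(HOSTILE));
console.log("hostile, safe decoder  :", decodeEntitiesSafe(HOSTILE));
console.log("hostile, gated parse   :", parseGuarded(HOSTILE, decodeEntitiesUnsafe));
```

`parseGuarded` takes the parser as a function so the same gate and boundary can sit in front of the real library's `XMLParser.parse` during the window before 5.3.4 is deployed; neither control replaces the upgrade, since they only cover the one failure mode this advisory describes.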