
CVE-2026-25128

Severity: High · Public PoC referenced

Published: 30 January 2026

Modified: 27 February 2026
KEV Added: not listed
Patch: available (upgrade to 5.3.4)
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0007 (22.5th percentile)
Risk Priority: 15 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25128 is a high-severity Improper Input Validation (CWE-20) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 22.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25128 is an uncaught RangeError vulnerability in the fast-xml-parser JavaScript library, which validates XML, parses XML into JavaScript objects, and builds XML from objects without C/C++ dependencies or callbacks. Versions 5.0.9 through 5.3.3 are affected: when the parser processes a numeric character reference whose code point lies outside the valid Unicode range, the conversion throws a RangeError that the library does not catch, so the exception propagates out of the parse call. The flaw is classified as CWE-20 (Improper Input Validation) and CWE-248 (Uncaught Exception) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting a high-impact availability disruption with no confidentiality or integrity impact.

Attackers can exploit this remotely over the network with low complexity and no authentication or user interaction required. By supplying untrusted XML input containing malformed numeric entities to any application relying on the vulnerable fast-xml-parser versions, an attacker induces a crash via the uncaught RangeError exception. The result is a denial-of-service condition, halting the application and potentially disrupting services that process XML, such as web APIs or data pipelines.

Mitigation involves upgrading to fast-xml-parser version 5.3.4, which addresses the entity processing flaw. The fix is detailed in the project's GitHub security advisory (GHSA-37qj-frw5-hhjh), the release notes for v5.3.4, and the patching commit (4e387f61c4a5cef792f6a2f42467013290bf95dc). Security practitioners should audit dependencies and apply the update promptly for affected Node.js or browser-based applications.

EU & UK References

Vulnerability details

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points. This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

CWE(s)

CWE-20 Improper Input Validation; CWE-248 Uncaught Exception

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability directly enables remote denial of service: malformed XML input triggers an uncaught RangeError in the parser (CWE-20/CWE-248), which matches application or system exploitation for an availability impact on the endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33036 · Same product: Naturalintelligence Fast-Xml-Parser
CVE-2026-26278 · Same product: Naturalintelligence Fast-Xml-Parser
CVE-2026-27942 · Same product: Naturalintelligence Fast-Xml-Parser
CVE-2026-25896 · Same product: Naturalintelligence Fast-Xml-Parser
CVE-2026-22862 · Shared CWE-20
CVE-2026-22868 · Shared CWE-20
CVE-2025-20171 · Shared CWE-248
CVE-2026-34752 · Shared CWE-248
CVE-2025-70123 · Shared CWE-20
CVE-2026-43988 · Shared CWE-248

Affected Assets

Vendor: naturalintelligence
Product: fast-xml-parser
Versions: 5.0.9 — 5.3.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

prevent · SI-2 Flaw Remediation
Timely flaw remediation requires upgrading fast-xml-parser to version 5.3.4, which directly eliminates the RangeError during numeric entity processing.

prevent · SI-11 Error Handling
Error handling ensures that a RangeError raised by an out-of-range XML entity is caught and managed gracefully instead of crashing the application, removing the DoS condition.

prevent · SI-10 Information Input Validation
Information input validation rejects XML inputs containing out-of-range numeric entities before they reach the vulnerable fast-xml-parser, so the crash condition is never triggered.
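The two compensating controls listed above (input validation and error handling) written out in plain JavaScript, as an added example that is not code from the advisory or from the fast-xml-parser project. It assumes only built-in String.fromCodePoint, whose RangeError on code points above 0x10FFFF (the Unicode maximum) is the mechanism behind this class of crash; `naiveDecodeEntities` is a constructed stand-in for a vulnerable decoder, not the library's code. With the real library the application's own parse call would be passed as `parseFn`, for instance `(xml) => new XMLParser().parse(xml)` (assumed API, not exercised here). Upgrading to 5.3.4 remains the fix; these layers reduce exposure while the upgrade is rolled out.

```javascript
// Added example; not code from the advisory or from the fast-xml-parser project.
// Two defensive layers for a service that parses untrusted XML:
//   1. reject numeric character references whose code point is outside the
//      Unicode range before the document reaches the parser (input validation);
//   2. catch a RangeError the parser may still throw and return a failure value
//      instead of letting the exception take the process down (error handling).

const MAX_CODE_POINT = 0x10ffff; // highest code point String.fromCodePoint accepts

// Decimal (&#233;) and hexadecimal (&#x1F600;) numeric character references.
const NUMERIC_REF_RE = /&#(x[0-9a-fA-F]+|[0-9]+);/g;

// Converts the captured body of a reference ("x1F600" or "233") to a number.
function refToCodePoint(body) {
  return body[0] === 'x' ? parseInt(body.slice(1), 16) : parseInt(body, 10);
}

// Layer 1: list every reference whose code point cannot be a Unicode character.
// An empty array means the document passes this check.
function findOutOfRangeEntities(xml) {
  const offenders = [];
  for (const m of xml.matchAll(NUMERIC_REF_RE)) {
    const cp = refToCodePoint(m[1]);
    if (!Number.isFinite(cp) || cp > MAX_CODE_POINT) {
      offenders.push({ entity: m[0], offset: m.index, codePoint: cp });
    }
  }
  return offenders;
}

// Constructed stand-in for a decoder with the vulnerable behaviour (not the
// library's code): String.fromCodePoint throws RangeError above 0x10FFFF.
function naiveDecodeEntities(xml) {
  return xml.replace(NUMERIC_REF_RE, (_, body) => String.fromCodePoint(refToCodePoint(body)));
}

// Layer 2: run any parse function under both checks. parseFn is whatever the
// application uses; with fast-xml-parser it would wrap XMLParser#parse (assumed API).
function safeParse(xml, parseFn, { prevalidate = true } = {}) {
  if (prevalidate) {
    const offenders = findOutOfRangeEntities(xml);
    if (offenders.length > 0) {
      return { ok: false, reason: 'out-of-range numeric entity', offenders };
    }
  }
  try {
    return { ok: true, value: parseFn(xml) };
  } catch (err) {
    if (err instanceof RangeError) {
      // The parser rejected the document; report it instead of crashing.
      return { ok: false, reason: 'parser raised RangeError', offenders: [] };
    }
    throw err; // anything else is unexpected and should surface normally
  }
}

// Constructed sample documents for the demonstration.
const GOOD_XML = '<doc>caf&#233; &#x1F600;</doc>';       // valid references
const BAD_XML = '<doc>&#x110000; and &#1114112;</doc>';  // first code point past U+10FFFF, hex and decimal

// Runs all three paths and returns the outcomes so a caller can inspect them.
function demo() {
  return {
    clean: safeParse(GOOD_XML, naiveDecodeEntities),
    blocked: safeParse(BAD_XML, naiveDecodeEntities),
    caught: safeParse(BAD_XML, naiveDecodeEntities, { prevalidate: false }),
  };
}
```

`demo()` shows the three outcomes: a clean document decodes normally, a document with an oversized reference is stopped by the pre-check before any parser runs, and with the pre-check disabled the RangeError from the decoder is converted into a failure value rather than an uncaught exception. Non-RangeError exceptions are deliberately rethrown so that genuine bugs are not masked.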

References