CVE-2026-25128
Published: 30 January 2026
Summary
CVE-2026-25128 is a high-severity Improper Input Validation (CWE-20) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Prevents abrupt termination from uncaught exceptions by requiring a defined, preserved-state failure mode.
- Directly implements checks on information inputs to reject invalid data before processing.
- Requires pre-defined safe responses for uncaught exceptions so they do not result in undefined or insecure program termination.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote denial of service: malformed XML input triggers an uncaught RangeError in the parser (CWE-20/CWE-248), which matches Application or System Exploitation (T1499.004) through its impact on endpoint availability.
NVD Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Deeper analysis
CVE-2026-25128 is a RangeError vulnerability in the fast-xml-parser JavaScript library, which enables XML validation, parsing to JavaScript objects, or building XML from objects without C/C++ dependencies or callbacks. The issue affects versions 5.0.9 through 5.3.3, where processing numeric entities with out-of-range code points, such as � or �, triggers an uncaught exception during XML parsing. This flaw, linked to CWE-20 (Improper Input Validation) and CWE-248 (Uncaught Exception), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption.
Attackers can exploit this remotely over the network with low complexity and no authentication or user interaction required. By supplying untrusted XML input containing malformed numeric entities to any application relying on the vulnerable fast-xml-parser versions, an attacker induces a crash via the uncaught RangeError exception. The result is a denial-of-service condition, halting the application and potentially disrupting services that process XML, such as web APIs or data pipelines.
Mitigation involves upgrading to fast-xml-parser version 5.3.4, which addresses the entity processing flaw. The fix is detailed in the project's GitHub security advisory (GHSA-37qj-frw5-hhjh), the release notes for v5.3.4, and the patching commit (4e387f61c4a5cef792f6a2f42467013290bf95dc). Security practitioners should audit dependencies and apply the update promptly for affected Node.js or browser-based applications.
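The failure mode described above, and the two defensive controls listed earlier (validating inputs before processing, and a defined failure mode for uncaught exceptions), as an added illustration that is not fast-xml-parser's own code: a numeric character reference decoder in a naive form that propagates the RangeError, a hardened form that validates the code point against the XML Char production before calling String.fromCodePoint, and an exception boundary for parsing untrusted input. The sample document, the function names and the range of values rejected are this example's own assumptions.

```javascript
// Added example, not fast-xml-parser's own code: numeric character reference
// (&#NNN; / &#xHHH;) decoding in naive and hardened forms, plus a wrapper that
// contains parser exceptions so untrusted input cannot crash the process.
const NUMERIC_REF = /&#([0-9]+|[xX][0-9a-fA-F]+);/g;

function codePointOf(body) {
  return body[0] === 'x' || body[0] === 'X'
    ? parseInt(body.slice(1), 16)
    : parseInt(body, 10);
}

// Naive form: mirrors the failure mode in the advisory. String.fromCodePoint
// throws RangeError for any value above 0x10FFFF, and nothing here catches it.
function decodeNumericRefsNaive(text) {
  return text.replace(NUMERIC_REF, (_, body) => String.fromCodePoint(codePointOf(body)));
}

// XML 1.0 Char production:
// #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
function isXmlChar(cp) {
  return cp === 0x9 || cp === 0xA || cp === 0xD ||
    (cp >= 0x20 && cp <= 0xD7FF) ||
    (cp >= 0xE000 && cp <= 0xFFFD) ||
    (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Hardened form: validate before converting. Out-of-range, surrogate and other
// non-Char values are kept as the literal reference text instead of being
// handed to String.fromCodePoint.
function decodeNumericRefsSafe(text) {
  return text.replace(NUMERIC_REF, (match, body) => {
    const cp = codePointOf(body);
    return Number.isSafeInteger(cp) && isXmlChar(cp) ? String.fromCodePoint(cp) : match;
  });
}

// Defined failure mode for CWE-248: run any parser over untrusted input inside
// a boundary that turns an exception into a handled result the caller checks.
function parseUntrusted(parseFn, input) {
  try {
    return { ok: true, value: parseFn(input) };
  } catch (err) {
    return { ok: false, error: err instanceof Error ? err.name : String(err) };
  }
}

// Constructed sample input: one in-range reference followed by one above
// 0x10FFFF, the condition the advisory describes.
const SAMPLE = '<doc>&#x41;&#x110000;</doc>';
```

Run with `node`; the naive decoder fails on SAMPLE with a RangeError that parseUntrusted reports instead of letting it terminate the process, while the hardened decoder returns the document with the invalid reference left verbatim.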
Details
- CWE(s)