CVE-2026-25128 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-25128 PUBLISHED CVSS 7.5 HIGH

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

EPSS 0.07% · 22.2th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.07%

22.2th percentile

Affected Products

Vendor	Product	Versions
npm	fast-xml-parser	5.0.9
naturalintelligence	fast-xml-parser	5.0.9
NaturalIntelligence	fast-xml-parser	>= 5.0.9, <= 5.3.3

Timeline

Jan 30, 2026 CVE Published
Jan 30, 2026 PoC Published
Jan 30, 2026 PoC Published
Jan 30, 2026 PoC Published
Jan 31, 2026 EPSS Score
Feb 2, 2026 EPSS Score
Feb 4, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 7, 2026 EPSS Score
Feb 9, 2026 EPSS Score
Feb 11, 2026 CVE Updated
Feb 11, 2026 EPSS Score

References

Open in Interactive Console →