CVE-2026-25128 — Vulnetix

CVE-2026-25128 PUBLISHED CVSS 7.5 HIGH

fast-xml-parser has RangeError DoS Numeric Entities Bug

EPSS 0.07% · 22.6th percentile

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.07%

22.6th percentile

Affected Products

Vendor	Product	Versions
npm	fast-xml-parser	5.0.9, 5.0.9
naturalintelligence	fast-xml-parser	5.0.9, 5.0.9
NaturalIntelligence	fast-xml-parser	>= 5.0.9, <= 5.3.3, >= 5.0.9, <= 5.3.3

Exploit Intelligence

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh (nist-nvd)
CIRCL seen: CVE-2026-25128 (circl-sighting)
CIRCL seen: CVE-2026-25128 (circl-sighting)
CIRCL seen: CVE-2026-25128 (circl-sighting)
CIRCL seen: CVE-2026-25128 (circl-sighting)
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4 (circl)
https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc (circl)
dacpacExtractor.test.ts (github-poc)
dacpacExtractor.test.ts (github-poc)
dacpacExtractor.test.ts (github-poc)

…and 4 more exploits

Timeline

Jan 30, 2026 CVE Published
Jan 30, 2026 PoC Published
Jan 30, 2026 PoC Published
Jan 30, 2026 PoC Published
Jan 31, 2026 EPSS Score
Feb 2, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 7, 2026 EPSS Score
Feb 10, 2026 EPSS Score
Feb 11, 2026 CVE Updated
Feb 12, 2026 EPSS Score
Feb 14, 2026 EPSS Score

References

Open in Interactive Console →

$ Console Community · 100/wk Open console ›