Skip to content

chore(deps): Update dependency fast-xml-parser to v5.3.4 [SECURITY] (next)#4855

Open
renovate[bot] wants to merge 1 commit intonextfrom
renovate/next-npm-fast-xml-parser-vulnerability
Open

chore(deps): Update dependency fast-xml-parser to v5.3.4 [SECURITY] (next)#4855
renovate[bot] wants to merge 1 commit intonextfrom
renovate/next-npm-fast-xml-parser-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 31, 2026

This PR contains the following updates:

Package Change Age Confidence
fast-xml-parser 5.2.55.3.4 age confidence

GitHub Vulnerability Alerts

CVE-2026-25128

Summary

A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., &#​9999999; or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.

Details

The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:

"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },
"num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },

The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:

  • [0-9]{1,7} matches up to 9,999,999
  • [0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)

The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:

val = val.replace(entity.regex, entity.val);

This causes the RangeError to propagate uncaught, crashing the parser and any application using it.

PoC

Setup

Create a directory with these files:

poc/
├── package.json
├── server.js

package.json

{ "dependencies": { "fast-xml-parser": "^5.3.3" } }

server.js

const http = require('http');
const { XMLParser } = require('fast-xml-parser');

const parser = new XMLParser({ processEntities: true, htmlEntities: true });

http.createServer((req, res) => {
  if (req.method === 'POST' && req.url === '/parse') {
    let body = '';
    req.on('data', c => body += c);
    req.on('end', () => {
      const result = parser.parse(body);  // No try-catch - will crash!
      res.end(JSON.stringify(result));
    });
  } else {
    res.end('POST /parse with XML body');
  }
}).listen(3000, () => console.log('http://localhost:3000'));

Run

# Setup
npm install

# Terminal 1: Start server
node server.js

# Terminal 2: Send malicious payload (server will crash)
curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>&#&#8203;9999999;</root>' http://localhost:3000/parse

Result

Server crashes with:

RangeError: Invalid code point 9999999

Alternative Payloads

<!-- Hex variant -->
<?xml version="1.0"?><root>&#xFFFFFF;</root>

<!-- In attribute -->
<?xml version="1.0"?><root attr="&#&#8203;9999999;"/>

Impact

Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:

  • API servers accepting XML payloads
  • File processors parsing uploaded XML files
  • Message queues consuming XML messages
  • RSS/Atom feed parsers
  • SOAP/XML-RPC services

A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.3.4: fix: handle HTML numeric and hex entities when out of range

Compare Source

v5.3.3: bug fix and performance improvements

Compare Source

  • fix #​775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
  • Performance improvement for stopNodes (By Maciek Lamberski)

v5.3.2

Compare Source

v5.3.1

Compare Source

v5.3.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@coderabbitai
Copy link

coderabbitai bot commented Jan 31, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@cypress
Copy link

cypress bot commented Jan 31, 2026

next-core    Run #11928

Run Properties:  status check passed Passed #11928  •  git commit 03243d59d7 ℹ️: Merge fffe855d67ae3f589378f36dec5835592dc78954 into f3386823e092033445871a2d5f7a...
Project next-core
Branch Review renovate/next-npm-fast-xml-parser-vulnerability
Run status status check passed Passed #11928
Run duration 00m 25s
Commit git commit 03243d59d7 ℹ️: Merge fffe855d67ae3f589378f36dec5835592dc78954 into f3386823e092033445871a2d5f7a...
Committer renovate[bot]
View all properties for this run ↗︎
Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 17
View all changes introduced in this branch ↗︎

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@weareoutman weareoutman

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@weareoutman