Description
Vulnerable Library - react-native-0.74.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (react-native version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2026-25896 | 9.3 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-33036 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-26278 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-25128 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-33349 | 5.9 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-27942 | 5.3 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-25896
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and with no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-25896
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-20
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.5
Step up your Open Source Security Game with Mend here
CVE-2026-33036
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to process XML from a JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities, while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references such as `&#65;` can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-20
URL: CVE-2026-33036
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8gc5-j5rx-235r
Release Date: 2026-03-18
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.5.6
CVE-2026-26278
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and with no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it is possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid DOCTYPE entity processing by setting the "processEntities: false" option.
Publish Date: 2026-02-19
URL: CVE-2026-26278
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jmr7-xgp7-cmfj
Release Date: 2026-02-17
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.6
CVE-2026-25128
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and with no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., numeric character references whose value exceeds U+10FFFF). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Publish Date: 2026-01-30
URL: CVE-2026-25128
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-30
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.4
CVE-2026-33349
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
Summary
The "DocTypeReader" in fast-xml-parser uses JavaScript truthy checks to evaluate the "maxEntityCount" and "maxEntitySize" configuration limits. When a developer explicitly sets either limit to "0" — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of "0" in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service.

Details
"OptionsBuilder.js" correctly preserves a user-supplied value of "0" using nullish coalescing ("??"):

```js
// src/xmlparser/OptionsBuilder.js:111
maxEntityCount: value.maxEntityCount ?? 100,
// src/xmlparser/OptionsBuilder.js:107
maxEntitySize: value.maxEntitySize ?? 10000,
```

However, "DocTypeReader.js" uses truthy evaluation to check these limits. Because "0" is falsy in JavaScript, the entire guard expression short-circuits to "false", and the limit is never enforced:

```js
// src/xmlparser/DocTypeReader.js:30-32
if (this.options.enabled !== false &&
    this.options.maxEntityCount && // ← 0 is falsy, skips check
    entityCount >= this.options.maxEntityCount) {
  throw new Error("Entity count ...");
}

// src/xmlparser/DocTypeReader.js:128-130
if (this.options.enabled !== false &&
    this.options.maxEntitySize && // ← 0 is falsy, skips check
    entityValue.length > this.options.maxEntitySize) {
  throw new Error(`Entity "${entityName}" size ...`);
}
```

The execution flow is:
1. The developer configures "processEntities: { maxEntityCount: 0, maxEntitySize: 0 }" intending to block all entity definitions.
2. "OptionsBuilder.normalizeProcessEntities" preserves the "0" values via "??" (correct behavior).
3. An attacker supplies XML with a DOCTYPE containing many large entities.
4. "DocTypeReader.readDocType" evaluates "this.options.maxEntityCount && ..." — since "0" is falsy, the entire condition is "false".
5. "DocTypeReader.readEntityExp" evaluates "this.options.maxEntitySize && ..." — same result.
6. All entity count and size limits are bypassed; entities are parsed without restriction.

PoC

```js
const { XMLParser } = require("fast-xml-parser");

// Developer intends: "no entities allowed at all"
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 0, // should mean "zero entities allowed"
    maxEntitySize: 0   // should mean "zero-length entities only"
  }
});

// Generate XML with many large entities.
// The <!ENTITY ...> declaration was stripped when the advisory was rendered;
// it is reconstructed here with a value kept below the control test's maxEntitySize of 100.
let entities = "";
for (let i = 0; i < 1000; i++) {
  entities += `<!ENTITY e${i} "${"A".repeat(50)}">`;
}
const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
${entities}
]><foo>&e0;</foo>`;

// This should throw "Entity count exceeds maximum" but does not
try {
  parser.parse(xml);
  console.log("VULNERABLE: parsed without error, entities bypassed limits");
} catch (e) {
  console.log("SAFE:", e.message);
}

// Control test: setting maxEntityCount to 1 correctly blocks
const safeParser = new XMLParser({
  processEntities: { enabled: true, maxEntityCount: 1, maxEntitySize: 100 }
});
try {
  safeParser.parse(xml);
  console.log("ERROR: should have thrown");
} catch (e) {
  console.log("CONTROL:", e.message); // "Entity count (2) exceeds maximum allowed (1)"
}
```

Expected output:

```
VULNERABLE: parsed without error, entities bypassed limits
CONTROL: Entity count (2) exceeds maximum allowed (1)
```

Impact
- Denial of Service: An attacker supplying crafted XML with thousands of large entity definitions can exhaust server memory in applications where the developer configured "maxEntityCount: 0" or "maxEntitySize: 0", intending to prohibit entities entirely.
- Security control bypass: Developers who explicitly set restrictive limits to "0" receive no protection — the opposite of their intent. This creates a false sense of security.
- Scope: Only applications that explicitly set these limits to "0" are affected. The default configuration ("maxEntityCount: 100", "maxEntitySize: 10000") is not vulnerable. The "enabled: false" option correctly disables entity processing entirely and is not affected.

Recommended Fix
Replace the truthy checks in "DocTypeReader.js" with explicit type checks that correctly treat "0" as a valid numeric limit:

```js
// src/xmlparser/DocTypeReader.js:30-32 — replace:
if (this.options.enabled !== false && this.options.maxEntityCount && entityCount >= this.options.maxEntityCount) {
// with:
if (this.options.enabled !== false && typeof this.options.maxEntityCount === 'number' && entityCount >= this.options.maxEntityCount) {

// src/xmlparser/DocTypeReader.js:128-130 — replace:
if (this.options.enabled !== false && this.options.maxEntitySize && entityValue.length > this.options.maxEntitySize) {
// with:
if (this.options.enabled !== false && typeof this.options.maxEntitySize === 'number' && entityValue.length > this.options.maxEntitySize) {
```

Workaround
If you do not want entities processed, keep the processEntities flag set to false instead of setting any limit to 0.
Publish Date: 2026-03-20
URL: CVE-2026-33349
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp2q-39xq-3w4g
Release Date: 2026-03-19
Fix Resolution: fast-xml-parser - 5.5.7
CVE-2026-27942
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and with no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with "preserveOrder:true". Version 5.3.8 fixes the issue. As a workaround, use the XML builder with "preserveOrder:false" or check the input data before passing it to the builder.
Publish Date: 2026-02-26
URL: CVE-2026-27942
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-26
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.8, fast-xml-parser - 5.3.8