9 matches found
CVE-2024-41818
Technical details about CVE-2024-41818 are not provided in the connected documents. The initial entry records a ReDoS in fast-xml-parser's currency value parser (currency.js), fixed in 4.4.1. Monitor for updates.
CVE-2023-34104
CVE-2023-34104 is a ReDoS vulnerability in the Natural Intelligence fast-xml-parser used by IBM Cloud Pak for Data (and related IBM products). The flaw arises from unescaped/unsanitized special characters in entity names that are used to build a regex for entity replacement in DOCTYPE parsing, enab...
CVE-2026-25896
CVE-2026-25896 affects the Node.js XML parser fast-xml-parser. From 4.1.3 up to (but not including) 5.3.5, a dot in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing shadowing of built-in entities and bypassing encoding, which can lead to XSS when parsed out...
CVE-2026-41650
CVE-2026-41650 affects fast-xml-parser XMLBuilder prior to v5.7.0, where unescaped "-->" in comments and "]]>" in CDATA can lead to XML injection when user-controlled data is built into XML from JavaScript objects. This can enable XSS, SOAP injection, or data manipulation as described in th...
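To make the XML injection described in the CVE-2026-41650 entry concrete, here is an added example. It is not fast-xml-parser's code and not taken from the advisory: a naive builder that drops user-controlled values into a comment and a CDATA section, beside a hardened variant, with constructed attacker payloads and a crude breakout check. The function names and payloads are this example's own.

```javascript
"use strict";

// Added illustration, not fast-xml-parser's code: a naive builder that drops
// user-controlled values into comments and CDATA sections, beside a hardened one.

// Constructed attacker-controlled values; each tries to close its section early.
const CDATA_PAYLOAD = 'hello]]><script>alert(1)</script><![CDATA[';
const COMMENT_PAYLOAD = 'note--><script>alert(1)</script><!--';

// Naive: the value is trusted to stay inside the delimiters.
function naiveCdata(value) { return `<![CDATA[${value}]]>`; }
function naiveComment(value) { return `<!--${value}-->`; }

// Hardened CDATA: "]]>" cannot be escaped inside a section, so split it across two
// sections ("]]" ends the first, ">" starts the second). Read back, the text is identical.
function safeCdata(value) {
  return '<![CDATA[' + String(value).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Hardened comment: XML forbids "--" inside a comment and a trailing "-", and there is
// no escape mechanism, so refuse such values instead of emitting malformed markup.
function safeComment(value) {
  const s = String(value);
  if (s.includes('--') || s.endsWith('-')) {
    throw new Error('comment content may not contain "--" or end with "-"');
  }
  return `<!--${s}-->`;
}

// Crude check: after removing every comment and CDATA section, is any <script
// markup left at document level? True means the value broke out of its section.
function hasMarkupOutsideSections(xml) {
  const stripped = xml
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '')
    .replace(/<!--[\s\S]*?-->/g, '');
  return /<script/i.test(stripped);
}

// Yes/no wrapper around safeComment for callers that do not want an exception.
function commentAccepted(value) {
  try { safeComment(value); return true; } catch (e) { return false; }
}
```

The naive CDATA output parses as two CDATA sections with a live script element between them; the hardened output parses as two CDATA sections whose concatenated text is the original value, and nothing else.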
CVE-2026-33036
CVE-2026-33036 concerns the fast-xml-parser library. A bypass vulnerability in versions 4.0.0-beta.3 through 5.5.5 allows numeric character references (&#NNN;, &#xHH;) and standard XML entities to evade entity expansion limits (maxTotalExpansions, maxExpandedLength) intended to fix CVE-2026-26278...
CVE-2026-27942
CVE-2026-27942 affects fast-xml-parser. Before 5.3.8, XMLBuilder with preserveOrder: true can crash with a stack overflow. The issue is fixed in 5.3.8. Workarounds include building XML with preserveOrder: false or validating input data before passing to the builder. Connected sources also referen...
CVE-2026-25128
The CVE-2026-25128 issue affects the fast-xml-parser library (XMLParser) where numeric entity processing can trigger a RangeError when parsing out-of-range code points (for example a numeric character reference above U+10FFFF, which String.fromCodePoint rejects). The vulnerability exists in versions 4.3.6 through 5.3.3 and causes an uncaught exception, crashing applications ...
CVE-2026-26278
CVE-2026-26278 affects the fast-xml-parser library. In versions 4.1.3 through 5.3.5, the XML parser could be forced into unbounded entity expansion, causing a single small XML input to consume seconds/minutes of CPU time and freeze the app. The issue is resolved in version 5.3.6. A workaround is ...
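The CVE-2026-33036, CVE-2026-25128 and CVE-2026-26278 entries above all concern the same mechanism: reference expansion that is either unbounded, under-counted, or crashes on bad input. The following added example (not fast-xml-parser's code and not from any of the advisories) is a small expander in which every substitution, numeric and built-in references included, is charged against a shared budget, and numeric references are range-checked before String.fromCodePoint is called. The names, the budget fields and the sample entity sets are this example's own.

```javascript
"use strict";

// Added illustration, not fast-xml-parser's code: a small reference expander that
// charges every substitution (numeric and built-in references included) against a
// budget, and validates code points before calling String.fromCodePoint.

const BUILTIN = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
const REF = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_:][\w.:-]*);/g;

class ExpansionBudgetExceeded extends Error {}
class InvalidCharacterReference extends Error {}

// &#NNN; or &#xHH; -> string. XML's Char production excludes NUL, surrogates and
// anything above U+10FFFF; String.fromCodePoint throws RangeError above U+10FFFF,
// so reject first and hand the caller a typed error instead of an uncaught exception.
function decodeNumericRef(body) {
  const hex = /^#x([0-9a-fA-F]+)$/.exec(body);
  const cp = hex ? parseInt(hex[1], 16) : parseInt(body.slice(1), 10);
  const valid = Number.isFinite(cp) && cp > 0 && cp <= 0x10FFFF &&
                !(cp >= 0xD800 && cp <= 0xDFFF);
  if (!valid) throw new InvalidCharacterReference(`out-of-range character reference &${body};`);
  return String.fromCodePoint(cp);
}

// entities: DOCTYPE-declared name -> replacement text (may itself contain references).
// budget: caps on total substitutions and on total replacement text produced.
// state: shared across the recursion so nested expansions draw on one budget.
function expand(text, entities,
                budget = { maxTotalExpansions: 100, maxExpandedLength: 10000 },
                state = { expansions: 0, produced: 0 }) {
  return text.replace(REF, (whole, body) => {
    const declared = Object.prototype.hasOwnProperty.call(entities, body);
    let value;
    if (body[0] === '#') value = decodeNumericRef(body);
    else if (declared) value = entities[body];
    else if (Object.prototype.hasOwnProperty.call(BUILTIN, body)) value = BUILTIN[body];
    else return whole;                       // undeclared reference: leave untouched
    state.expansions += 1;                   // built-ins and numeric refs count too
    state.produced += value.length;          // raw replacement text inserted so far
    if (state.expansions > budget.maxTotalExpansions ||
        state.produced > budget.maxExpandedLength) {
      throw new ExpansionBudgetExceeded(
        `budget exceeded after ${state.expansions} expansions / ${state.produced} chars`);
    }
    // Declared entities may reference other entities; recurse with the same state so a
    // nested chain (billion laughs, or a self-reference) is cut off by the counters.
    return declared ? expand(value, entities, budget, state) : value;
  });
}

// Result object instead of exceptions, for callers and tests.
function tryExpand(text, entities, budget) {
  try {
    return { ok: true, value: expand(text, entities, budget) };
  } catch (e) {
    if (e instanceof ExpansionBudgetExceeded || e instanceof InvalidCharacterReference) {
      return { ok: false, error: e.constructor.name };
    }
    throw e;
  }
}
```

Because `&amp;` and `&#65;` are charged like any declared entity, a document that tries to spend the budget on built-in or numeric references is stopped at the same limit as one using DOCTYPE entities; the accounting is by substitutions performed and text inserted, not by entity kind.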
CVE-2026-33349
CVE-2026-33349 affects the fast-xml-parser library. The issue lives in the DocTypeReader for versions 4.0.0-beta.3 through before 5.5.7, where JavaScript truthy checks on maxEntityCount and maxEntitySize cause guard conditions to short‑circuit when 0 is explicitly set, bypassing limits. An attack...
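The CVE-2026-25896 entry (entity name interpolated into a regex, so a dot becomes a wildcard) and the CVE-2026-33349 entry (limit guarded by a truthy check, so an explicit 0 disables it) share one code shape: a DOCTYPE entity reader. The following added example is a toy reader written for this listing, not fast-xml-parser's code, in a variant that reproduces both flaw shapes and a variant that avoids them. The DOCTYPE samples, option names and function names are this example's own.

```javascript
"use strict";

// Added illustration, not fast-xml-parser's code: a toy DOCTYPE entity reader in a
// vulnerable and a hardened variant.

const ENTITY_DECL = /<!ENTITY\s+([^\s"'>]+)\s+"([^"]*)"\s*>/g;

// Vulnerable shape. `a.p` becomes /&a.p;/g, which also matches the built-in &amp;,
// and `opts.maxEntityCount && ...` is false when the caller explicitly sets 0.
function readEntitiesVulnerable(doctype, opts = {}) {
  const entities = [];
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    if (opts.maxEntityCount && entities.length >= opts.maxEntityCount) {
      throw new Error('too many entities');
    }
    entities.push({ regex: new RegExp('&' + m[1] + ';', 'g'), value: m[2] });
  }
  return entities;
}

function expandVulnerable(text, entities) {
  return entities.reduce((out, e) => out.replace(e.regex, e.value), text);
}

// Hardened shape: the name is matched as a literal string (no RegExp built from
// untrusted input), the limit applies whenever it is set, 0 included, and built-in
// names are refused so a declaration cannot shadow &amp;, &lt;, etc.
const BUILTIN_NAMES = new Set(['amp', 'lt', 'gt', 'quot', 'apos']);
const NAME_RE = /^[A-Za-z_:][\w.:-]*$/;

function readEntitiesSafe(doctype, opts = {}) {
  const entities = [];
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    if (opts.maxEntityCount !== undefined && entities.length >= opts.maxEntityCount) {
      throw new Error('too many entities');
    }
    if (!NAME_RE.test(m[1]) || BUILTIN_NAMES.has(m[1])) {
      throw new Error(`rejected entity name ${JSON.stringify(m[1])}`);
    }
    entities.push({ name: m[1], value: m[2] });
  }
  return entities;
}

// split/join replaces literally; it also sidesteps the "$&"-style replacement patterns
// that String.prototype.replace interprets in a string replacement argument.
function expandSafe(text, entities) {
  return entities.reduce((out, e) => out.split('&' + e.name + ';').join(e.value), text);
}

// Yes/no wrapper so callers can check whether a DOCTYPE is accepted under given limits.
function acceptsDoctype(doctype, opts) {
  try { readEntitiesSafe(doctype, opts); return true; } catch (e) { return false; }
}
```

With the vulnerable reader, the harmless encoded text `&amp;` is rewritten into the attacker's entity value, which is exactly the shadowing-and-decoding path that turns into XSS once the output is rendered; with the hardened reader only a literal `&a.p;` is replaced.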