CVE-2026-25128

Name: CVE-2026-25128
Description: fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when it parses XML containing numeric character references whose code points are out of range (e.g., `�` or `�`). The parser throws an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release   Version                      Status
node-webfont (PTS)   bookworm  11.4.0+dfsg2+~cs35.7.26-7    fixed
                     trixie    11.4.0+dfsg2+~cs35.7.26-13   fixed
                     forky     11.4.0+dfsg2+~cs35.7.26-16   fixed
                     sid       11.4.0+dfsg2+~cs35.7.26-18   fixed

The information below is based on the following data on fixed versions.

Package       Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
node-webfont  source  (unstable)  (not affected)  -        -       -

Notes

- node-webfont <not-affected> (Vulnerable code not present)
  Introduced after: https://github.com/NaturalIntelligence/fast-xml-parser/commit/391f24fd954aee9452e3228b87362a3424e7b624 (v4.3.6)
  Fixed by: https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc (v5.3.4)
  node-webfont provides node-fast-xml-parser
