A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.
The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:
"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },
"num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },
The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:
[0-9]{1,7} matches up to 9,999,999[0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:
val = val.replace(entity.regex, entity.val);
This causes the RangeError to propagate uncaught, crashing the parser and any application using it.
Create a directory with these files:
poc/
├── package.json
├── server.js
package.json
{ "dependencies": { "fast-xml-parser": "^5.3.3" } }
server.js
const http = require('http');
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: true, htmlEntities: true });
http.createServer((req, res) => {
if (req.method === 'POST' && req.url === '/parse') {
let body = '';
req.on('data', c => body += c);
req.on('end', () => {
const result = parser.parse(body); // No try-catch - will crash!
res.end(JSON.stringify(result));
});
} else {
res.end('POST /parse with XML body');
}
}).listen(3000, () => console.log('http://localhost:3000'));
# Setup
npm...
5.3.4Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H