Severity
7.5
High severity
Details
- CVSS score
- 7.5
- CVSS vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Overview
About vulnerability
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g.,� or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Details
- Affected product:
- Node.js , React , astro , b4a , babel-preset-expo , bare-fs , bare-stream , bottom-tabs , cli , db0 , devtools , drawer , drizzle-orm , expo , expo-asset , expo-constants , expo-file-system , expo-image , expo-linking , expo-modules-jsi , expo-router , expo-sqlite , expo-symbols , expo-widgets , fast-xml-parser , masked-view , metro-runtime , native-stack , nitro , nuxt , op-sqlite , platform-ios , sharp , streamx , tar-fs , tar-stream , teex , text-decoder , unstorage , vector-icons , vite , vite-dev-rpc , vite-hot-client , vite-plugin-checker , vite-plugin-inspect , vite-plugin-vue , vite-plugin-vue-inspector
- Affected packages:
- fast-xml-parser (+242 more)
� or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.