CVE-2026-25128

medium

Red Hat

CVSS v3 Base Score

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Published: January 30, 2026

Last Modified: January 30, 2026

Vendor: Red Hat

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `&#9999999;` or `&#xFFFFFF;`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

CWE

CWE-248

Affected Products

Migration Toolkit for Applications 8Red Hat Advanced Cluster Security 4Red Hat Developer HubRed Hat Openshift Data Foundation 4Red Hat OpenShift GitOpsRed Hat OpenShift Virtualization 4Red Hat Satellite 6Self-service automation portal 2

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 github.com 🔗 github.com

CVE-2026-25128

Vulnerability Report

Description

CWE

Affected Products

References