NaturalIntelligence fast-xml-parser
cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*, +1 more
- >= 4.3.6, <= 5.3.3
A denial-of-service vulnerability has been identified in fast-xml-parser versions 4.3.6 through 5.3.3. The issue arises in numeric entity processing when the parser encounters a numeric character reference whose code point lies outside the valid range. This flaw causes the parser to throw an uncaught RangeError exception, crashing any application that uses it to process untrusted XML input. The vulnerability has been patched in version 5.3.4.
Exploitation of this vulnerability causes a denial-of-service condition, crashing the Node.js process and disrupting any active services. This impact is particularly significant for API servers, file processors, message queue consumers, and services that parse RSS, Atom, or SOAP/XML-RPC feeds.
The vulnerability can be reproduced by sending an XML payload containing a numeric entity with an out-of-range code point to a server that uses fast-xml-parser. The parser will throw a RangeError, which crashes the server. This can be done using a simple Node.js HTTP server that processes POST requests with XML bodies.
Users can upgrade to fast-xml-parser version 5.3.4 or later to address this vulnerability.
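For callers that cannot upgrade immediately, a pre-parse guard plus exception handling keeps a bad entity from taking the whole process down. This is an added example, not code from the advisory or the fast-xml-parser project; it assumes the failing step is a numeric reference above U+10FFFF reaching String.fromCodePoint (which throws RangeError for such values), and it takes the application's own parse function as a parameter.

```javascript
// Added example (not from the advisory or the fast-xml-parser project).
// Assumption: the crash path is a numeric character reference whose value
// exceeds U+10FFFF being passed to String.fromCodePoint, which throws
// RangeError for any code point above that limit.
const MAX_CODE_POINT = 0x10ffff;
// Matches decimal (&#1114112;) and hexadecimal (&#x110000;) references.
const NUMERIC_ENTITY = /&#(x[0-9a-f]+|[0-9]+);/gi;

// Returns every numeric entity in `xml` whose code point is outside the
// Unicode range, as { entity, codePoint } objects. Empty array = clean.
function findOutOfRangeEntities(xml) {
  const found = [];
  for (const match of xml.matchAll(NUMERIC_ENTITY)) {
    const body = match[1];
    const codePoint = /^x/i.test(body)
      ? parseInt(body.slice(1), 16)
      : parseInt(body, 10);
    if (!Number.isFinite(codePoint) || codePoint > MAX_CODE_POINT) {
      found.push({ entity: match[0], codePoint });
    }
  }
  return found;
}

// Guarded parse for untrusted input: reject known-bad entities up front
// and turn any RangeError from the parser into a handled result instead
// of an uncaught exception. `parse` is whatever the application already
// uses, e.g. (xml) => new XMLParser().parse(xml) (hypothetical wiring).
function parseUntrustedXml(xml, parse) {
  const bad = findOutOfRangeEntities(xml);
  if (bad.length > 0) {
    return { ok: false, reason: `out-of-range numeric entity ${bad[0].entity}` };
  }
  try {
    return { ok: true, value: parse(xml) };
  } catch (err) {
    if (err instanceof RangeError) {
      return { ok: false, reason: `parser RangeError: ${err.message}` };
    }
    throw err; // anything else is not this advisory's failure mode
  }
}

// Constructed sample inputs (not taken from the advisory).
const CLEAN_XML = '<note>caf&#233; &#x1F600;</note>';
const CRASH_XML = '<note>&#x110000;&#1114112;</note>';
```

Log the `reason` field and return a 4xx to the client; a rejected request is the intended outcome, not an error to retry.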