fast-xml-parser has RangeError DoS Numeric Entities Bug

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

输入验证不恰当

fast-xml-parser 安全漏洞

fast-xml-parser是Natural Intelligence开源的一个库。用于在没有基于 C/C++ 的库和回调的情况下，快速验证 XML、解析 XML 和构建 XML。 fast-xml-parser 4.3.6版本至5.3.3版本存在安全漏洞，该漏洞源于处理超出范围的数字实体时存在缺陷，可能导致应用程序崩溃。

N/A

N/A