fast-xml-parser
npm | 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting fast-xml-parser
- CVE-2023-26920 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.1.2 | 2023-12-12
fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.
- CVE-2023-34104 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.2.4 | 2023-06-06
fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing en…
- CVE-2024-41818 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.4.1 | 2024-07-29
fast-xml-parser is an open source, pure JavaScript XML parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1.
- CVE-2026-25128 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.3.4 | 2026-01-30
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity proce…
- CVE-2026-41650 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 5.7.0 | 2026-05-07
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when bu…