Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/fast-xml-parser@5.3.3
purl pkg:npm/fast-xml-parser@5.3.3
Next non-vulnerable version 5.7.0
Latest non-vulnerable version 5.7.0
Risk 4.5
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-6xft-reak-puca
Aliases:
CVE-2026-25128
GHSA-37qj-frw5-hhjh
5.3.4
Affected by 6 other vulnerabilities.
VCID-87wh-4hga-bbak
Aliases:
CVE-2026-26278
GHSA-jmr7-xgp7-cmfj
5.3.6
Affected by 4 other vulnerabilities.
VCID-8a1h-q8ck-cfbz
Aliases:
CVE-2026-25896
GHSA-m7jm-9gc2-mpf2
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
5.3.5
Affected by 5 other vulnerabilities.
VCID-9n1q-kn2a-xfca
Aliases:
CVE-2026-33036
GHSA-8gc5-j5rx-235r
5.5.6
Affected by 2 other vulnerabilities.
VCID-c46j-zfbx-eyc1
Aliases:
CVE-2026-33349
GHSA-jp2q-39xq-3w4g
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
5.5.7
Affected by 1 other vulnerability.
VCID-fbce-cxkc-3ube
Aliases:
CVE-2026-41650
GHSA-gh4j-gqv2-49f6
5.7.0
Affected by 0 other vulnerabilities.
VCID-z5yj-54hc-qyb9
Aliases:
CVE-2026-27942
GHSA-fj3w-jwp8-x2g3
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
5.3.8
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:12:02.470924+00:00 GitLab Importer Affected by VCID-fbce-cxkc-3ube https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-41650.yml 38.6.0
2026-06-12T21:33:18.491888+00:00 GitLab Importer Affected by VCID-c46j-zfbx-eyc1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33349.yml 38.6.0
2026-06-12T21:30:53.859592+00:00 GitLab Importer Affected by VCID-9n1q-kn2a-xfca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33036.yml 38.6.0
2026-06-12T21:10:47.878027+00:00 GitLab Importer Affected by VCID-z5yj-54hc-qyb9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-27942.yml 38.6.0
2026-06-12T21:01:51.058738+00:00 GitLab Importer Affected by VCID-8a1h-q8ck-cfbz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-25896.yml 38.6.0
2026-06-12T20:58:30.657646+00:00 GitLab Importer Affected by VCID-87wh-4hga-bbak https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-26278.yml 38.6.0
2026-06-12T20:53:38.179724+00:00 GitLab Importer Affected by VCID-6xft-reak-puca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-25128.yml 38.6.0
2026-06-11T20:37:43.756875+00:00 GHSA Importer Affected by VCID-6xft-reak-puca https://github.com/advisories/GHSA-37qj-frw5-hhjh 38.6.0