npm vulnerability intelligence

fast-xml-parser NPM Package
Vulnerability Check

Validate XML, Parse XML, Build XML without C/C++ based libraries


fast-xml-parser

v5.8.0 · MIT · 87,606,262 dl/wk

Advisory Breakdown

Critical 1
High 5
Moderate 3
Low 2

Severity Rating

Critical

11 advisories


Known advisories

OSV records for the npm ecosystem

GHSA-37qj-frw5-hhjh CVE-2026-25128 high
fast-xml-parser has RangeError DoS Numeric Entities Bug
Affected: >=5.0.9 <5.3.4 Fixed in: 5.3.4 Updated Feb 11, 2026

GHSA-6w63-h3fj-q4vw CVE-2023-34104 high
fast-xml-parser vulnerable to Regex Injection via Doctype Entities
Affected: >=4.1.3 <4.2.4 Fixed in: 4.2.4 Updated Mar 9, 2026

GHSA-8gc5-j5rx-235r CVE-2026-33036 high
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Affected: >=5.0.0 <5.5.6, >=4.0.0-beta.3 <4.5.5 Fixed in: 5.5.6, 4.5.5 Updated Mar 25, 2026

GHSA-fj3w-jwp8-x2g3 CVE-2026-27942 low
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Affected: >=5.0.0 <5.3.8, >=4.0.0-beta.0 <4.5.4 Fixed in: 5.3.8, 4.5.4 Updated Mar 6, 2026

GHSA-gh4j-gqv2-49f6 CVE-2026-41650 moderate
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
Affected: >=0 <5.7.0 Fixed in: 5.7.0 Updated May 8, 2026

GHSA-gpv5-7x3g-ghjv low
fast-xml-parser regex vulnerability patch could be improved from a safety perspective
Affected: >=4.2.4 <4.2.5 Fixed in: 4.2.5 Updated Jun 15, 2023

GHSA-jmr7-xgp7-cmfj CVE-2026-26278 high
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Affected: >=4.1.3 <4.5.4, >=5.0.0 <5.3.6 Fixed in: 4.5.4, 5.3.6 Updated Feb 28, 2026

GHSA-jp2q-39xq-3w4g CVE-2026-33349 moderate
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
Affected: >=4.0.0-beta.3 <4.5.5, >=5.0.0 <5.5.7 Fixed in: 4.5.5, 5.5.7 Updated Apr 8, 2026

GHSA-m7jm-9gc2-mpf2 CVE-2026-25896 critical
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Affected: >=5.0.0 <5.3.5, >=4.1.3 <4.5.4 Fixed in: 5.3.5, 4.5.4 Updated Feb 28, 2026

GHSA-mpg4-rc92-vx8v CVE-2024-41818 high
fast-xml-parser vulnerable to ReDOS at currency parsing
Affected: >=4.3.5 <4.4.1 Fixed in: 4.4.1 Updated Feb 4, 2026

GHSA-x3cc-x39p-42qx CVE-2023-26920 moderate
fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Affected: >=0 <4.1.2 Fixed in: 4.1.2 Updated Mar 16, 2026

Checked Jun 14, 2026, 10:37 PM from npm and OSV.dev

Package metadata

From the npm registry

Package name: fast-xml-parser
Ecosystem: npm
Latest version: 5.8.0
License: MIT
Weekly downloads: 87,606,262

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows
Login attempts
API traffic
