{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-30T15:14:58Z",
  "bugzilla" : {
    "description" : "fast-xml-parser: fast-xml-parser has RangeError DoS Numeric Entities Bug",
    "id" : "2435497",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2435497"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-248",
  "details" : [ "fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.", "A denial of service flaw has been discovered in the fast-xml-parser npm library. In fast-xml-parser, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input." ],
  "statement" : "The availability impact of this flaw is limited to the application which bundles the fast-xml-parser library. Red Hat host systems are not at risk of availability impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.8",
    "release_date" : "2026-04-08T00:00:00Z",
    "advisory" : "RHSA-2026:7110",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.8::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:1775594119"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security for Kubernetes 4.9",
    "release_date" : "2026-04-08T00:00:00Z",
    "advisory" : "RHSA-2026:7128",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.9::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:1775594284"
  } ],
  "package_state" : [ {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Affected",
    "package_name" : "mta/mta-ui-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-central-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Will not fix",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/ocs-client-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Affected",
    "package_name" : "odf4/odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/odf-multicluster-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Not affected",
    "package_name" : "openshift-gitops-1/gitops-operator-bundle",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite/iop-host-inventory-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite/iop-vulnerability-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-25128\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25128\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc\nhttps://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh" ],
  "name" : "CVE-2026-25128",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}