Description
Vulnerable Library - react-native-0.74.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (react-native version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2026-25896 | 9.3 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-33036 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-26278 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-25128 | 7.5 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-33349 | 5.9 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
| CVE-2026-27942 | 5.3 | fast-xml-parser-4.5.0.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-25896
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow the built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when the parsed output is rendered. This vulnerability is fixed in 5.3.5.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-02-20
URL: CVE-2026-25896
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-20
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.5
Step up your Open Source Security Game with Mend here
CVE-2026-33036
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-03-20
URL: CVE-2026-33036
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8gc5-j5rx-235r
Release Date: 2026-03-18
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.5.6
CVE-2026-26278
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it is possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, disable DOCTYPE entity processing by setting the "processEntities: false" option.
Publish Date: 2026-02-19
URL: CVE-2026-26278
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jmr7-xgp7-cmfj
Release Date: 2026-02-17
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.6
CVE-2026-25128
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
  - cli-platform-android-13.6.6.tgz
    - ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., "�" or "�"). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue.
Publish Date: 2026-01-30
URL: CVE-2026-25128
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-30
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.4
CVE-2026-33349
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
- cli-platform-android-13.6.6.tgz
- ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
- cli-platform-android-13.6.6.tgz
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Publish Date: 2026-03-24
URL: CVE-2026-33349
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jp2q-39xq-3w4g
Release Date: 2026-03-19
Fix Resolution: fast-xml-parser - 5.5.7
CVE-2026-27942
Vulnerable Library - fast-xml-parser-4.5.0.tgz
Validate XML, Parse XML, Build XML without C/C++ based libraries
Library home page: https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.5.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- react-native-0.74.1.tgz (Root Library)
- cli-platform-android-13.6.6.tgz
- ❌ fast-xml-parser-4.5.0.tgz (Vulnerable Library)
- cli-platform-android-13.6.6.tgz
Found in HEAD commit: 55eb40c7c46a260d8a90f5aa61bb37706f00eb13
Found in base branch: main
Vulnerability Details
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with "preserveOrder:true". Version 5.3.8 fixes the issue. As a workaround, use the XML builder with "preserveOrder:false" or check the input data before passing it to the builder.
Publish Date: 2026-02-26
URL: CVE-2026-27942
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-26
Fix Resolution: https://github.com/NaturalIntelligence/fast-xml-parser.git - v5.3.8, fast-xml-parser - 5.3.8