GHSA-37qj-frw5-hhjh has incorrect version range

[kroleg]

fromCodePoint (mentioned in vuln description) introduced in: 5b6000a4 — PR #726, changed fromCharCode → fromCodePoint (Feb 26, 2025)

Version before still uses fromCharCode (which i assume is not affected): https://github.com/NaturalIntelligence/fast-xml-parser/blob/v5.0.8/src/xmlparser/OrderedObjParser.js

String.fromCharCode() — wraps silently, no crash possible

So first vulnerable release is actually 5.0.9 https://github.com/NaturalIntelligence/fast-xml-parser/blob/v5.0.9/src/xmlparser/OrderedObjParser.js

[github-actions]

We're glad you find this project helpful. We'll try to address this issue ASAP. You can vist https://solothought.com to know recent features. Don't forget to star this repo.

[kroleg]

reproduction repo https://github.com/kroleg/poc-ghsa-37qj-frw5-hhjh

[amitguptagwl]

Thanks for highlighting that. I completely missed it. Advisory is updated with the correct version range now.