CVE-2026-33349

Published Mar 24, 2026

Last updated a month ago

CVSS medium 5.9

Overview

Description: fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Source: security-advisories@github.com
NVD status: Analyzed
Products: fast-xml-parser

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.9
Impact score: 3.6
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-1284

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "A781B124-CD04-4153-A726-B3A19A51DA7D",
            "versionEndExcluding": "4.5.5",
            "versionStartIncluding": "4.0.1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E6A6A49B-279E-44B2-9936-F04662193F43",
            "versionEndExcluding": "5.5.7",
            "versionStartIncluding": "5.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*",
            "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*",
            "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*",
            "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*",
            "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*",
            "matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*",
            "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*",
            "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References