CVE-2026-33349

Exploit

EPSS 0.45%
Veröffentlicht 24.03.2026 19:35:47
Zuletzt bearbeitet 26.03.2026 13:01:52
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 9 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Naturalintelligence ≫ Fast-xml-parser Version >= 4.0.1 < 4.5.5

Naturalintelligence ≫ Fast-xml-parser Version >= 5.0.0 < 5.5.7

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Update-

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta3

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta4

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta5

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta6

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta7

Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta8

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.356

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1284 Improper Validation of Specified Quantity in Input

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g

Vendor Advisory

Exploit

Mitigation

https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33349

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33349

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33349

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33349