5.9
CVE-2026-33349
- EPSS 0.03%
- Veröffentlicht 24.03.2026 19:35:47
- Zuletzt bearbeitet 26.03.2026 13:01:52
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Naturalintelligence ≫ Fast-xml-parser Version >= 4.0.1 < 4.5.5
Naturalintelligence ≫ Fast-xml-parser Version >= 5.0.0 < 5.5.7
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Update-
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta3
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta4
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta5
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta6
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta7
Naturalintelligence ≫ Fast-xml-parser Version4.0.0 Updatebeta8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.088 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-1284 Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.