CVE-2026-33349

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7	Patch
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g	Exploit Mitigation Vendor Advisory
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:naturalintelligence:fast-xml-parser::::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser::::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8::::::

History

No history.

Information

Published : 2026-03-24 20:16

Updated : 2026-03-26 13:01

NVD link : CVE-2026-33349

Mitre link : CVE-2026-33349

CVE.ORG link : CVE-2026-33349

JSON object : View

Products Affected

naturalintelligence

fast-xml-parser

CWE

CWE-1284

Improper Validation of Specified Quantity in Input

{"id": "CVE-2026-33349", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2026-03-24T20:16:29.407", "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1284"}]}], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 \u2014 intending to disallow all entities or restrict entity size to zero bytes \u2014 the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7."}, {"lang": "es", "value": "fast-xml-parser permite a los usuarios procesar XML desde un objeto JS sin bibliotecas basadas en C/C++ o callbacks. Desde la versi\u00f3n 4.0.0-beta.3 hasta antes de la versi\u00f3n 5.5.7, el DocTypeReader en fast-xml-parser utiliza comprobaciones de veracidad (truthy checks) de JavaScript para evaluar los l\u00edmites de configuraci\u00f3n maxEntityCount y maxEntitySize. Cuando un desarrollador establece expl\u00edcitamente cualquiera de los l\u00edmites en 0 \u2014con la intenci\u00f3n de no permitir ninguna entidad o restringir el tama\u00f1o de la entidad a cero bytes\u2014 la naturaleza 'falsy' de 0 en JavaScript hace que las condiciones de guardia se cortocircuiten, omitiendo completamente los l\u00edmites. Un atacante que pueda proporcionar entrada XML a dicha aplicaci\u00f3n puede desencadenar una expansi\u00f3n de entidad ilimitada, lo que lleva al agotamiento de la memoria y a la denegaci\u00f3n de servicio. Este problema ha sido parcheado en la versi\u00f3n 5.5.7."}], "lastModified": "2026-03-26T13:01:52.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A781B124-CD04-4153-A726-B3A19A51DA7D", "versionEndExcluding": "4.5.5", "versionStartIncluding": "4.0.1"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6A6A49B-279E-44B2-9936-F04662193F43", "versionEndExcluding": "5.5.7", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098"}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}