CVE-2026-33349
March 24, 2026
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Affected Packages
fast-xml-parser (NPM):
Affected version(s) >=4.0.0-beta.3 <5.5.7Fix Suggestion:
Update to version 5.5.7fast-xml-parser (NPM):
Affected version(s) >=4.0.0-beta.3 <5.5.7Fix Suggestion:
Update to version 5.5.7fast-xml-parser (NPM):
Affected version(s) >=4.0.0-beta.3 <5.5.7Fix Suggestion:
Update to version 5.5.7fast-xml-parser (NPM):
Affected version(s) >=4.0.0-beta.3 <5.5.7Fix Suggestion:
Update to version 5.5.7fast-xml-parser (NPM):
Affected version(s) >=4.0.0-beta.3 <5.5.7Fix Suggestion:
Update to version 5.5.7Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Validation of Specified Quantity in Input
EPSS
Base Score:
0.02
