FKIE_CVE-2026-33036
Vulnerability from fkie_nvd - Published: 2026-03-20 06:16 - Updated: 2026-03-23 16:28
Summary
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| naturalintelligence | fast-xml-parser | * | >= 4.0.1, < 5.5.6 |
| naturalintelligence | fast-xml-parser | 4.0.0 | - |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta3 |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta4 |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta5 |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta6 |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta7 |
| naturalintelligence | fast-xml-parser | 4.0.0 | beta8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB9177BC-BACD-4367-9063-398ACE2AB4A7",
"versionEndExcluding": "5.5.6",
"versionStartIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."
},
{
"lang": "es",
"value": "fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (\u0026amp;#NNN;, \u0026amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6."
}
],
"id": "CVE-2026-33036",
"lastModified": "2026-03-23T16:28:10.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-20T06:16:11.630",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-776"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}