CVE-2026-26278
XML Entity Expansion Vulnerability in fast-xml-parser Causes Denial of Service

Publication date: 2026-02-19

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and without callbacks. In versions 4.1.3 through 5.3.5, the XML parser can be forced to perform an unlimited amount of entity expansion. With a very small XML input, it is possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid DOCTYPE entity processing by setting the `processEntities: false` option.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: naturalintelligence
Product: fast-xml-parser
Version / Range: from 4.1.3 (inclusive) to 5.3.6 (exclusive)
CWE
CWE-776: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade fast-xml-parser to version 5.3.6 or later, where the issue is fixed.

As a workaround, avoid using DOCTYPE parsing by setting the option `processEntities: false` in your XML parser configuration.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


Can you explain this vulnerability to me?

The vulnerability exists in the fast-xml-parser library versions 4.1.3 through 5.3.5. It allows an attacker to force the XML parser to perform an unlimited amount of entity expansion. This means that with a very small XML input, the parser can be made to spend an excessive amount of time processing a single request, potentially freezing the application.

This happens because the parser does not properly limit entity expansion, leading to a denial of service condition. The issue is fixed in version 5.3.6, and a workaround is to disable DOCTYPE parsing by setting the option `processEntities: false`.


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service (DoS) condition. An attacker can send a specially crafted XML input that forces the parser to perform excessive entity expansions, causing the application to freeze or become unresponsive for seconds or even minutes.

This can lead to service outages, degraded performance, and potentially impact availability of your application or service that uses the fast-xml-parser library.
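The two practical points on this page are the affected version range (4.1.3 inclusive to 5.3.6 exclusive) and the `processEntities: false` workaround. The following is an added example, not code from fast-xml-parser or from this advisory, showing how a defender can (a) check whether a pinned dependency version falls in the affected range and (b) apply a pre-parse guard that refuses documents carrying DOCTYPE or entity declarations before they reach the parser, for services that cannot upgrade immediately. The helper names (`isAffectedVersion`, `checkXmlForEntities`, `SAFE_PARSER_OPTIONS`) and the two sample documents are constructed for this example; the only fast-xml-parser API it relies on is the `processEntities` option named in the advisory.

```javascript
// Added example (not fast-xml-parser's own code) for CVE-2026-26278.
// Assumptions: versions are MAJOR.MINOR.PATCH strings, and the affected range is the
// one stated in the advisory: 4.1.3 (inclusive) up to 5.3.6 (exclusive).

// Options to hand to the library's parser, e.g. `new XMLParser(SAFE_PARSER_OPTIONS)`.
// processEntities: false is the advisory's workaround: DOCTYPE-declared entities are
// not expanded, so a small input can no longer blow up into unbounded work.
const SAFE_PARSER_OPTIONS = Object.freeze({ processEntities: false });

const AFFECTED_FROM = [4, 1, 3]; // inclusive
const FIXED_IN = [5, 3, 6];      // exclusive

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when an installed fast-xml-parser version lies in the affected range.
// Feed it the "version" field from node_modules/fast-xml-parser/package.json.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Defence in depth: a document that declares entities has no business reaching a
// parser in a service that never expects a DTD. CDATA sections and comments are
// blanked out first so a literal "<!DOCTYPE" inside them does not trip the check
// (simplification: nested or malformed markers are not handled specially).
function checkXmlForEntities(xml) {
  const stripped = String(xml)
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '')
    .replace(/<!--[\s\S]*?-->/g, '');
  const m = /<!(DOCTYPE|ENTITY)\b/i.exec(stripped);
  if (m) {
    return { safe: false, reason: `${m[1].toUpperCase()} declaration present` };
  }
  return { safe: true, reason: null };
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_BENIGN =
  '<?xml version="1.0"?><order><id>42</id>' +
  '<note><![CDATA[<!DOCTYPE text inside cdata is data, not markup>]]></note></order>';
const SAMPLE_WITH_DOCTYPE =
  '<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY greeting "hello"> ]>' +
  '<order>&greeting;</order>';

// Summary of both checks for a handful of versions and the two sample documents.
function demo() {
  return {
    versions: Object.fromEntries(
      ['4.1.2', '4.1.3', '5.3.5', '5.3.6'].map((v) => [v, isAffectedVersion(v)])
    ),
    benign: checkXmlForEntities(SAMPLE_BENIGN),
    withDoctype: checkXmlForEntities(SAMPLE_WITH_DOCTYPE),
    parserOptions: SAFE_PARSER_OPTIONS,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run the guard on request bodies before they are passed to `XMLParser.parse`; it is cheap (two regex passes) and gives a clear rejection reason to log. The version check is what you would wire into a dependency audit so that lockfiles pinning 4.1.3 through 5.3.5 are flagged until they move to 5.3.6 or later.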

