CVE-2026-27942
Received Received - Intake
Stack Overflow in fast-xml-parser XML Builder with preserveOrder

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27942
EUVD
EUVD-2026-8811
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
naturalintelligence fast-xml-parser to 4.5.4 (exc)
naturalintelligence fast-xml-parser From 5.0.0 (inc) to 5.3.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27942 is a vulnerability in the fast-xml-parser library's XML builder component when the option `preserveOrder` is set to true. The issue occurs because the internal function `arrToStr` incorrectly assumes that certain input values are always arrays. When a non-array value, such as a string, is passed, the function recursively processes each character of the string, causing infinite recursion and ultimately a stack overflow that crashes the application."}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 5.3.8 by adding a check to determine if the input is an array. If it is not, the input is treated as text content rather than recursively processed. This prevents the stack overflow and ensures the XML builder can safely handle non-array child values when `preserveOrder` is true.'}] [1, 2, 3]

Impact Analysis

This vulnerability can cause applications using fast-xml-parser with the XML builder and `preserveOrder:true` to crash due to a stack overflow. This results in a denial-of-service condition where the application becomes unresponsive or terminates unexpectedly when processing certain XML inputs.

The impact is limited to application stability and availability, as the crash interrupts normal operation. There is no indication of data corruption or unauthorized access from this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as an application crash due to a stack overflow when using the fast-xml-parser XML builder with the option `preserveOrder:true` on certain inputs. Detection involves checking if your application uses fast-xml-parser versions up to 5.3.6 with `preserveOrder:true` enabled in XML building.

You can detect the vulnerability by verifying the fast-xml-parser version in your environment and testing XML building with `preserveOrder:true` using inputs that include non-array child values, such as strings.

Suggested commands include:

  • Check the installed fast-xml-parser version (for example, in a Node.js project): `npm list fast-xml-parser`
  • Run a test script that builds XML with `preserveOrder:true` and input containing non-array child values to see if a stack overflow or crash occurs.
  • Monitor application logs for stack overflow errors or crashes related to XML building.
Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the fast-xml-parser library to version 5.3.8 or later, where the issue is fixed.

As a workaround, you can set the XML builder option `preserveOrder` to false to avoid triggering the vulnerable code path.

Additionally, validate input data before passing it to the XML builder to ensure that child values are arrays when `preserveOrder:true` is used.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart