CVE-2026-27942
Stack Overflow in fast-xml-parser XML Builder with preserveOrder
Publication date: 2026-02-26
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| naturalintelligence | fast-xml-parser | Up to 4.5.4 (exc) |
| naturalintelligence | fast-xml-parser | From 5.0.0 (inc) to 5.3.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27942 is a vulnerability in the fast-xml-parser library's XML builder component when the option `preserveOrder` is set to true. The issue occurs because the internal function `arrToStr` incorrectly assumes that certain input values are always arrays. When a non-array value, such as a string, is passed, the function recursively processes each character of the string, causing infinite recursion and ultimately a stack overflow that crashes the application.

The vulnerability was fixed in version 5.3.8 by adding a check to determine if the input is an array. If it is not, the input is treated as text content rather than recursively processed. This prevents the stack overflow and ensures the XML builder can safely handle non-array child values when `preserveOrder` is true. [1, 2, 3]
How can this vulnerability impact me?:
This vulnerability can cause applications using fast-xml-parser with the XML builder and `preserveOrder:true` to crash due to a stack overflow. This results in a denial-of-service condition where the application becomes unresponsive or terminates unexpectedly when processing certain XML inputs.
The impact is limited to application stability and availability, as the crash interrupts normal operation. There is no indication of data corruption or unauthorized access from this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as an application crash due to a stack overflow when using the fast-xml-parser XML builder with the option `preserveOrder:true` on certain inputs. Detection involves checking if your application uses fast-xml-parser versions up to 5.3.6 with `preserveOrder:true` enabled in XML building.
You can detect the vulnerability by verifying the fast-xml-parser version in your environment and testing XML building with `preserveOrder:true` using inputs that include non-array child values, such as strings.
Suggested commands include:
- Check the installed fast-xml-parser version (for example, in a Node.js project): `npm list fast-xml-parser`
- Run a test script that builds XML with `preserveOrder:true` and input containing non-array child values to see if a stack overflow or crash occurs.
- Monitor application logs for stack overflow errors or crashes related to XML building.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the fast-xml-parser library to version 5.3.8 or later, where the issue is fixed.
As a workaround, you can set the XML builder option `preserveOrder` to false to avoid triggering the vulnerable code path.
Additionally, validate input data before passing it to the XML builder to ensure that child values are arrays when `preserveOrder:true` is used.
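The two defensive measures described above (the `Array.isArray` guard the fix adds, and validating the tree before handing it to the builder) as an added illustration; this is not fast-xml-parser's own code. The tree shape is a simplified stand-in for the `preserveOrder` output (an array of `{ tagName: childArray }` nodes with `{ "#text": ... }` for text, attributes omitted), and the function names are assumptions.

```javascript
// Added illustration, not fast-xml-parser's own code. Node shape is a
// simplified model of the preserveOrder output: [ { tag: [children] } ]
// with text carried as { "#text": "..." }. Attributes are omitted.

const TEXT_KEY = "#text";

function escapeXml(s) {
  return String(s).replace(/[<>&]/g, (c) => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;" }[c]));
}

// Hardened serializer: the Array.isArray guard is the kind of check the fix
// adds. A non-array child (e.g. a bare string) is emitted as text instead of
// being indexed character by character, which is what recursed without end.
function arrToStrSafe(children) {
  if (!Array.isArray(children)) {
    return escapeXml(children);
  }
  let out = "";
  for (const node of children) {
    if (node === null || typeof node !== "object") {
      out += escapeXml(node); // stray scalar inside the array: treat as text
      continue;
    }
    for (const key of Object.keys(node)) {
      if (key === TEXT_KEY) {
        out += escapeXml(node[key]);
      } else {
        out += `<${key}>${arrToStrSafe(node[key])}</${key}>`;
      }
    }
  }
  return out;
}

// Pre-build validation (the workaround the advisory suggests): walk the tree
// and return the path of every element whose children are not an array, so a
// caller still on an unfixed version can reject the input up front.
function findNonArrayChildren(children, path = "$", found = []) {
  if (!Array.isArray(children)) {
    found.push(path);
    return found;
  }
  children.forEach((node, i) => {
    if (node === null || typeof node !== "object") return;
    for (const key of Object.keys(node)) {
      if (key !== TEXT_KEY) findNonArrayChildren(node[key], `${path}[${i}].${key}`, found);
    }
  });
  return found;
}

// Constructed sample: <b> carries a bare string instead of [{ "#text": ... }].
const sample = [{ root: [{ a: [{ [TEXT_KEY]: "ok" }] }, { b: "not an array" }] }];
```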