Executive Summary

CVE-2026-33036 is a vulnerability in the fast-xml-parser library (versions 4.0.0-beta.3 through 5.5.5) that allows attackers to bypass configured XML entity expansion limits. The parser enforces limits on entity expansions defined in the DOCTYPE section of XML documents to prevent denial of service (DoS) attacks. However, numeric character references (like &#NNN; and &#xHH;) and standard XML entities are processed separately without any expansion counting or limits.

Because of this, an attacker can craft XML input containing very large numbers of numeric entity references that bypass these protections, causing excessive memory allocation and CPU usage. For example, 1 million numeric entity references can consume about 147 MB of memory and cause heavy CPU load, potentially crashing the process.

The root cause is that the function handling numeric and standard entities does not track or limit expansions, unlike the function handling DOCTYPE entities. This incomplete fix of a previous vulnerability (CVE-2026-26278) allows denial of service via XML entity expansion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service (DoS) attack against applications using the affected versions of fast-xml-parser. An attacker can supply XML input with a large number of numeric entity references that bypass configured expansion limits, causing the parser to consume excessive memory and CPU resources.

The impact includes high memory consumption (e.g., ~147 MB for 1 million numeric entities), heavy CPU usage during entity replacement, and potential process crashes due to out-of-memory conditions. This can make the application unresponsive or unavailable.

Developers may mistakenly believe their configured entity expansion limits protect against such attacks, but numeric entities bypass these protections silently, increasing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU and memory usage during XML parsing operations involving the fast-xml-parser library, especially when processing XML inputs containing large numbers of numeric character references (e.g., A).

A practical detection method is to test the XML parser with crafted XML inputs containing many numeric entity references to see if the parser exceeds configured entity expansion limits or crashes.

For example, you can run a test script or command that parses XML with a large number of numeric entities (e.g., 100,000 or 1 million A references) and observe resource consumption or errors.

• Use monitoring tools like top, htop, or task manager to observe CPU and memory spikes during XML parsing.
• Run a test with XML input containing many numeric entities, such as a file with repeated A numeric references, and parse it using fast-xml-parser to check for crashes or excessive resource use.
• Check logs or error messages for entity expansion limit exceeded errors if the parser has been updated to enforce limits.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the fast-xml-parser library to version 5.5.6 or later, where this vulnerability has been fixed by enforcing entity expansion limits on numeric and standard XML entities.

As a temporary workaround before upgrading, you can disable processing of HTML entities by setting the parser option htmlEntities to false, which mitigates the issue by preventing expansion of these entities.

Additionally, ensure that your XML inputs are validated and sanitized to avoid processing untrusted or malicious XML content containing excessive numeric entity references.

Useful 0 Not Useful 0