CVE-2026-33349
Status: Received - Intake
Unrestricted XML Entity Expansion in fast-xml-parser Causes DoS

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
fast-xml-parser is a JavaScript library that parses XML into JS objects (and back) without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate the maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0, intending to disallow all entities or to restrict entity size to zero bytes, the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit and the limits are bypassed completely; the most restrictive setting a developer can choose is therefore the one that disables the protection. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
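The following is an added illustration, not fast-xml-parser's own code: a minimal reader for the internal DTD subset that counts <!ENTITY> declarations and applies the two limits named in the description, first with the truthy-style guard the advisory describes and then with an explicit numeric check. The option names maxEntityCount and maxEntitySize come from the advisory; the function names, the default limit values and the sample DOCTYPE are assumptions made for this example. expandedLengths shows why the missing guard matters: four small declarations expand to thousands of bytes, and each extra nesting level multiplies the size by ten.

```javascript
// Constructed sample input (billion-laughs style): 4 entity declarations,
// each referencing the previous one 10 times. Not taken from the advisory.
const SAMPLE_XML = `<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>`;

// Collect general (non-parameter) entity declarations from the internal subset.
function readEntities(xml) {
  const entities = [];
  const re = /<!ENTITY\s+([^\s%]+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) entities.push({ name: m[1], value: m[2] });
  return entities;
}

// Vulnerable guard, in the shape the advisory describes: `limit && cond`
// is skipped entirely when limit is 0, so the strictest setting enforces nothing.
function vulnerableCheck(xml, { maxEntityCount, maxEntitySize }) {
  const entities = readEntities(xml);
  if (maxEntityCount && entities.length > maxEntityCount) throw new Error("too many entities");
  for (const e of entities) {
    if (maxEntitySize && e.value.length > maxEntitySize) throw new Error("entity too large");
  }
  return entities.length; // number of entities accepted
}

// Hardened guard: validate the option as a non-negative integer (assumed
// defaults are used only when the option is absent) and compare unconditionally,
// so 0 really means "no entities" / "zero bytes".
function toLimit(name, v, dflt) {
  if (v === undefined) return dflt;
  if (typeof v !== "number" || !Number.isInteger(v) || v < 0) {
    throw new TypeError(`${name} must be a non-negative integer`);
  }
  return v;
}
function hardenedCheck(xml, opts = {}) {
  const maxEntityCount = toLimit("maxEntityCount", opts.maxEntityCount, 100);
  const maxEntitySize = toLimit("maxEntitySize", opts.maxEntitySize, 10000);
  const entities = readEntities(xml);
  if (entities.length > maxEntityCount) throw new Error("too many entities");
  for (const e of entities) {
    if (e.value.length > maxEntitySize) throw new Error("entity too large");
  }
  return entities.length;
}

// Fully expanded length of each entity (references resolved in declaration order),
// i.e. how much memory a naive expander would allocate per reference.
function expandedLengths(entities) {
  const sizes = new Map();
  for (const e of entities) {
    let len = 0;
    const re = /&([^;]+);|([^&]+)/g;
    let m;
    while ((m = re.exec(e.value)) !== null) {
      if (m[1] !== undefined) len += sizes.get(m[1]) ?? m[0].length; // unknown refs stay literal
      else len += m[2].length;
    }
    sizes.set(e.name, len);
  }
  return sizes;
}

// Stand-alone demo: limit 0 is ignored by the vulnerable guard, enforced by the hardened one.
console.log("vulnerable, limit 0 accepted entities:", vulnerableCheck(SAMPLE_XML, { maxEntityCount: 0, maxEntitySize: 0 }));
try { hardenedCheck(SAMPLE_XML, { maxEntityCount: 0 }); } catch (e) { console.log("hardened, limit 0:", e.message); }
console.log("expanded bytes for lol3:", expandedLengths(readEntities(SAMPLE_XML)).get("lol3"));
```

The declared values here are at most 60 bytes each, so a size limit alone does not catch the attack; the count limit (or rejecting the DOCTYPE outright) is what bounds the expansion, which is exactly the limit the falsy 0 switches off.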
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products (9 associated CPEs)
Vendor: naturalintelligence
Product: fast-xml-parser
Affected versions / ranges:
- 4.0.0 (7 CPE entries; the description gives 4.0.0-beta.3 as the earliest affected version)
- From 4.0.1 (inclusive) to 4.5.5 (exclusive)
- From 5.0.0 (inclusive) to 5.5.7 (exclusive)
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in fast-xml-parser versions from 4.0.0-beta.3 to before 5.5.7. It involves the DocTypeReader component, which uses JavaScript truthy checks to enforce the maxEntityCount and maxEntitySize limits. If a developer sets either limit to 0 to disallow entities or to restrict their size to zero bytes, the falsy evaluation of 0 in JavaScript causes the guard to be skipped, so the limit is bypassed entirely. The bypass only applies when a limit is explicitly set to 0; a positive value is truthy and is enforced.

As a result, an attacker who can supply XML input to an application using these versions, with such a configuration, can trigger unbounded entity expansion. This leads to memory exhaustion and causes a denial of service condition.

This issue was fixed in version 5.5.7 of fast-xml-parser.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on your application. Specifically, by sending crafted XML input, the attacker can trigger unbounded entity expansion, which exhausts memory resources.

The denial of service can make your application unavailable or unstable, potentially disrupting normal operations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the fast-xml-parser package to version 5.5.7 or later, where the issue has been patched. The CPE data on this page lists the 4.x line as affected only up to 4.5.5 (exclusive), but the advisory text names only 5.5.7 as the patched version; if you must stay on 4.x, verify against the upstream advisory before relying on a 4.x release.

Until the upgrade is in place, do not set maxEntityCount or maxEntitySize to 0, since that bypasses the intended protections against unbounded entity expansion; a positive value is evaluated as truthy and is enforced. If you need to refuse entities entirely, do so before parsing, for example by rejecting any input that contains a DOCTYPE declaration.
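As an added example for both the detection question above and the mitigation step, and not part of this advisory: a plain Node script that scans an npm lockfile (lockfileVersion 2 or 3 "packages" map) for every installed copy of fast-xml-parser, including nested copies under other packages, and flags versions inside the affected ranges. The ranges combine the description (from 4.0.0-beta.3) with the CPE ranges on this page (4.x below 4.5.5, 5.x below 5.5.7); the sample lockfile is constructed for the example, and no third-party semver library is used so it runs offline.

```javascript
// Constructed sample lockfile (not a real project): one direct dependency and
// two nested copies pulled in by other packages.
const SAMPLE_LOCK = {
  name: "demo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "fast-xml-parser": "^5.0.0" } },
    "node_modules/fast-xml-parser": { version: "5.5.6" },
    "node_modules/some-sdk/node_modules/fast-xml-parser": { version: "4.5.5" },
    "node_modules/other/node_modules/fast-xml-parser": { version: "4.0.0-beta.2" },
  },
};

// Affected ranges as [lower inclusive, upper exclusive], from this page.
const AFFECTED = [
  ["4.0.0-beta.3", "4.5.5"],
  ["5.0.0", "5.5.7"],
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (build metadata, if any, is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Semver precedence: numeric triple first; a release sorts above any of its
// pre-releases; pre-release identifiers compare numerically when both are
// digits, otherwise lexically, and a shorter identifier list sorts lower.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;
    if (b.pre[i] === undefined) return 1;
    const an = /^\d+$/.test(a.pre[i]);
    const bn = /^\d+$/.test(b.pre[i]);
    if (an && bn) {
      const d = Number(a.pre[i]) - Number(b.pre[i]);
      if (d !== 0) return d;
    } else if (an) return -1;
    else if (bn) return 1;
    else if (a.pre[i] !== b.pre[i]) return a.pre[i] < b.pre[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED.some(([lo, hi]) => cmp(v, parseVersion(lo)) >= 0 && cmp(v, parseVersion(hi)) < 0);
}

// Every key ending in node_modules/fast-xml-parser is an installed copy,
// whether top-level or nested under another package.
function scanLock(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/fast-xml-parser"))
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

function scanLockFile(file) {
  const fs = require("fs");
  return scanLock(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Usage: node scan.js [path/to/package-lock.json]; without an argument the sample is scanned.
const results = process.argv[2] ? scanLockFile(process.argv[2]) : scanLock(SAMPLE_LOCK);
for (const r of results) {
  console.log(`${r.affected ? "AFFECTED" : "ok      "} ${r.version.padEnd(12)} ${r.path}`);
}
```

A lockfile scan only tells you which versions are installed; whether an installation is actually exploitable also depends on the application passing attacker-controlled XML to the parser with a limit set to 0, so treat a hit as a reason to upgrade, not as proof of exposure.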

