CVE-2026-33349
Status: Received - Intake
Unrestricted XML Entity Expansion in fast-xml-parser Causes DoS

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate the maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 (intending to disallow all entities or to restrict entity size to zero bytes), the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
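The guard logic described above, as an added example that is not fast-xml-parser's own code: a minimal, hypothetical DOCTYPE entity reader (readEntities, expand, parseWith and the sample document are all constructed for this page) that enforces maxEntityCount and maxEntitySize first the way the advisory describes (a JavaScript truthiness check, exceedsTruthy) and then with an explicit numeric comparison (exceedsStrict). With both limits set to 0, the truthy version accepts every entity declaration and the nested references blow past the expansion budget, which stands in for memory exhaustion; the strict version rejects the first declaration.

```javascript
// Added illustration of the truthy-check flaw described in CVE-2026-33349.
// This is NOT fast-xml-parser's code: readEntities/expand/parseWith and the
// sample document are constructed for this page to reproduce the described
// guard logic, not the library's parser.

const ENTITY_RE = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/g;

// Guard as the advisory describes it: `limit && value > limit`.
// When limit === 0 the left operand is falsy, the comparison never runs,
// and a limit of 0 behaves like "no limit".
function exceedsTruthy(limit, value) {
  return Boolean(limit && value > limit);
}

// Hardened guard: if a number was configured, enforce it, 0 included.
function exceedsStrict(limit, value) {
  return typeof limit === 'number' && value > limit;
}

// Collect internal entity declarations from a DOCTYPE, applying
// maxEntityCount and maxEntitySize with the supplied guard.
function readEntities(xml, options, exceeds) {
  const { maxEntityCount, maxEntitySize } = options;
  const entities = new Map();
  let count = 0;
  for (const [, name, value] of xml.matchAll(ENTITY_RE)) {
    count += 1;
    if (exceeds(maxEntityCount, count)) {
      throw new Error(`entity count ${count} exceeds maxEntityCount=${maxEntityCount}`);
    }
    if (exceeds(maxEntitySize, value.length)) {
      throw new Error(`entity "${name}" (${value.length} bytes) exceeds maxEntitySize=${maxEntitySize}`);
    }
    entities.set(name, value);
  }
  return entities;
}

// Expand &name; references iteratively (entities may reference entities).
// `budget` caps the expanded size and stands in for the process running
// out of memory; a real parser has no such cap unless it enforces one.
function expand(body, entities, budget) {
  let out = body;
  let changed = true;
  while (changed) {
    changed = false;
    out = out.replace(/&(\w+);/g, (ref, name) => {
      if (!entities.has(name)) return ref;
      changed = true;
      return entities.get(name);
    });
    if (out.length > budget) throw new Error(`expanded size ${out.length} exceeds budget ${budget}`);
  }
  return out;
}

// Constructed sample: a small nested-entity ("billion laughs" style) document.
const SAMPLE_XML = `<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>`;

// Run the sample through DOCTYPE handling and expansion, reporting where
// (if anywhere) it was stopped: 'doctype', 'expansion' or 'ok'.
function parseWith(exceeds, options, budget = 1024) {
  let entities;
  try {
    entities = readEntities(SAMPLE_XML, options, exceeds);
  } catch (e) {
    return { stage: 'doctype', detail: e.message };
  }
  const body = SAMPLE_XML.slice(SAMPLE_XML.indexOf('<lolz>'));
  try {
    const expanded = expand(body, entities, budget);
    return { stage: 'ok', length: expanded.length };
  } catch (e) {
    return { stage: 'expansion', detail: e.message };
  }
}

// Both limits explicitly set to 0, as the advisory describes:
console.log('truthy guard:', parseWith(exceedsTruthy, { maxEntityCount: 0, maxEntitySize: 0 }));
console.log('strict guard:', parseWith(exceedsStrict, { maxEntityCount: 0, maxEntitySize: 0 }));
```

With the truthy guard and a limit of 0 the document is stopped only by the expansion budget, which is the memory-exhaustion path; with the strict guard it is rejected at the first ENTITY declaration. A positive limit such as maxEntityCount: 2 is enforced by both guards, which is why the bug only surfaces for developers who chose 0 to mean "none allowed".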
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-03-24
EPSS evaluated: 2026-06-15
Affected Vendors & Products
Showing 9 associated CPEs
Vendor: naturalintelligence
Product: fast-xml-parser
Version / Range:
  4.0.0 (seven CPE entries, all rendered here as 4.0.0; per the description the affected pre-releases start at 4.0.0-beta.3)
  From 4.0.1 (inc) to 4.5.5 (exc)
  From 5.0.0 (inc) to 5.5.7 (exc)
Note: the 4.x range ends at 4.5.5 while the description names 5.5.7 as the patched version; confirm against the upstream advisory before treating any 4.x release as fixed.
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Executive Summary

The vulnerability exists in fast-xml-parser versions from 4.0.0-beta.3 to before 5.5.7. It involves the DocTypeReader component, which uses JavaScript truthy checks to enforce limits on maxEntityCount and maxEntitySize. If a developer sets these limits to 0 to disallow entities or restrict their size, the JavaScript falsy evaluation causes these limits to be bypassed entirely.

As a result, an attacker who can supply XML input to an application using these versions can trigger unbounded entity expansion. This leads to memory exhaustion and causes a denial of service condition.

This issue was fixed in version 5.5.7 of fast-xml-parser.

Impact Analysis

This vulnerability allows an attacker to cause a denial of service (DoS) against your application, but only under a specific configuration: the application must run an affected version and must explicitly set maxEntityCount or maxEntitySize to 0. In that case the guard is skipped entirely, so XML input carrying a DOCTYPE with nested entity declarations is expanded without bound and exhausts process memory. Deployments that leave the limits at their defaults or set them to a positive value are not affected by this bypass.

The resulting memory exhaustion crashes or stalls the parsing process, making the application unavailable or unstable and disrupting normal operations until it is restarted.

Detection Guidance

Start with inventory: list every copy of fast-xml-parser in dependency lockfiles, including transitive copies nested under other packages, and compare each version against the affected ranges above (4.0.0-beta.3 and later, below 5.5.7). Then search application source for parser options that set maxEntityCount or maxEntitySize to 0; only those configurations trigger the bypass, so an affected version with default or positive limits is not exposed through this issue. At runtime the symptom is a Node.js process whose heap grows sharply while handling a request whose XML body contains a DOCTYPE with internal ENTITY declarations, ending in an out-of-memory crash or restart. Alert on heap growth or parse latency that correlates with DOCTYPE-bearing XML requests, and retain the offending request bodies for analysis.

Mitigation Strategies

Upgrade fast-xml-parser to version 5.5.7 or later, where the issue has been patched. The CPE table above lists a separate 4.x range ending at 4.5.5; confirm against the upstream advisory before treating any 4.x release as fixed.

On affected versions that cannot be upgraded yet, do not set maxEntityCount or maxEntitySize to 0: the truthy check treats 0 as "unset", so a zero limit disables the protection instead of tightening it. Disable entity processing outright (the parser's processEntities option) or set an explicit positive limit sized for legitimate documents, and keep a request body size limit in front of the parser so a single document cannot carry an unbounded DOCTYPE.
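A triage check covering the detection and mitigation points above, as an added example that is not part of the original page or of fast-xml-parser: it flags installed versions inside the affected ranges taken from this page's CPE table and searches source for a zero maxEntityCount or maxEntitySize. Assumptions: the lockfile is package-lock.json v2/v3 (a packages map keyed by path), the option names appear as object-literal keys in source, and every 4.0.0 pre-release tag is flagged because the page lists those CPEs only as 4.0.0. SAMPLE_LOCK and SAMPLE_SOURCE are constructed inputs.

```javascript
// Added triage helper for CVE-2026-33349; not part of fast-xml-parser.
// Answers two questions from local artifacts: (1) is an installed
// fast-xml-parser version inside an affected range from this page's CPE
// table, and (2) does application source configure maxEntityCount or
// maxEntitySize as 0, the setting the truthy check ignores.

// Affected ranges as listed on this page (inclusive lower, exclusive upper).
const AFFECTED_RANGES = [
  { from: [4, 0, 1], to: [4, 5, 5] },
  { from: [5, 0, 0], to: [5, 5, 7] },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numeric core plus optional tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  if (!p) return false;
  // Assumption: every 4.0.0 pre-release is flagged. The description starts
  // the affected range at 4.0.0-beta.3 and the CPE table collapses the
  // pre-releases to "4.0.0", so individual tags cannot be distinguished here.
  if (cmpCore(p.core, [4, 0, 0]) === 0) return p.pre !== null;
  return AFFECTED_RANGES.some(r => cmpCore(p.core, r.from) >= 0 && cmpCore(p.core, r.to) < 0);
}

// Every installed fast-xml-parser version in a package-lock.json v2/v3
// object, including copies nested under other dependencies.
function lockfileVersions(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/fast-xml-parser') && entry.version) found.push(entry.version);
  }
  return found;
}

// Option keys set to a literal 0 in source, e.g. `maxEntityCount: 0`.
const ZERO_LIMIT_RE = /\b(maxEntityCount|maxEntitySize)\s*:\s*0\b/g;
function zeroLimitsIn(source) {
  return [...source.matchAll(ZERO_LIMIT_RE)].map(m => m[1]);
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app' },
    'node_modules/fast-xml-parser': { version: '5.2.0' },
    'node_modules/some-dep/node_modules/fast-xml-parser': { version: '4.5.5' },
  },
};
const SAMPLE_SOURCE = `
const parser = new XMLParser({ processEntities: true, maxEntityCount: 0, maxEntitySize: 0 });
`;

// A deployment is exposed only when BOTH conditions hold: an affected
// version is installed and a limit is configured as 0.
function triage(lock, source) {
  const affected = lockfileVersions(lock).filter(isAffectedVersion);
  const zeroLimits = zeroLimitsIn(source);
  return { affected, zeroLimits, exposed: affected.length > 0 && zeroLimits.length > 0 };
}

console.log(triage(SAMPLE_LOCK, SAMPLE_SOURCE));
```

The two signals are deliberately combined: an affected version with default or positive limits is not exposed through this bug, and a zero limit on a patched version is merely a configuration worth reviewing. In the sample, 5.2.0 is inside [5.0.0, 5.5.7) while the nested 4.5.5 sits at the exclusive upper bound of the 4.x range, so only the first is reported.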
