CVE-2026-41673
Stack Overflow in xmldom JavaScript Library
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xmldom | xmldom | to 0.8.13 (exc) |
| xmldom | xmldom | to 0.8.13 (inc) |
| xmldom | xmldom | to 0.9.10 (inc) |
| xmldom | xmldom | From 0.9.0 (inc) to 0.9.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41673 is a denial-of-service vulnerability in the xmldom JavaScript library caused by uncontrolled recursion: several DOM operations are implemented as recursive functions with no depth limit.
When one of them processes a sufficiently deeply nested XML document, the recursion exhausts the call stack and throws a RangeError (Maximum call stack size exceeded); if the exception is not caught, the application crashes.
The affected operations are Node.prototype.normalize(), XMLSerializer.serializeToString(), Element.getElementsByTagName(), getElementsByTagNameNS(), getElementsByClassName(), getElementById(), Node.cloneNode(true), Document.importNode(node, true), the node.textContent getter, and Node.isEqualNode(other).
The root cause is that these functions recurse in plain JavaScript once per nesting level, so the stack depth they need grows with the depth of the document; native browser DOM implementations traverse iteratively and handle deep nesting safely.
The fix converts these recursive traversals to iterative ones built on a new walkDOM utility that keeps an explicit stack instead of relying on the JavaScript call stack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in xmldom causes a denial-of-service (DoS) condition by crashing applications processing deeply nested XML documents due to stack overflow errors. This can lead to service unavailability or disruption.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the potential for service disruption and application crashes could indirectly impact compliance. For example, if a service handling sensitive personal data protected under GDPR or health information under HIPAA becomes unavailable or unstable due to this vulnerability, it may affect the availability and reliability requirements mandated by these regulations.
Therefore, organizations using affected versions of xmldom in systems processing regulated data should consider this vulnerability a risk to maintaining continuous service availability, which is a component of compliance frameworks.
How can this vulnerability impact me?
This vulnerability can cause your application or service to crash when processing XML documents with deeply nested structures, due to a stack overflow error (RangeError: Maximum call stack size exceeded).
If your service processes attacker-controlled XML and performs any of the affected DOM operations, an attacker can easily trigger a denial-of-service condition by sending a crafted deeply nested XML document.
The impact can extend beyond a single request if the uncaught exception terminates the entire process, leading to service disruption and downtime.
The severity is rated High with a CVSS score of 8.7, reflecting the potential for widespread service disruption due to the ease of exploitation and significant availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a denial-of-service condition: a RangeError (Maximum call stack size exceeded) thrown while xmldom processes a sufficiently deeply nested XML document. Detection therefore starts with inventory: find every system that parses XML with an xmldom version older than the patched releases (0.9.10, 0.8.13, or 0.6.0, depending on the branch in use).
Since the issue triggers a crash on deeply nested XML input, detection can be done by testing XML processing components with crafted XML documents containing very deep nesting (thousands of levels). Monitoring logs or application crashes for RangeError exceptions related to stack overflow during XML parsing or DOM operations can also indicate exploitation.
No specific commands are provided in the available resources. A practical approach in a Node.js environment using xmldom:
- Generate a deeply nested XML file (e.g., nested.xml with 5,000 to 10,000 nested elements).
- Run a test script that loads the file with the xmldom version in use and calls one of the affected operations (for example getElementsByTagName or serializeToString) on the result.
- Watch for a RangeError exception or an abrupt process exit; either confirms the vulnerable behaviour.
Note that the resources themselves do not provide explicit detection commands or tools.
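The procedure above and the recursion mechanism described earlier, as an added example that is not code from the xmldom project. It generates the nested payload, then reproduces the failure mode on a small stand-in tree (nestedTree, a plain object graph with a childNodes array) so it runs with Node.js alone, with no package installed: countNodesRecursive mirrors the vulnerable recursive traversal, countNodesIterative is an independent sketch of the explicit-stack approach the fix takes (not the project's walkDOM helper itself), and probe, nestedXml and the depth of 100000 are this example's own choices. To probe a real dependency, first list the versions that resolve in your tree with `npm ls xmldom @xmldom/xmldom`, write the output of nestedXml to nested.xml, parse it with DOMParser from @xmldom/xmldom and call one of the listed operations inside a try/catch.

```javascript
// Added example (not part of xmldom): reproduce the uncontrolled-recursion
// failure mode on a deeply nested tree and compare it with the explicit-stack
// traversal the fix uses. Runs with Node.js alone; no packages required.

// Constructed test input: `depth` nested <a> elements, e.g. <a><a></a></a>.
// Write this to nested.xml to probe a real xmldom-based service.
function nestedXml(depth, tag = 'a') {
  return `<${tag}>`.repeat(depth) + `</${tag}>`.repeat(depth);
}

// Minimal stand-in for DOM nodes (only childNodes matters for traversal),
// so the example does not depend on xmldom being installed.
function nestedTree(depth) {
  const root = { nodeName: 'a', childNodes: [] };
  let current = root;
  for (let i = 1; i < depth; i++) {
    const child = { nodeName: 'a', childNodes: [] };
    current.childNodes.push(child);
    current = child;
  }
  return root;
}

// Recursive traversal in the style of the vulnerable code paths: one call
// frame per nesting level, so a deep document exhausts the call stack.
function countNodesRecursive(node) {
  let count = 1;
  for (const child of node.childNodes) count += countNodesRecursive(child);
  return count;
}

// Iterative traversal with an explicit stack, the approach the fix takes.
// (Independent sketch, not the project's walkDOM helper.)
function countNodesIterative(root) {
  let count = 0;
  const stack = [root];
  while (stack.length > 0) {
    const node = stack.pop();
    count++;
    // Push children in reverse so they are visited in document order.
    for (let i = node.childNodes.length - 1; i >= 0; i--) {
      stack.push(node.childNodes[i]);
    }
  }
  return count;
}

// Run a traversal on a tree of the given depth and report whether it survived.
// A RangeError here is the "Maximum call stack size exceeded" symptom.
function probe(traverse, depth) {
  try {
    return { ok: true, count: traverse(nestedTree(depth)) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, error: err.message };
    throw err;
  }
}

function main() {
  const depth = 100000; // assumption: far beyond Node's default stack budget
  console.log(`payload size for depth ${depth}: ${nestedXml(depth).length} bytes`);
  console.log('recursive:', probe(countNodesRecursive, depth));
  console.log('iterative:', probe(countNodesIterative, depth));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Running it prints an `ok: false` result with the RangeError message for the recursive traversal and `ok: true` with a count of 100000 for the iterative one. The same contrast is what separates a vulnerable xmldom release from a patched one when the generated nested.xml is fed to the operations listed above; note that in a real service the RangeError escapes from inside library code, so the try/catch has to wrap the DOM call, not just the parse.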
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the xmldom library to a patched version that addresses this vulnerability.
- Upgrade to xmldom 0.9.10 or later on the 0.9.x branch, or 0.8.13 or later on the 0.8.x branch.
- For the unscoped xmldom package, upgrade to 0.6.0 or later.
These versions include fixes that replace recursive DOM traversal functions with iterative implementations, preventing stack overflow and denial-of-service crashes.
If upgrading immediately is not possible, consider implementing input validation to reject or limit deeply nested XML documents before processing.
Additionally, monitor your application for RangeError exceptions related to stack overflow during XML processing and implement error handling to prevent process termination.
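The interim mitigation above (reject or limit deeply nested XML before it reaches the parser, and keep a crash from taking down the process), as an added example that is not xmldom's own code. It tokenises tags with a regular expression, which only approximates XML lexing: comments, CDATA sections, processing instructions and a doctype without an internal subset are skipped, quoted attribute values may contain `>`, and anything stranger is ignored, so it belongs in front of the real parser as a cheap pre-filter, not in place of it. The limit of 64, the NestingLimitError class, and the guardedParse wrapper with its `parse` callback are this example's assumptions; the callback is where the existing `new DOMParser().parseFromString(xml, 'text/xml')` call from @xmldom/xmldom would go.

```javascript
// Added example (not part of xmldom): bound element nesting depth before a
// document reaches the DOM parser. The scan is iterative, so it cannot itself
// overflow the stack, and it stops as soon as the limit is exceeded, so a
// multi-megabyte hostile payload costs only (limit + 1) tags of work.

// Tokens: comment | CDATA | processing instruction | doctype (no internal
// subset) | start or end tag. Group 1 "/" marks an end tag, group 2 is the
// element name, group 3 "/" marks a self-closing tag. Attribute values are
// matched as quoted strings so a '>' inside them does not end the tag.
const XML_TOKEN =
  /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\?[\s\S]*?\?>|<!DOCTYPE[\s\S]*?>|<(\/?)([^\s\/>]+)(?:\s+[^\s=\/>]+\s*=\s*(?:"[^"]*"|'[^']*'))*\s*(\/?)>/g;

class NestingLimitError extends Error {
  constructor(depth, limit) {
    super(`XML element nesting depth ${depth} exceeds limit ${limit}`);
    this.name = 'NestingLimitError';
    this.depth = depth;
    this.limit = limit;
  }
}

// Deepest element nesting seen in `xml`. Scanning stops once `limit` is
// exceeded, in which case the returned value is the first depth past it.
function maxElementDepth(xml, limit = Infinity) {
  let depth = 0;
  let max = 0;
  for (const m of xml.matchAll(XML_TOKEN)) {
    if (m[2] === undefined) continue;          // comment, CDATA, PI or doctype
    if (m[3] === '/') {                        // self-closing element
      max = Math.max(max, depth + 1);
    } else if (m[1] === '/') {                 // end tag
      depth = Math.max(0, depth - 1);
    } else {                                   // start tag
      depth++;
      max = Math.max(max, depth);
    }
    if (max > limit) break;                    // no need to scan the rest
  }
  return max;
}

// Assumption: 64 is a placeholder. Set it to the deepest document your schema
// legitimately produces, plus some headroom.
const DEFAULT_MAX_DEPTH = 64;

function checkNesting(xml, limit = DEFAULT_MAX_DEPTH) {
  const depth = maxElementDepth(xml, limit);
  if (depth > limit) throw new NestingLimitError(depth, limit);
  return depth;
}

// Put the check in front of whatever parse call you already make. `parse` is
// passed in (hypothetical callback) so this file runs without the package;
// in production it would be xml => new DOMParser().parseFromString(xml, 'text/xml').
function guardedParse(xml, parse, limit = DEFAULT_MAX_DEPTH) {
  checkNesting(xml, limit);
  return parse(xml);
}

function main() {
  // Constructed hostile payload: 5,000 nested elements.
  const hostile = '<a>'.repeat(5000) + '</a>'.repeat(5000);
  try {
    guardedParse(hostile, xml => xml.length);
  } catch (err) {
    if (err instanceof NestingLimitError) {
      console.log('rejected:', err.message);   // request fails, process survives
    } else {
      throw err;                               // anything else is a real bug
    }
  }
  console.log('benign depth:', checkNesting('<a><b/><c><d>text</d></c></a>'));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Catching NestingLimitError at the request boundary turns the hostile document into a 4xx response instead of an uncaught exception, which is the process-termination case the answer warns about. Keeping the limit in place after upgrading is still worthwhile: the patched traversals no longer recurse, but parsing a document of arbitrary depth still allocates a node per level, and a bound on depth is the cheapest way to cap that.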