CVE-2026-33349

EUVD-2026-14016
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
naturalintelligencefast-xml-parser
4.0.1 ≤
𝑥
< 4.5.5
naturalintelligencefast-xml-parser
5.0.0 ≤
𝑥
< 5.5.7
naturalintelligencefast-xml-parser
4.0.0
naturalintelligencefast-xml-parser
4.0.0:beta3
naturalintelligencefast-xml-parser
4.0.0:beta4
naturalintelligencefast-xml-parser
4.0.0:beta5
naturalintelligencefast-xml-parser
4.0.0:beta6
naturalintelligencefast-xml-parser
4.0.0:beta7
naturalintelligencefast-xml-parser
4.0.0:beta8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g