CVE-2026-33036 in fast-xml-parser
Summary
by MITRE • 03/20/2026
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-33036 affects the fast-xml-parser library, a popular JavaScript XML processing tool that enables developers to parse XML documents directly into JavaScript objects without requiring native C/C++ dependencies or callback mechanisms. This library has become widely adopted in Node.js applications due to its performance characteristics and ease of use in handling XML data structures. The vulnerability specifically targets versions 4.0.0-beta.3 through 5.5.5, where a critical bypass flaw exists in the entity expansion handling mechanism that undermines previously implemented security controls designed to prevent denial of service attacks.
The technical flaw stems from a design inconsistency in the OrderedObjParser.js file, where the replaceEntitiesValue() function applies entity expansion counting only to entities defined within the DOCTYPE declaration. This selective enforcement creates a bypass: numeric character references such as &#65; and &#x41;, along with standard XML entities like &lt; and &amp;, are processed without any expansion limit being applied. The bypass lives in the lastEntities loop, which handles these numeric and standard entities without any counting mechanism, so they expand without bound regardless of the configured maxTotalExpansions or maxExpandedLength parameters that were intended to cap resource consumption.
The operational impact of this vulnerability is severe: it can cause resource exhaustion that leads to system instability or a complete process crash. An attacker can exploit it by submitting an XML payload containing 1 million numeric entity references such as &#65;, which forces approximately 147MB of memory allocation and substantial CPU usage. This is a critical denial of service condition in which legitimate applications become unavailable, even when developers have properly configured strict limits to prevent exactly this. The vulnerability effectively neutralizes the security controls implemented to address CVE-2026-26278, leaving a persistent threat vector in any application context where XML parsing is performed.
This vulnerability aligns with CWE-400 (uncontrolled resource consumption) and is a specific instance of improper input validation in which entity expansion limits are bypassed through flawed implementation logic. The attack pattern corresponds to the ATT&CK technique T1499.004, specifically targeting resource consumption via XML external entity processing, which is commonly exploited in server-side request forgery and denial of service scenarios. The fix in version 5.5.6 ensures consistent entity expansion counting across all entity types, including numeric character references and standard XML entities, restoring the intended controls and preventing unlimited expansion regardless of entity type. Organizations using fast-xml-parser should upgrade to version 5.5.6 or later without delay to close this vector and avoid service disruption.
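To make the counting asymmetry described above concrete, here is an added illustration (written for this analysis, not code from fast-xml-parser) of a minimal entity replacer in the style the advisory describes: one mode charges only DOCTYPE-defined entities against maxTotalExpansions and maxExpandedLength, the other charges every expansion, including numeric character references and the standard entities. The function names makeReplacer, decodeNumericRef and demo, the single-pass regex, and the constructed input of twelve &#65; references against a limit of ten are assumptions made for the example; they are not the library's real implementation or defaults.

```javascript
// Added example: a simplified model of the counting bug class behind CVE-2026-33036
// and of the corrected behaviour. Not fast-xml-parser's own code; names are assumed.

// The five predefined XML entities, the "standard" entities the advisory refers to.
const STANDARD_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };

// Decode the body of a numeric character reference ("65" or "x41") to its character.
// Returns null for anything that is not a valid code point.
function decodeNumericRef(body) {
  const hex = body[0] === "x" || body[0] === "X";
  const code = hex ? parseInt(body.slice(1), 16) : parseInt(body, 10);
  if (!Number.isFinite(code) || code < 0 || code > 0x10ffff) return null;
  return String.fromCodePoint(code);
}

class ExpansionLimitError extends Error {}

// Build a replacer with the given limits. countAll=false reproduces the pre-5.5.6
// pattern: DOCTYPE entities are counted, numeric and standard references are not.
// countAll=true is the corrected behaviour: every expansion is charged to the budget.
function makeReplacer({ docTypeEntities = {}, maxTotalExpansions = 100, maxExpandedLength = 1024, countAll = true }) {
  return function replace(text) {
    let total = 0;
    let producedLength = 0;
    const charge = (expansion) => {
      total += 1;
      producedLength += expansion.length;
      if (total > maxTotalExpansions) throw new ExpansionLimitError(`maxTotalExpansions (${maxTotalExpansions}) exceeded`);
      if (producedLength > maxExpandedLength) throw new ExpansionLimitError(`maxExpandedLength (${maxExpandedLength}) exceeded`);
    };
    // Single pass over &name; and &#NNN; / &#xHH; references (no nested re-expansion).
    return text.replace(/&(#?[A-Za-z0-9]+);/g, (match, name) => {
      let expansion = null;
      let isDocType = false;
      if (name[0] === "#") {
        expansion = decodeNumericRef(name.slice(1));
      } else if (Object.prototype.hasOwnProperty.call(docTypeEntities, name)) {
        expansion = docTypeEntities[name];
        isDocType = true;
      } else if (Object.prototype.hasOwnProperty.call(STANDARD_ENTITIES, name)) {
        expansion = STANDARD_ENTITIES[name];
      }
      if (expansion === null) return match; // unknown reference: leave it untouched
      if (isDocType || countAll) charge(expansion); // the bug: numeric/standard refs skip this when countAll is false
      return expansion;
    });
  };
}

// Constructed input: twelve numeric references plus two standard entities, parsed under
// a budget of ten expansions. The uncounted mode expands all of them; the counting mode
// rejects the input at the eleventh reference.
function demo() {
  const input = "&#65;".repeat(12) + "&lt;&amp;";
  const limits = { maxTotalExpansions: 10, maxExpandedLength: 1024 };
  const uncounted = makeReplacer({ ...limits, countAll: false });
  const counted = makeReplacer({ ...limits, countAll: true });
  const result = { uncountedOutput: uncounted(input), countedRejected: false };
  try {
    counted(input);
  } catch (e) {
    result.countedRejected = e instanceof ExpansionLimitError;
  }
  return result;
}

// For contrast: DOCTYPE-defined entities are charged in both modes, so the same budget
// does stop eleven &greet; references even in the uncounted mode.
function docTypeEntitiesAreCounted() {
  const uncounted = makeReplacer({ docTypeEntities: { greet: "hello" }, maxTotalExpansions: 10, countAll: false });
  try {
    uncounted("&greet;".repeat(11));
    return false;
  } catch (e) {
    return e instanceof ExpansionLimitError;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo(), { docTypeEntitiesAreCounted: docTypeEntitiesAreCounted() });
}
```

The point of the comparison is that a limit is only as good as the set of code paths that consult it: a budget applied to one entity class and skipped for another is equivalent to no budget for an input that uses only the uncounted class, which is exactly what the advisory reports for the lastEntities loop. When reviewing a parser's expansion limits, check that every path that produces expanded output, not just the DOCTYPE path, calls into the same counter.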