Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid DOCTYPE parsing by setting the `processEntities: false` option.
Published: 2026-02-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

In versions 4.1.3 through 5.3.5, the fast-xml-parser library processes XML without limiting entity expansion in a DOCTYPE declaration, allowing a crafted XML document to trigger repetitive entity expansions that consume CPU and memory and can cause the application to stall. This defect results in a denial of service and is categorized as a resource exhaustion flaw (CWE-776).

Affected Systems

The vulnerability affects NaturalIntelligence’s fast-xml-parser library in releases 4.1.3 to 5.3.5. A fix was released in version 5.3.6, after which the unlimited expansion behavior was removed.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is of high severity, yet its EPSS score is below 1% and it is not listed in CISA’s KEV catalog, indicating a low probability of exploitation in the wild. An attacker would need to supply XML input to a vulnerable application or API that parses XML; the resulting parse would consume system resources and render the service unavailable.

Generated by OpenCVE AI on April 16, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-xml-parser to version 5.3.6 or newer.
  • If an upgrade cannot be performed immediately, configure the parser to disable DOCTYPE entity processing by setting processEntities to false.
  • Monitor the application for unusually long XML parse times and high resource consumption to detect potential abuse.
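As an added example (not code from the advisory or the fast-xml-parser project), the workaround and the monitoring action above as a small Node.js module: the hardened options object for the parser, a pre-parse guard that rejects DOCTYPE internal subsets declaring entities, and a timed parse wrapper. It assumes only the library's documented `new XMLParser(options)` constructor and `processEntities` option; the library itself is not loaded, so the block runs stand-alone with a placeholder parse function.

```javascript
// Added example, not from the advisory or the fast-xml-parser project.
// Assumes fast-xml-parser's documented `new XMLParser(options)` constructor;
// the library is not loaded here, so the block runs stand-alone.

// Options to pass to `new XMLParser(...)`: `processEntities: false` is the
// workaround named in the advisory for versions 4.1.3 through 5.3.5.
const HARDENED_PARSER_OPTIONS = Object.freeze({
  processEntities: false, // never expand entities declared in a DOCTYPE
});

// Defense in depth: reject documents whose DOCTYPE internal subset declares
// entities before they reach any parser. Ordinary API payloads need no DTD.
function hasDoctypeEntities(xml) {
  if (typeof xml !== 'string') return false;
  const doctype = /<!DOCTYPE\b[^\[>]*\[([\s\S]*?)\]\s*>/i.exec(xml);
  return doctype !== null && /<!ENTITY\b/i.test(doctype[1]);
}

// Wrap a parse call with a wall-clock budget so unusually slow parses are
// surfaced for monitoring (the third recommended action).
// `parseFn` is any function such as `(s) => parser.parse(s)`.
function timedParse(parseFn, xml, budgetMs) {
  if (hasDoctypeEntities(xml)) {
    return { ok: false, reason: 'doctype-entities-rejected', elapsedMs: 0, slow: false };
  }
  const start = Date.now();
  const result = parseFn(xml);
  const elapsedMs = Date.now() - start;
  return { ok: true, result, elapsedMs, slow: elapsedMs > budgetMs };
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN_XML = '<order><id>42</id></order>';
const DTD_XML = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "x">]><r>&a;</r>';

// Stand-alone demonstration with a placeholder parser that only measures length.
const demo = timedParse((s) => ({ chars: s.length }), BENIGN_XML, 200);
console.log(demo.ok, demo.slow, hasDoctypeEntities(DTD_XML)); // true false true
```

In production, `parseFn` wraps `new XMLParser(HARDENED_PARSER_OPTIONS).parse`, and a `slow: true` result is the signal to log and alert on.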



Advisories
Source: GitHub GHSA
ID: GHSA-jmr7-xgp7-cmfj
Title: fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
History

Mon, 23 Feb 2026 19:45:00 +0000

CPEs, values added: cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 12:15:00 +0000

References: changed (no values shown)
Metrics, threat_severity: None (removed), Important (added)

Fri, 20 Feb 2026 10:15:00 +0000

First Time appeared: Naturalintelligence; Naturalintelligence fast-xml-parser
Vendors & Products, values added: Naturalintelligence; Naturalintelligence fast-xml-parser

Fri, 20 Feb 2026 01:15:00 +0000

Metrics, ssvc, values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:15:00 +0000

Description, values added: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
Title, values added: fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Weaknesses, values added: CWE-776
References: changed (no values shown)
Metrics, cvssV3_1, values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:11:59.388Z

Reserved: 2026-02-12T17:10:53.414Z

Link: CVE-2026-26278

Vulnrichment

Updated: 2026-02-19T20:58:41.932Z

NVD

Status : Analyzed

Published: 2026-02-19T20:25:43.717

Modified: 2026-02-23T19:30:26.017

Link: CVE-2026-26278

Red Hat

Severity : Important

Public Date: 2026-02-19T19:40:55Z

Links: CVE-2026-26278 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses