CVE-2026-27942 - Vulnerability Details

- fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.

Published: 2026-02-26

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

fast‑xml‑parser can crash when an attacker supplies XML data to the XMLBuilder with the preserveOrder flag enabled. This stack overflow results in a process termination and a denial of service. The vulnerability is classified as CWE‑120 and CWE‑776 and does not grant the attacker code execution or data disclosure. The crash can disrupt any service that relies on the parser to produce XML.

Affected Systems

The issue affects versions of NaturalIntelligence’s fast‑xml‑parser prior to 5.3.8. Any installation that uses the XMLBuilder with preserveOrder:true is vulnerable unless the library has been updated.

Risk and Exploitability

The CVSS base score is 2.7, indicating low impact, and the EPSS score is below 1 %. The vulnerability is not listed in the CISA KEV catalog. An attacker could trigger the stack overflow by supplying crafted XML input to the application. If the application accepts untrusted input, the attack vector is remote. The exploit requires only the ability to feed XML to the XMLBuilder; it does not require privilege escalation or advanced conditions. The overall risk remains low but the crash can disrupt availability of services that depend on the parser.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NaturalIntelligence

fast-xml-parser

affected

Version	Status	Constraints
`< 5.3.8`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:naturalintelligence:fast-xml-parser::::::::
	cpe:2.3:a:naturalintelligence:fast-xml-parser::::::::

No data.

Vendor Product Confidence Versions

Naturalintelligence

Fast-xml-parser

100%

Version	Status	Scheme	Platform
`[0,5.3.8)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade fast‑xml‑parser to version 5.3.8 or later to eliminate the stack‑overflow bug.
When using XMLBuilder, set preserveOrder:false or omit the flag so the vulnerable code path is not executed.
Sanitize or validate XML input before passing it to the builder to avoid large or malformed payloads that could trigger the overflow.

Generated by OpenCVE AI on April 17, 2026 at 14:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-fj3w-jwp8-x2g3	fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a
https://github.com/NaturalIntelligence/fast-xml-parser/pull/791
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3
https://nvd.nist.gov/vuln/detail/CVE-2026-27942
https://www.cve.org/CVERecord?id=CVE-2026-27942

History

Mon, 02 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:fast-xml-parser_project:fast-xml-parser::::::node.js::*	cpe:2.3:a:naturalintelligence:fast-xml-parser::::::::
Vendors & Products	Fast-xml-parser Project Fast-xml-parser Project fast-xml-parser

Sat, 28 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-776
References		https://nvd.nist.gov/vuln/detail/CVE-2026-27942 https://www.cve.org/CVERecord?id=CVE-2026-27942
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 27 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fast-xml-parser Project Fast-xml-parser Project fast-xml-parser
CPEs		cpe:2.3:a:fast-xml-parser_project:fast-xml-parser::::::node.js::*
Vendors & Products		Fast-xml-parser Project Fast-xml-parser Project fast-xml-parser
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Naturalintelligence Naturalintelligence fast-xml-parser
Vendors & Products		Naturalintelligence Naturalintelligence fast-xml-parser

Thu, 26 Feb 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
Title		fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Weaknesses		CWE-120
References		https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a https://github.com/NaturalIntelligence/fast-xml-parser/pull/791 https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}`

Subscriptions

Naturalintelligence Fast-xml-parser

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-26T01:22:11.383Z

Updated: 2026-02-26T15:49:35.449Z

Reserved: 2026-02-25T03:11:36.689Z

Link: CVE-2026-27942

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-26T02:16:22.357

Modified: 2026-03-02T14:54:48.080

Link: CVE-2026-27942

Redhat

Severity : Moderate

Publid Date: 2026-02-26T01:22:11Z

Links: CVE-2026-27942 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object