Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
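The advisory's root cause is a decoding loop that counts DOCTYPE-defined entities but not numeric character references or the five standard entities. The following is an added example, not code from fast-xml-parser, showing the missing check: every reference, numeric or named, is charged against the same two budgets. The option names maxTotalExpansions and maxExpandedLength are borrowed from the advisory; the functions themselves are stand-ins, not the library's API.

```javascript
// Added example (not fast-xml-parser's own code): decode numeric character
// references and standard entities under an expansion budget, so that a flood
// of "&#65;" cannot bypass the limits the way the uncounted loop allowed.
const STANDARD_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const ENTITY_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot|apos);/g;

class EntityExpansionError extends Error {}

function decodeEntitiesWithBudget(text, opts = {}) {
  // Defaults are illustrative assumptions, not the library's defaults.
  const maxTotalExpansions = opts.maxTotalExpansions ?? 100000;
  const maxExpandedLength = opts.maxExpandedLength ?? 1000000;
  let expansions = 0;
  let produced = 0; // characters emitted so far, checked before appending
  let last = 0;
  const parts = [];
  for (const m of text.matchAll(ENTITY_RE)) {
    // The check the vulnerable loop lacked: numeric and named references
    // are counted exactly like DOCTYPE-defined ones.
    if (++expansions > maxTotalExpansions) {
      throw new EntityExpansionError(`more than ${maxTotalExpansions} entity references`);
    }
    const ref = m[1];
    let replacement;
    if (ref.startsWith("#x")) {
      replacement = String.fromCodePoint(parseInt(ref.slice(2), 16));
    } else if (ref.startsWith("#")) {
      replacement = String.fromCodePoint(parseInt(ref.slice(1), 10));
    } else {
      replacement = STANDARD_ENTITIES[ref];
    }
    const literal = text.slice(last, m.index);
    produced += literal.length + replacement.length;
    if (produced > maxExpandedLength) {
      throw new EntityExpansionError(`expanded text exceeds ${maxExpandedLength} characters`);
    }
    parts.push(literal, replacement);
    last = m.index + m[0].length;
  }
  parts.push(text.slice(last));
  return parts.join("");
}

// Non-throwing wrapper suitable for a pre-parse guard or a log line.
function checkEntityBudget(text, opts) {
  try {
    return { ok: true, length: decodeEntitiesWithBudget(text, opts).length };
  } catch (e) {
    if (e instanceof EntityExpansionError) return { ok: false, reason: e.message };
    throw e;
  }
}
```

Running the guard over untrusted XML before handing it to any parser version below 5.5.6 rejects a reference flood early; upgrading remains the fix.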
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via XML entity expansion
Action: Immediate Patch
AI Analysis

Impact

A flaw in the fast-xml-parser library allows an attacker to embed large numbers of numeric character references, such as &#65;, in XML data. The parser does not count these references against the configured expansion limits, so a flood of them can drive hundreds of megabytes of memory allocation and consume significant CPU cycles. The result is a resource exhaustion attack that can crash or slow down a Node.js application processing XML. The vulnerability is a classic instance of denial of service caused by unchecked data size and is classified under CWE-776.

Affected Systems

The issue affects the NaturalIntelligence fast-xml-parser package versions from 4.0.0-beta.3 up through 5.5.5. Applications that import or use this library to parse XML, particularly those without additional input size checks, are exposed. The vendor's repository and release notes indicate that the vulnerability was introduced in the 4.x line and persists until the 5.5.6 release.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. However, the EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can supply crafted XML to a vulnerable endpoint and trigger the memory and CPU exhaustion. Process crashes or severe slowdown on the target machine would be the primary outcomes if the application lacks additional safeguards. The advisory explicitly states the fix is available in v5.5.6, which fully enforces the expansion limits for numeric and standard entities.

Generated by OpenCVE AI on March 23, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update fast‑xml‑parser to version 5.5.6 or later



Advisories
Source ID Title
Github GHSA GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
History

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity
Values Removed: None
Values Added: Moderate


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-parser
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-parser

Fri, 20 Mar 2026 05:45:00 +0000

Type Values Removed Values Added
Description fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like &#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Title fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Weaknesses CWE-776
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:57:58.233Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33036

Vulnrichment

Updated: 2026-03-25T13:57:44.654Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:11.630

Modified: 2026-03-23T16:28:10.930

Link: CVE-2026-33036

Redhat

Severity : Moderate

Public Date: 2026-03-20T05:17:03Z

Links: CVE-2026-33036 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:30:25Z

Weaknesses