Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Published: 2026-03-24
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the XML parsing library enables attackers to cause unbounded entity expansion. When developers set the entity limit values to zero, JavaScript treats the values as falsy and bypasses the intended checks. This allows malicious XML input to grow without bound, exhaust memory resources, and result in a denial of service for the affected application.

Affected Systems

Applications that rely on NaturalIntelligence's fast-xml-parser, version 4.0.0-beta.3 through the release before 5.5.7, are impacted by this flaw. The issue affects all releases in the stated range regardless of the platform, as the vulnerability exists within the JavaScript implementation of the library.

Risk and Exploitability

The flaw carries a CVSS score of 5.9, indicating a medium severity rating, and an EPSS score of less than 1%, suggesting a low probability of exploitation. It is not included in the CISA Known Exploited Vulnerabilities catalog. Attackers who can provide XML input to an application using the vulnerable library may trigger the memory exhaustion and achieve a denial of service. The exploit requires the application to parse external XML data, which may be supplied over the network or locally within the environment.

Generated by OpenCVE AI on March 26, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast-xml-parser to version 5.5.7 or later.

Generated by OpenCVE AI on March 26, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jp2q-39xq-3w4g Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
History

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-parser
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-parser

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Title fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Naturalintelligence Fast-xml-parser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:28:07.309Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33349

cve-icon Vulnrichment

Updated: 2026-03-25T14:01:11.302Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:29.407

Modified: 2026-03-26T13:01:52.857

Link: CVE-2026-33349

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T19:35:47Z

Links: CVE-2026-33349 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:34Z

Weaknesses