{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33349", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-24T19:35:47.908Z", "dateUpdated": "2026-03-25T14:28:07.309Z"}, "containers": {"cna": {"title": "fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation", "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"}, {"name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7", "tags": ["x_refsource_MISC"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"version": ">= 4.0.0-beta.3, < 5.5.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:35:47.908Z"}, "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 \u2014 intending to disallow all entities or restrict entity size to zero bytes \u2014 the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7."}], "source": {"advisory": "GHSA-jp2q-39xq-3w4g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:00:54.871779Z", "id": "CVE-2026-33349", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:28:07.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33349", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:00:54.871779Z"}}}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:01:11.302Z"}}], "cna": {"title": "fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation", "source": {"advisory": "GHSA-jp2q-39xq-3w4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "NaturalIntelligence", "product": "fast-xml-parser", "versions": [{"status": "affected", "version": ">= 4.0.0-beta.3, < 5.5.7"}]}], "references": [{"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7", "name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 \u2014 intending to disallow all entities or restrict entity size to zero bytes \u2014 the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284: Improper Validation of Specified Quantity in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:35:47.908Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33349", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:28:07.309Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:35:47.908Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "A781B124-CD04-4153-A726-B3A19A51DA7D", "versionEndExcluding": "4.5.5", "versionStartIncluding": "4.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6A6A49B-279E-44B2-9936-F04662193F43", "versionEndExcluding": "5.5.7", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098", "vulnerable": true}, {"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 \u2014 intending to disallow all entities or restrict entity size to zero bytes \u2014 the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7."}], "id": "CVE-2026-33349", "lastModified": "2026-03-26T13:01:52.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:29.407", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling", "id": "2450909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450909"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1284", "details": ["A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing specially crafted XML input to an application using the affected library. The DocTypeReader component incorrectly processes configuration limits for entity counts and sizes when these limits are explicitly set to zero, bypassing intended restrictions. This oversight allows for unbounded entity expansion, consuming excessive memory and leading to a Denial of Service (DoS) condition, which makes the application unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33349", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Fix deferred", "package_name": "mta/mta-ui-rhel9", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Fix deferred", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "apicurio/apicurio-registry-ui-rhel8", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "apicurio/apicurio-registry-ui-rhel9", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/mcg-core-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/ocs-client-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Fix deferred", "package_name": "odf4/odf-multicluster-console-rhel9", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-console-plugin", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "container-native-virtualization/kubevirt-console-plugin-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-vulnerability-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-24T19:35:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33349\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33349\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-beta.3,5.5.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "fast-xml-parser", "source": "cna", "vendor": "NaturalIntelligence"}, "product": "fast-xml-parser", "vendor": "naturalintelligence"}], "analysis": {"en": {"generated_at": "2026-03-24T20:20:38.121401+00:00", "value": {"mitigation_remediation": ["Upgrade fast\u2011xml-parser to version 5.5.7 or later", "Verify that maxEntityCount and maxEntitySize are set to a non\u2011zero value when using older library versions", "Restrict XML parsing to trusted or sanitized input sources"], "summary": {"action": "Patch", "impact": "Denial of Service via unbounded XML entity expansion"}, "threat_synthesis": {"affected_systems": "Vulnerable applications are those using NaturalIntelligence's fast\u2011xml-parser library, versions from 4.0.0\u2011beta.3 up to but not including 5.5.7. The patch in version 5.5.7 resolves the bug by correctly interpreting a zero value for the limits.", "description_and_impact": "fast\u2011xml-parser processes XML data in JavaScript and provides configuration limits to control entity expansion. Between versions 4.0.0\u2011beta.3 and 5.5.6, the parser evaluates the developer\u2011supplied maxEntityCount and maxEntitySize options with JavaScript truthy checks. When a developer sets either of these limits to zero\u2014intending to disallow all entities or restrict entity size to zero\u2014the falsy nature of 0 bypasses the guard conditions, allowing unlimited entity expansion. An attacker that can supply XML input to the application can trigger unbounded expansion, exhausting memory and causing a denial\u2011of\u2011service attack. The vulnerability is classified as CWE\u20111284.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a medium severity. The exploit probability score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to provide crafted XML to the application; the vulnerability is likely exploitable in environments where XML input is accepted from untrusted sources. Because the bug involves misinterpreting limits, exploitation does not require complex conditions beyond access to the input channel."}}}}, "created": "2026-03-25T11:46:14.036578+00:00", "updated": "2026-03-25T20:57:38.732903+00:00", "vendors": ["naturalintelligence", "naturalintelligence$PRODUCT$fast-xml-parser"]}