Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
Published: 2026-05-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled recursion (CWE-674) in the DOM traversal used by XMLSerializer: a sufficiently deeply nested XML document exhausts the call stack, the JavaScript engine throws a RangeError, and the process terminates. The consequence is denial of service, a loss of availability for any service that parses or serializes XML with the affected xmldom library.

Affected Systems

The xmldom library for JavaScript is affected. Any project using the npm package @xmldom/xmldom prior to version 0.9.10 or 0.8.13, or the unscoped xmldom package at version 0.6.0 or earlier, is vulnerable. Versions 0.9.10 and 0.8.13 and later contain the remediation. Projects that integrate xmldom into Node.js, browser, or other JavaScript runtimes and parse or serialize XML are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score is not available, so the likelihood of exploitation cannot be quantified precisely. The issue is not listed in KEV, suggesting no confirmed widespread exploitation. The attack vector is likely local, requiring the ability to provide malicious XML to the library; however, if the library is used in a public-facing service, an attacker could supply crafted XML payloads to trigger the stack overflow and cause a denial of service.

Generated by OpenCVE AI on May 7, 2026 at 05:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xmldom package to version 0.9.10 or later, which implements a recursion depth limit in lib/dom.js.
  • If an upgrade cannot be performed immediately, implement input validation that rejects XML documents exceeding a defined depth before they reach DOMParser or XMLSerializer.
  • Apply process isolation or restart mechanisms to recover from a RangeError and prevent sustained service disruption.
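As an added illustration of the second recommended action, and not code from the xmldom project: a non-recursive pre-check that measures element nesting depth in the raw XML text and rejects documents beyond a configured limit before they are handed to DOMParser or XMLSerializer. The limit of 256, the function names, and the sample input are assumptions. The scanner counts element nesting only and skips comments, CDATA sections, processing instructions and the DOCTYPE, so it is a conservative approximation of DOM depth, not a substitute for upgrading to a fixed release.

```javascript
'use strict';

// Added example (not part of xmldom): a linear-time, non-recursive nesting-depth
// check that can run on untrusted XML text before parsing or serialization.

const DEFAULT_MAX_DEPTH = 256; // assumed limit; tune per application

// Returns the maximum element nesting depth of `xml`, or stops early and
// returns `maxDepth + 1` as soon as the limit is exceeded.
function measureXmlDepth(xml, maxDepth = DEFAULT_MAX_DEPTH) {
  let depth = 0;
  let maxSeen = 0;
  let i = 0;
  const n = xml.length;

  while (i < n) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    i = lt + 1;

    if (xml.startsWith('!--', i)) {             // comment: skip to -->
      const end = xml.indexOf('-->', i + 3);
      if (end === -1) break;
      i = end + 3;
    } else if (xml.startsWith('![CDATA[', i)) { // CDATA section: skip to ]]>
      const end = xml.indexOf(']]>', i + 8);
      if (end === -1) break;
      i = end + 3;
    } else if (xml[i] === '?') {                // XML declaration / processing instruction
      const end = xml.indexOf('?>', i + 1);
      if (end === -1) break;
      i = end + 2;
    } else if (xml[i] === '!') {                // DOCTYPE, possibly with an internal subset
      let bracket = 0;
      while (i < n) {
        const c = xml[i];
        if (c === '[') bracket++;
        else if (c === ']') bracket--;
        else if (c === '>' && bracket <= 0) break;
        i++;
      }
      i++;
    } else if (xml[i] === '/') {                // end tag: one level up
      const end = xml.indexOf('>', i);
      if (end === -1) break;
      i = end + 1;
      if (depth > 0) depth--;
    } else {                                    // start tag or empty-element tag
      let quote = null;                         // track quoted attribute values so '>' inside them is ignored
      let selfClosing = false;
      while (i < n) {
        const c = xml[i];
        if (quote) {
          if (c === quote) quote = null;
        } else if (c === '"' || c === "'") {
          quote = c;
        } else if (c === '>') {
          selfClosing = xml[i - 1] === '/';
          break;
        }
        i++;
      }
      i++;
      if (!selfClosing) {
        depth++;
        if (depth > maxSeen) maxSeen = depth;
        if (depth > maxDepth) return maxDepth + 1; // stop scanning as soon as the limit is exceeded
      }
    }
  }
  return maxSeen;
}

// Gate to place in front of DOMParser / XMLSerializer calls.
function isXmlDepthAcceptable(xml, maxDepth = DEFAULT_MAX_DEPTH) {
  return measureXmlDepth(xml, maxDepth) <= maxDepth;
}

// Constructed sample input: a document nested `levels` elements deep.
function nestedXml(levels) {
  return '<?xml version="1.0"?>' + '<a>'.repeat(levels) + 'x' + '</a>'.repeat(levels);
}

// Usage: reject before parsing instead of letting the parser recurse.
const sample = nestedXml(300);
console.log(isXmlDepthAcceptable(sample) ? 'accepted' : 'rejected: nesting too deep');
```

Because the check returns as soon as the limit is passed, an oversized document costs at most a scan up to the offending tag, and the function never recurses, so it cannot itself trigger the RangeError it is meant to prevent.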



Advisories

Source: GitHub GHSA
ID: GHSA-2v35-w6hq-6mfw
Title: xmldom: Uncontrolled recursion in XML serialization leads to DoS
History

Thu, 07 May 2026 14:15:00 +0000
  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000
  Type: First Time appeared
  Values Removed: (none)
  Values Added: Xmldom; Xmldom xmldom
  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Xmldom; Xmldom xmldom

Thu, 07 May 2026 04:15:00 +0000
  Type: Description
  Values Removed: (none)
  Values Added: (identical to the text in the Description section above)
  Type: Title
  Values Removed: (none)
  Values Added: xmldom: Denial of service via uncontrolled recursion in XML serialization
  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-674
  Type: References
  Values Removed: (none)
  Values Added: (none)
  Type: Metrics
  Values Removed: (none)
  Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:10:45.986Z

Reserved: 2026-04-22T03:53:24.405Z

Link: CVE-2026-41673

Vulnrichment

Updated: 2026-05-07T14:09:13.229Z

NVD

Status: Deferred

Published: 2026-05-07T04:16:33.257

Modified: 2026-05-07T15:16:08.670

Link: CVE-2026-41673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses