CVE-2026-33349

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33349
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33349.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33349
Aliases
Downstream
Related
Published
2026-03-24T19:35:47.908Z
Modified
2026-04-10T05:42:44.425161Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Details

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33349.json"
}
References

Affected packages

Git / github.com/naturalintelligence/fast-xml-parser

Affected ranges

Type
GIT
Repo
https://github.com/naturalintelligence/fast-xml-parser
Events
Introduced
7439272f2a98f8a551de7a105faeab58c6fbf74a
Fixed
a21c44123cdf0f8fb5b56d33386ed3be4e180953
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-beta.3"
        },
        {
            "fixed": "5.5.7"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.5
v4.0.0-beta.6
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.2
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v5.*
v5.0.0
v5.0.2
v5.0.4
v5.0.6
v5.0.7
v5.0.9
v5.1.0
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.2.5
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.5.5
v5.5.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33349.json"