DEBIAN-CVE-2026-33349

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33349

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33349.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33349

Upstream

CVE-2026-33349

Published

2026-03-24T20:16:29.407Z

Modified

2026-04-28T20:31:37.973415Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

References

https://security-tracker.debian.org/tracker/CVE-2026-33349

Affected packages

Debian:12 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-7

11.4.0+dfsg2+~cs35.7.26-8

11.4.0+dfsg2+~cs35.7.26-9

11.4.0+dfsg2+~cs35.7.26-10

11.4.0+dfsg2+~cs35.7.26-11

11.4.0+dfsg2+~cs35.7.26-12

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

11.4.0+dfsg2+~cs35.7.26-19

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33349.json"

Debian:13 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

11.4.0+dfsg2+~cs35.7.26-19

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33349.json"

Debian:14 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/debian/node-webfont?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-13

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16

11.4.0+dfsg2+~cs35.7.26-18

11.4.0+dfsg2+~cs35.7.26-19

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33349.json"