UBUNTU-CVE-2026-33349

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33349

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33349.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33349

Upstream

CVE-2026-33349

Published

2026-03-24T20:16:00Z

Modified

2026-04-27T19:02:28.526053Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

References

Affected packages

Ubuntu:24.04:LTS / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/ubuntu/node-webfont@11.4.0+dfsg2+~cs35.7.26-7ubuntu1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-7ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-webfont",
            "binary_version": "11.4.0+dfsg2+~cs35.7.26-7ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33349.json"

Ubuntu:25.10 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/ubuntu/node-webfont@11.4.0+dfsg2+~cs35.7.26-13ubuntu2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-10

11.4.0+dfsg2+~cs35.7.26-13ubuntu2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-webfont",
            "binary_version": "11.4.0+dfsg2+~cs35.7.26-13ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33349.json"

Ubuntu:26.04 / node-webfont

Package

Name: node-webfont
Purl: pkg:deb/ubuntu/node-webfont@11.4.0+dfsg2+~cs35.7.26-18?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.4.0+dfsg2+~cs35.7.26-13ubuntu2

11.4.0+dfsg2+~cs35.7.26-14

11.4.0+dfsg2+~cs35.7.26-15

11.4.0+dfsg2+~cs35.7.26-16build1

11.4.0+dfsg2+~cs35.7.26-18

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "node-webfont",
            "binary_version": "11.4.0+dfsg2+~cs35.7.26-18"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33349.json"