CVE-2026-26278

Summary

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by processEntities: false option.

Affected Software

VendorProductVersion RangeStatus
NaturalIntelligencefast-xml-parser>= 5.0.0, < 5.3.6affected
NaturalIntelligencefast-xml-parser>= 4.1.3, < 4.5.4affected

Weaknesses

  • CWE-776: CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion

Additional References

References