CVE-2026-33349— fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33349
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Source: NVD (National Vulnerability Database)
Vulnerability Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1284
Source: NVD (National Vulnerability Database)
Vulnerability Title
fast-xml-parser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
fast-xml-parser是Natural Intelligence开源的一个库。用于在没有基于 C/C++ 的库和回调的情况下,快速验证 XML、解析 XML 和构建 XML。 fast-xml-parser 4.0.0-beta.3至5.5.7之前版本存在安全漏洞,该漏洞源于DocTypeReader使用JavaScript真值检查评估maxEntityCount和maxEntitySize配置限制,可能导致当开发者将任一限制设置为0时完全绕过限制,进而触发无限制实体扩展,导致内存耗尽和拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| NaturalIntelligence | fast-xml-parser | >= 4.0.0-beta.3, < 5.5.7 | - |
II. Public POCs for CVE-2026-33349
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33349
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: fast-xml-parser
- CVE-2026-41650
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection - CVE-2026-33036
fast-xml-parser affected by numeric entity expansion bypassi - CVE-2026-27942
fast-xml-parser has stack overflow in XMLBuilder with preser - CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex inje - CVE-2026-26278
fast-xml-parser affected by DoS through entity expansion in
Same vendor: NaturalIntelligence
- CVE-2026-41650
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection - CVE-2026-33036
fast-xml-parser affected by numeric entity expansion bypassi - CVE-2026-27942
fast-xml-parser has stack overflow in XMLBuilder with preser - CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex inje - CVE-2026-26278
fast-xml-parser affected by DoS through entity expansion in
Same weakness: CWE-1284
- CVE-2026-25863
Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncont - CVE-2025-14688
IBM® Db2® is vulnerable to a denial of service when fetching - CVE-2026-6915
Flaw in the updateUser Command May Allow Unauthorized Config - CVE-2026-1352
IBM® Db2® is vulnerable to a trap or return SQLCODE -901 whe - CVE-2026-6839
ONE 安全漏洞
V. Comments for CVE-2026-33349
No comments yet