Listen to this Post
The vulnerability exists in the numeric entity parsing logic of the fast-xml-parser library. In the `OrderedObjParser.js` file, the regular expressions for decimal (&([0-9]{1,7});) and hexadecimal (&x([0-9a-fA-F]{1,6});) entities capture numeric strings up to 7 and 6 characters long respectively, allowing values far beyond the maximum valid Unicode code point of 0x10FFFF (1,114,111). The captured string is passed to String.fromCodePoint(). This JavaScript method throws a `RangeError` for invalid code points. The library’s `replaceEntitiesValue()` function lacks a try-catch block around this replacement operation. When a malicious XML payload contains an out-of-range entity like `�` (decimal 9999999) or `�` (hex 0xFFFFFF), the uncaught `RangeError` exception propagates up, crashing the Node.js process and causing a Denial of Service.
Platform: fast-xml-parser
Version: <= 5.3.3
Vulnerability: Uncaught RangeError
Severity: Critical
date: 2024-05-17
Prediction: Patch 2024-05-31
What Undercode Say:
npm init -y npm install [email protected]
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: true });
const maliciousXML = '<?xml version="1.0"?><root>�</root>';
parser.parse(maliciousXML);
curl -X POST -d '<?xml version="1.0"?><root>�</root>' http://victim/parse
How Exploit:
Craft XML payload containing decimal `�` or hex `�` entity. Send via HTTP POST to endpoint using vulnerable parser. Process crashes immediately.
Protection from this CVE:
Update to >=5.3.4. Implement input validation. Use try-catch wrapper. Disable entity parsing.
Impact:
Application crash, Denial of Service, service disruption, manual restart required.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

