CVE-2021-41559
Description
Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Silverstripe Framework 4.8.1 is vulnerable to a quadratic blowup in Convert::xml2array(), enabling remote denial of service via a crafted XML document.
Vulnerability
Overview
CVE-2021-41559 describes a quadratic blowup vulnerability in the Convert::xml2array() function of the Silverstripe framework (version 4.8.1). The root cause is an algorithmic inefficiency that causes processing time to grow quadratically with the size of the input XML, likely due to nested element expansion or recursive parsing without proper bounds [2].
Exploitation
A remote attacker can exploit this vulnerability by sending a specially crafted XML document to any endpoint that invokes Convert::xml2array(). No authentication is required, making the attack surface broad. The crafted XML triggers excessive computational work, leading to resource exhaustion [3].
Impact
Successful exploitation results in a denial of service (DoS) condition, as the targeted server consumes disproportionate CPU and memory resources. This can render the application unresponsive, affecting availability for legitimate users [2].
Mitigation
The Silverstripe project has addressed this issue in a subsequent release. Users are advised to upgrade to the latest version of the silverstripe/framework package, as detailed in the official release notes [1]. The vulnerability is also tracked in the FriendsOfPHP security advisories [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
silverstripe/frameworkPackagist | >= 4.0.0, < 4.10.9 | 4.10.9 |
Affected products
3- Silverstripe/frameworkdescription
- osv-coords2 versions
< 4.10.9+ 1 more
- (no CPE)range: < 4.10.9
- (no CPE)range: >= 4.0.0, < 4.10.9
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-9fmg-89fx-r33wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41559ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2021-41559.yamlghsaWEB
- www.silverstripe.org/download/security-releasesghsaWEB
- www.silverstripe.org/download/security-releases/mitrex_refsource_MISC
- www.silverstripe.org/download/security-releases/cve-2021-41559ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.