VYPR
Low severityNVD Advisory· Published Feb 26, 2026· Updated Feb 26, 2026

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

CVE-2026-27942

Description

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As a workaround, use XML builder with preserveOrder:false or check the input data before passing to builder.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
fast-xml-parsernpm
>= 5.0.0, < 5.3.85.3.8
fast-xml-parsernpm
>= 4.0.0-beta.0, < 4.5.44.5.4

Affected products

35

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.