fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Description
fast-xml-parser allows users to process XML from a JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities, while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process, even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
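Upgrading to 5.5.6 (or 4.5.5 on the 4.x line) is the fix. For a deployment that cannot upgrade yet, an input guard applied before the document reaches the parser closes the gap the advisory describes: it counts numeric and predefined references alongside custom ones, which affected versions do not. This is an added example, not code from the advisory or from fast-xml-parser; the function names, the default limit and the two sample documents are constructed for illustration.

```javascript
// Added example (not from the advisory or fast-xml-parser): a pre-parse guard
// that counts every entity reference in a document, including the numeric
// character references (&#NNN;, &#xHH;) and the five predefined XML entities
// that affected versions left uncounted, so a caller can reject oversized
// input before it is parsed. The limit and sample inputs are constructed.

const PREDEFINED = new Set(["amp", "lt", "gt", "quot", "apos"]);
// Hex numeric, decimal numeric, or a named reference, each terminated by ';'.
const ENTITY_REF = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_:][\w.:-]*);/g;

// Lexical count by kind. Nothing is expanded, so the cost stays linear in the
// input size even on hostile documents.
function countEntityReferences(xml) {
  const counts = { numeric: 0, predefined: 0, custom: 0, total: 0 };
  for (const m of xml.matchAll(ENTITY_REF)) {
    const ref = m[1];
    if (ref.startsWith("#")) counts.numeric++;
    else if (PREDEFINED.has(ref)) counts.predefined++;
    else counts.custom++; // DOCTYPE-defined names land here
    counts.total++;
  }
  return counts;
}

// One ceiling over all reference kinds, the scope a maxTotalExpansions-style
// option should have. Returns the counts when in bounds, throws otherwise.
function guardEntityReferences(xml, { maxTotalExpansions = 1000 } = {}) {
  const counts = countEntityReferences(xml);
  if (counts.total > maxTotalExpansions) {
    throw new RangeError(
      `entity reference count ${counts.total} exceeds limit ${maxTotalExpansions}`
    );
  }
  return counts;
}

// Constructed inputs: a benign document and one padded with numeric references
// (a small-scale stand-in for the oversized input the advisory describes).
const benignXml = "<note>Tom &amp; Jerry &#65;&#x42; &lt;3</note>";
const paddedXml = "<a>" + "&#65;".repeat(2000) + "</a>";

console.log(countEntityReferences(benignXml)); // { numeric: 2, predefined: 2, custom: 0, total: 4 }
try {
  guardEntityReferences(paddedXml, { maxTotalExpansions: 1000 });
} catch (e) {
  console.log(String(e)); // RangeError: entity reference count 2000 exceeds limit 1000
}
```

Call guardEntityReferences() on the raw string before handing it to XMLParser; the rejected document never reaches replaceEntitiesValue(), so the allocation the advisory describes does not happen.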
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-xml-parser (npm) | >= 5.0.0, < 5.5.6 | 5.5.6 |
| fast-xml-parser (npm) | >= 4.0.0-beta.3, < 4.5.5 | 4.5.5 |
Affected products
OSV package coordinates; none of these entries has a CPE assigned.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/dbgate | < 7.1.3-r0 |
| pkg:apk/chainguard/dbgate-fips | < 7.1.3-r0 |
| pkg:apk/chainguard/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.13-r4 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.16.0-r9 |
| pkg:apk/chainguard/langfuse-2-worker | < 2.95.12-r16 |
| pkg:apk/chainguard/langfuse-fips-2-worker | < 2.95.12-r19 |
| pkg:apk/chainguard/librechat | < 0.8.4-r3 |
| pkg:apk/chainguard/prism | < 5.14.3-r12 |
| pkg:apk/chainguard/renovate | < 43.84.0-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r11 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r11 |
| pkg:apk/wolfi/jitsucom-jitsu-console | < 2.11.0-r17 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.16.0-r9 |
| pkg:apk/wolfi/prism | < 5.14.3-r12 |
| pkg:apk/wolfi/renovate | < 43.84.0-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r11 |
| pkg:npm/fast-xml-parser | >= 5.0.0, < 5.5.6 |
| pkg:rpm/opensuse/heroic-games-launcher&distro=openSUSE%20Tumbleweed | < 2.20.1-4.1 |
| pkg:rpm/opensuse/velociraptor&distro=openSUSE%20Tumbleweed | < 0.7.0.4.git185.a5708584-2.1 |

Overall affected range for fast-xml-parser itself: >= 4.0.0-beta.3, < 5.5.6.
References
- github.com/advisories/GHSA-8gc5-j5rx-235r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33036 (NVD record)
- github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 (fix commit)
- github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5 (release)
- github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 (release)
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r (upstream advisory, vendor confirmation)