PT-2023-24675 · Unknown · Fast-Xml-Parser

Published: 2023-06-06 · Updated: 2026-03-09 · CVE-2023-34104

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions prior to 4.2.4

Description: The parser accepts special characters in DOCTYPE entity names without escaping or sanitizing them. A crafted entity name can therefore produce a pathologically slow regular expression, causing the parser to stall for an indefinite amount of time. This can be abused for denial-of-service (DoS) attacks.

Recommendations: For versions prior to 4.2.4, upgrade to version 4.2.4 or later. Users unable to upgrade should avoid DOCTYPE entity processing by setting the processEntities: false option.

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers
CVE-2023-34104
GHSA-6W63-H3FJ-Q4VW

Affected Products
Fast-Xml-Parser