PT-2024-29584 · Unknown · Fast-Xml-Parser

Gauss-Security · Published 2024-07-29 · Updated 2026-03-09 · CVE-2024-41818

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions prior to 4.4.1
Description: A ReDoS (regular expression denial of service) issue exists in the currency value parser (currency.js) that ships as part of the experimental version 5 code of the fast-xml-parser library. The parser matches its input against a regular expression whose matching time grows super-linearly on inputs that almost, but do not, match, so a single crafted value can keep the process busy and cause a denial of service during currency parsing. To exploit the issue, an attacker passes a specially crafted string to the currency parser, such as 't'.repeat(13337) + '.' (a long run of letters followed by a decimal point), which triggers the expensive backtracking.
Recommendations: Update fast-xml-parser to version 4.4.1 or later; all earlier versions are affected. Check which version is installed, including transitive copies pulled in by other dependencies, with `npm ls fast-xml-parser`. If an upgrade is not immediately possible, do not pass untrusted input to the currency parsing functionality of the experimental version 5 code until you can upgrade; it belongs to the experimental v5 code, not to the regular XML parsing API.
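As an added illustration of the failure class described above (this is not fast-xml-parser's code, and the two regular expressions are hypothetical stand-ins for the one in currency.js, chosen to reproduce the same behaviour rather than copied from the library): a toy currency parser whose regex backtracks quadratically on the advisory's PoC shape, beside a hardened version that uses a regex with disjoint character classes and refuses oversized input before matching, plus a timing helper that makes the growth visible. Runs under Node.js.

```javascript
// Added example, not code from fast-xml-parser. VULNERABLE_RE and SAFE_RE
// are hypothetical stand-ins for the expression in currency.js: they
// reproduce the ReDoS class, not the library's exact pattern.

// Vulnerable shape: two adjacent optional groups that can each consume the
// same run of non-digit characters. On an input that contains no digit the
// engine tries every way of splitting that run between the two groups
// before giving up, so the cost grows with the square of the input length.
const VULNERABLE_RE = /^([^\d\s]*)?\s*([^\d\s]*)?\s*(\d[\d.,]*)\s*([^\d\s]*)$/;

// Hardened shape: every quantified piece is followed by a character class
// disjoint from its own, so there is only one way to divide the input and a
// failing match is abandoned after a linear number of steps.
const SAFE_RE = /^([^\d\s]*)\s*(\d+(?:[.,]\d+)*)\s*([^\d\s]*)$/;

// Defence in depth that does not depend on the regex: no legitimate amount
// is this long, so oversized strings are refused before any matching runs.
// The limit is an assumption for this example, not a value from the advisory.
const MAX_INPUT_LEN = 64;

// Mirrors the vulnerable behaviour: the regex runs on whatever it is given.
function parseCurrencyVulnerable(input) {
  const m = VULNERABLE_RE.exec(input);
  if (m === null) return null;
  return { prefix: (m[1] || '') + (m[2] || ''), amount: m[3], suffix: m[4] };
}

// Hardened: type and length check first, then the linear-time pattern.
function parseCurrencySafe(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LEN) return null;
  const m = SAFE_RE.exec(input);
  if (m === null) return null;
  return { prefix: m[1], amount: m[2], suffix: m[3] };
}

// The advisory's PoC shape: a long run of letters followed by a decimal
// point ('t'.repeat(13337) + '.' in the advisory itself).
function poc(n) {
  return 't'.repeat(n) + '.';
}

// Wall-clock milliseconds for one regex test; for demonstration only.
function matchMillis(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time both patterns on PoC strings of doubling length. The vulnerable
// column roughly quadruples per row while the safe column stays flat.
function demo(sizes = [1000, 2000, 4000]) {
  return sizes.map((n) => ({
    n,
    vulnerableMs: matchMillis(VULNERABLE_RE, poc(n)),
    safeMs: matchMillis(SAFE_RE, poc(n)),
  }));
}

for (const row of demo()) {
  console.log(
    `n=${row.n}\tvulnerable=${row.vulnerableMs.toFixed(2)}ms\tsafe=${row.safeMs.toFixed(2)}ms`,
  );
}
```

The sizes in demo() are kept well below the advisory's 13337 so the vulnerable pattern finishes in a fraction of a second; at the PoC length the same pattern needs on the order of a hundred million backtracking steps for one call. Both parsers accept ordinary values such as "$1,234.56", "1.234,56 €" or "EUR 99"; only the hardened one rejects the PoC shape in constant time, and it does so through the length cap before the regex is even consulted.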

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2024-41818
GHSA-MPG4-RC92-VX8V

Affected Products

Fast-Xml-Parser