PT-2026-20345 · Unknown · Fast-Xml-Parser

Byamb4 · Published 2026-01-01 · Updated 2026-05-22 · CVE-2026-26278

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions prior to 5.3.6

Description: The XML parser is susceptible to an unlimited amount of entity expansion. A small XML input can cause the parser to spend significant time processing a single request, leading to application freezing. The issue resides in the lack of limits on output size or execution cost within the entity replacement loop in OrderedObjParser.js (lines 439–458). Specifically, the replaceEntitiesValue() function repeatedly calls val.replace() without any checks, allowing for exponential expansion when referencing large entities multiple times. The entity registration check in DocTypeReader.js (lines 28–33) only prevents classic “Billion Laughs” payloads but not simpler variants using large text-based entities. This is a denial-of-service issue that can block the event loop in Node.js applications, rendering the server unresponsive. A payload of a few kilobytes can make a server unresponsive for several minutes.

Recommendations: fast-xml-parser versions prior to 5.3.6 should be updated to version 5.3.6 or later. As a workaround, avoid using DOCTYPE parsing by setting the processEntities option to false.
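The two defensive measures the advisory points at, shown as an added example that is not fast-xml-parser's own code: a pre-parse guard that refuses inputs carrying internal entity declarations (the path the processEntities: false workaround disables), and an entity replacement loop that tracks cumulative expansion cost and aborts once a byte budget is exceeded, which is the kind of limit the description says the affected versions lacked. The function names, the budget and pass-limit constants, and the sample entity tables are assumptions made for this example; only the processEntities option name comes from the advisory.

```javascript
// Added example; not fast-xml-parser's code. Names and limits are assumptions.

// Workaround from the advisory: disable entity processing entirely. Pass these
// options to the parser constructor (e.g. new XMLParser(SAFE_PARSER_OPTIONS)).
const SAFE_PARSER_OPTIONS = Object.freeze({ processEntities: false });

// Hypothetical budget: total bytes that entity replacement may add to a
// document before the input is rejected as an expansion attack.
const MAX_EXPANDED_BYTES = 64 * 1024;
// Hypothetical cap on resolution passes, so self-referencing entities cannot
// loop forever.
const MAX_PASSES = 8;

// Pre-parse guard: true if the document declares its own entities in a DOCTYPE.
// A service that never needs DOCTYPE can simply reject such input up front.
function hasEntityDeclarations(xml) {
  return /<!DOCTYPE[\s\S]*?<!ENTITY/i.test(xml);
}

// Budgeted entity replacement. `entities` maps entity name to replacement text.
// The cost of each replacement (reference count times value length) is added to
// a running total and checked BEFORE the replacement is materialised, so an
// oversized result is never allocated. Nested references are resolved in later
// passes; a cycle exhausts MAX_PASSES and is rejected.
function expandEntities(text, entities, budget = MAX_EXPANDED_BYTES) {
  let out = text;
  let cost = 0;
  for (let pass = 0; pass < MAX_PASSES; pass++) {
    let replaced = false;
    for (const [name, value] of Object.entries(entities)) {
      const ref = `&${name};`;
      const parts = out.split(ref);
      const count = parts.length - 1;
      if (count === 0) continue;
      cost += count * value.length;
      if (cost > budget) {
        throw new RangeError(`entity expansion exceeds budget (${cost} > ${budget} bytes)`);
      }
      out = parts.join(value);
      replaced = true;
    }
    if (!replaced) return out;
  }
  throw new RangeError('entity references did not resolve within pass limit');
}

// Constructed demo: one large text entity referenced many times is small on the
// wire but expands far past the budget; the guard rejects it before expansion.
function demo() {
  const benign = { greeting: 'hello' };
  const oversized = { big: 'A'.repeat(4096) };
  const manyRefs = '&big;'.repeat(100); // ~600 bytes of input, ~400 KiB expanded

  const ok = expandEntities('<r>&greeting; world</r>', benign);
  let rejected = false;
  try {
    expandEntities(manyRefs, oversized);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { ok, rejected };
}

module.exports = { SAFE_PARSER_OPTIONS, hasEntityDeclarations, expandEntities, demo };
```

In a Node.js service the cheapest defence is the first one: decide at the boundary whether DOCTYPE is ever legitimate for that endpoint, and if it is not, reject on hasEntityDeclarations() or run the parser with processEntities set to false. The budgeted loop matters where entities must be supported; note that it charges the cost of every pass, so a chain of large entities is bounded by the same budget as a single one.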

Exploit · Fix · DoS · XML Entity Expansion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-26278
GHSA-JMR7-XGP7-CMFJ
OPENSUSE-SU-2026:10236-1

Affected Products

Fast-Xml-Parser