PT-2026-25995 · Unknown · Fast-Xml-Parser

Deprrous · Published 2026-03-17 · Updated 2026-05-06 · CVE-2026-33036

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions 4.0.0-beta.3 through 5.5.5

Description: fast-xml-parser parses XML into JavaScript objects (and builds XML from them) without relying on C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass that allows numeric character references (&#NNN;, &#xHH;) and the standard XML entities to circumvent the entity expansion limits (such as maxTotalExpansions and maxExpandedLength) that were originally introduced to address CVE-2026-26278. The bypass enables a denial of service through XML entity expansion. The root cause is that the replaceEntitiesValue() function in OrderedObjParser.js enforces expansion counting only for entities defined in the DOCTYPE, while the loop that handles numeric and standard entities performs no counting at all. An attacker can supply a very large number of numeric entity references, such as 1M instances of A, to force significant memory allocation (approximately 147MB) and high CPU usage, potentially crashing the process even when strict limits are configured.

Recommendations: fast-xml-parser versions prior to 5.5.6 are affected. Update to version 5.5.6 or later to resolve this issue.
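For deployments that cannot upgrade immediately, the check below is an added example (not fast-xml-parser's own code) of a pre-parse budget guard that counts exactly the two reference classes the advisory says went uncounted, numeric character references and the five predefined entities, and rejects the document before it reaches the parser. The option names mirror the limits the advisory mentions, the sample documents are constructed, and DOCTYPE-defined entities are deliberately left out because the library already counts those.

```javascript
// Added example, not part of fast-xml-parser. Counts numeric character references
// (&#NNN; / &#xHH;) and the predefined XML entities, applying expansion-style limits
// to the input before it is handed to an unpatched parser version.
const PREDEFINED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
const ENTITY_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot|apos);/g;

function checkEntityBudget(xml, { maxTotalExpansions = 10000, maxExpandedLength = 1000000 } = {}) {
  let expansions = 0;      // number of references seen so far
  let expandedLength = 0;  // total UTF-16 length the references would expand to
  for (const m of xml.matchAll(ENTITY_RE)) {
    expansions += 1;
    if (expansions > maxTotalExpansions) {
      return { ok: false, reason: "maxTotalExpansions", expansions, expandedLength };
    }
    const ref = m[1];
    let text;
    if (ref[0] === "#") {
      // Decode the numeric reference the same way a parser would, rejecting
      // code points outside the Unicode range instead of throwing.
      const cp = ref[1] === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      if (!Number.isInteger(cp) || cp > 0x10ffff) {
        return { ok: false, reason: "invalidCodePoint", expansions, expandedLength };
      }
      text = String.fromCodePoint(cp);
    } else {
      text = PREDEFINED[ref];
    }
    expandedLength += text.length;
    if (expandedLength > maxExpandedLength) {
      return { ok: false, reason: "maxExpandedLength", expansions, expandedLength };
    }
  }
  return { ok: true, expansions, expandedLength };
}

// Constructed sample inputs: a normal document and one that floods the budget.
const benignDoc = "<a>Tom &amp; Jerry &#65;&#x42;</a>";
const floodDoc = "<a>" + "&#65;".repeat(20000) + "</a>";

module.exports = { checkEntityBudget, benignDoc, floodDoc };
```

A caller would run checkEntityBudget on the raw string and only invoke the XML parser when ok is true; the returned reason names which limit tripped, which is also what to log for detection.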

Exploit

Fix

XML Entity Expansion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-SW34937
CVE-2026-33036
GHSA-8GC5-J5RX-235R
OPENSUSE-SU-2026:10462-1

Affected Products

Fast-Xml-Parser