PT-2026-26487 · Unknown · Fast-Xml-Parser

Restriction · Published 2026-03-19 · Updated 2026-05-18 · CVE-2026-33349 · CVSS v3.1 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions 4.0.0-beta.3 through 5.5.6
Description: The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to decide whether the maxEntityCount and maxEntitySize configuration limits are enforced. When a developer sets either limit to 0, intending to disallow all entities or to restrict entity size to zero bytes, the value 0 is falsy and the guard condition is skipped, so the limit is ignored entirely rather than enforced. An attacker who can supply XML to such an application can then declare an unbounded number or size of entities and trigger unbounded entity expansion, leading to memory exhaustion and denial of service. Only applications that explicitly set one of these limits to 0 are affected; the default configuration is not vulnerable.
Recommendations: Versions 4.0.0-beta.3 through 5.5.6 should be updated to version 5.5.7 or later. If you do not need entity processing at all, set the processEntities flag to false instead of setting any limit to 0.
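The guard pattern the advisory describes, reproduced as an added example beside a corrected form. This is not fast-xml-parser's own code: the minimal DOCTYPE entity collector, the function names, the simplified entity grammar, and the constructed sample DOCTYPE are assumptions made here for illustration; only the option names (maxEntityCount, maxEntitySize, processEntities) come from the advisory.

```javascript
// Added example, not fast-xml-parser's code. Simplified entity grammar
// (assumption): <!ENTITY name "value">, no parameter or external entities.
const ENTITY_RE = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;

// Vulnerable guard (the pattern the advisory describes): a limit is only
// enforced when it is truthy, so maxEntityCount: 0 or maxEntitySize: 0 is
// silently treated as "no limit" instead of "nothing allowed".
function collectEntitiesVulnerable(doctype, options = {}) {
  if (options.processEntities === false) return {}; // recommended workaround
  const entities = {};
  let count = 0;
  for (const [, name, value] of doctype.matchAll(ENTITY_RE)) {
    count += 1;
    if (options.maxEntityCount && count > options.maxEntityCount) {
      throw new Error('maxEntityCount exceeded');
    }
    if (options.maxEntitySize && value.length > options.maxEntitySize) {
      throw new Error('maxEntitySize exceeded');
    }
    entities[name] = value;
  }
  return entities;
}

// Corrected guard: a limit is "unset" only when it is not a number; 0 is a
// legitimate value and is enforced.
function limitIsSet(limit) {
  return typeof limit === 'number' && !Number.isNaN(limit);
}

function collectEntitiesFixed(doctype, options = {}) {
  if (options.processEntities === false) return {};
  const entities = {};
  let count = 0;
  for (const [, name, value] of doctype.matchAll(ENTITY_RE)) {
    count += 1;
    if (limitIsSet(options.maxEntityCount) && count > options.maxEntityCount) {
      throw new Error('maxEntityCount exceeded');
    }
    if (limitIsSet(options.maxEntitySize) && value.length > options.maxEntitySize) {
      throw new Error('maxEntitySize exceeded');
    }
    entities[name] = value;
  }
  return entities;
}

// Expands &name; references recursively and returns the number of bytes the
// expansion would produce, i.e. the quantity an attacker tries to make unbounded.
function expandedLength(text, entities, depth = 0) {
  if (depth > 32) throw new Error('entity nesting too deep');
  const ref = /&([A-Za-z_][\w.-]*);/g;
  let total = 0;
  let last = 0;
  for (const m of text.matchAll(ref)) {
    total += m.index - last;
    const value = entities[m[1]];
    total += value === undefined ? m[0].length : expandedLength(value, entities, depth + 1);
    last = m.index + m[0].length;
  }
  return total + (text.length - last);
}

// Constructed sample input: a small "laughs" chain in which each level
// references the previous one ten times, so &lol3; expands to 10^3 copies of "lol".
const SAMPLE_DOCTYPE = `<!DOCTYPE r [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "${'&lol;'.repeat(10)}">
  <!ENTITY lol2 "${'&lol1;'.repeat(10)}">
  <!ENTITY lol3 "${'&lol2;'.repeat(10)}">
]>`;

// Feeds the same DOCTYPE through both guards with both limits set to 0, which a
// developer might do intending to forbid entities altogether.
function compareGuards(doctype) {
  const options = { maxEntityCount: 0, maxEntitySize: 0 };
  const result = {};
  for (const [label, collect] of [
    ['vulnerable', collectEntitiesVulnerable],
    ['fixed', collectEntitiesFixed],
  ]) {
    try {
      const ents = collect(doctype, options);
      result[label] = { accepted: Object.keys(ents).length, bytes: expandedLength('&lol3;', ents) };
    } catch (e) {
      result[label] = { error: e.message };
    }
  }
  return result;
}

console.log(JSON.stringify(compareGuards(SAMPLE_DOCTYPE)));
```

With both limits at 0, the vulnerable guard accepts all four entity declarations and the reference `&lol3;` expands to 3000 bytes; adding one more level multiplies that by ten, which is the unbounded growth the advisory warns about. The corrected guard rejects the first declaration. Setting `processEntities: false` sidesteps the question entirely, which is why the advisory recommends it over a zero limit on affected versions.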

Related Identifiers

CLEANSTART-2026-AD27625
CVE-2026-33349
GHSA-JP2Q-39XQ-3W4G

Affected Products

Fast-Xml-Parser