PT-2026-34616 · Root+4 · @Rootio/Xmldom Xmldom+3
Jvr2022 +2
Published 2026-04-22 · Updated 2026-05-07
CVE-2026-41673
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
@xmldom/xmldom versions prior to 0.8.13
@xmldom/xmldom versions prior to 0.9.10
xmldom versions 0.6.0 and earlier
Description
Seven recursive traversals in lib/dom.js operate without a depth limit. When processing a sufficiently deeply nested DOM tree, the JavaScript call stack is exhausted, resulting in a RangeError: Maximum call stack size exceeded and crashing the application. This can lead to a denial of service if a service accepts attacker-controlled XML and performs any of the affected operations.

The affected functions and entry points include:
Node.prototype.normalize()
XMLSerializer.serializeToString()
Element.getElementsByTagName(), getElementsByTagNameNS(), getElementsByClassName(), and getElementById() (via the visitNode function)
Node.cloneNode(true)
Document.importNode(node, true)
node.textContent (getter)
Node.isEqualNode(other)
Recommendations
Update @xmldom/xmldom to version 0.8.13 or 0.9.10.
Update xmldom to a version later than 0.6.0.
As a temporary workaround, restrict the use of the affected functions or limit the nesting depth of XML documents before they are processed by the library.
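The workaround above (bounding nesting depth before the library sees the document) can be implemented as an iterative pre-check that never recurses itself. The following is an added example written for this advisory, not code from xmldom or the advisory's authors: it tokenizes the raw XML string, counts element start and end tags, and rejects the document once the depth passes a limit. The limit of 256 is an assumed policy value (the advisory gives no threshold, and the depth at which Node.js actually overflows depends on its stack size), so set it from the deepest documents your application legitimately needs, and run the check before calling DOMParser.parseFromString from @xmldom/xmldom. The sample document and the nested-tree generator are constructed for the example.

```javascript
// Added example (not xmldom's own code): a non-recursive pre-check that
// measures the element nesting depth of an XML string so a service can
// reject over-deep input before handing it to recursive DOM code.
// It is a bounded tokenizer, not a validating parser: it counts start/end
// tags and skips comments, CDATA sections, processing instructions and
// declarations (DOCTYPE internal subsets with nested brackets are not handled).

const DEFAULT_MAX_DEPTH = 256; // assumed policy value; the advisory gives no threshold

function xmlNestingDepth(xml, maxDepth = DEFAULT_MAX_DEPTH) {
  let depth = 0;   // currently open elements
  let deepest = 0; // maximum depth seen so far
  let i = 0;
  const n = xml.length;

  while (i < n) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;

    // Skip constructs that never open an element (order matters: '<!--' and
    // '<![CDATA[' must be tested before the generic '<!' declaration).
    const skip = [
      ['<!--', '-->'],
      ['<![CDATA[', ']]>'],
      ['<?', '?>'],
      ['<!', '>'],
    ].find(([open]) => xml.startsWith(open, lt));
    if (skip) {
      const end = xml.indexOf(skip[1], lt + skip[0].length);
      if (end === -1) throw new Error(`unterminated ${skip[0]} construct`);
      i = end + skip[1].length;
      continue;
    }

    // Ordinary tag: find its '>' while ignoring '>' inside quoted attribute values.
    let j = lt + 1;
    let quote = null;
    while (j < n) {
      const c = xml[j];
      if (quote) {
        if (c === quote) quote = null;
      } else if (c === '"' || c === "'") {
        quote = c;
      } else if (c === '>') {
        break;
      }
      j++;
    }
    if (j >= n) throw new Error('unterminated tag');
    const tag = xml.slice(lt + 1, j).trim();

    if (tag.startsWith('/')) {
      if (depth === 0) throw new Error('end tag without matching start tag');
      depth--;
    } else {
      // A start tag or a self-closing tag both create one element at depth + 1.
      depth++;
      if (depth > deepest) deepest = depth;
      if (deepest > maxDepth) {
        throw new RangeError(`XML nesting depth ${deepest} exceeds limit ${maxDepth}`);
      }
      if (tag.endsWith('/')) depth--; // self-closing element closes immediately
    }
    i = j + 1;
  }
  if (depth !== 0) throw new Error(`${depth} element(s) left unclosed`);
  return deepest;
}

// Wrapper for a request-handling path: true if the document may be parsed,
// false if it is malformed or deeper than the limit.
function isSafeNestingDepth(xml, maxDepth = DEFAULT_MAX_DEPTH) {
  try {
    xmlNestingDepth(xml, maxDepth);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample input exercising every construct the tokenizer skips
// or handles, plus a generator for arbitrarily deep trees.
const SAMPLE_XML =
  '<?xml version="1.0"?><!-- note --><!DOCTYPE r>' +
  '<a><b attr="x>y"><c/></b><![CDATA[<<not tags>>]]></a>';

function nestedDocument(levels) {
  return '<r>'.repeat(levels) + 'x' + '</r>'.repeat(levels);
}

console.log('sample depth:', xmlNestingDepth(SAMPLE_XML));
console.log('100 levels accepted:', isSafeNestingDepth(nestedDocument(100)));
console.log('1000 levels accepted:', isSafeNestingDepth(nestedDocument(1000)));
```

Because the check walks the string with a loop rather than a recursive descent, its own cost is linear in input size and independent of nesting, so it cannot be driven into the same stack exhaustion it guards against; the rejection is an ordinary exception the service can turn into a 4xx response.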
DoS
Uncontrolled Recursion
Affected Products
@Rootio/Xmldom Xmldom
@Xmldom/Xmldom
Node-Xmldom
Xmldom