Bug 2449458 (CVE-2026-33036) - CVE-2026-33036 fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass
Summary: CVE-2026-33036 fast-xml-parser: fast-xml-parser: Denial of Service via XML en...
Keywords:
Status: NEW
Alias: CVE-2026-33036
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2449480 2449481
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-20 06:02 UTC by OSIDB Bzimport
Modified: 2026-03-20 07:56 UTC (History)
44 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-20 06:02:51 UTC 
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Note You need to log in before you can comment on or make changes to this bug.