Description

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.

INFO

Published Date :

2026-03-20T05:17:03.290Z

Last Modified :

2026-03-25T13:57:58.233Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33036 vulnerability.

Vendors Products
Naturalintelligence
  • Fast-xml-parser
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33036.

URL Resource
https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 cve-icon cve-icon cve-icon
https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 cve-icon cve-icon cve-icon
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33036 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33036 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact