CVE-2026-33036 (GCVE-0-2026-33036)

Vulnerability from cvelistv5 – Published: 2026-03-20 05:17 – Updated: 2026-03-25 13:57
VLAI?
Title
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Summary
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
Impacted products
Vendor Product Version
NaturalIntelligence fast-xml-parser Affected: >= 4.0.0-beta.3, < 5.5.6
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33036",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T13:57:14.886976Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T13:57:58.233Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fast-xml-parser",
          "vendor": "NaturalIntelligence",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-beta.3, \u003c 5.5.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-776",
              "description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T05:17:03.290Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
        },
        {
          "name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
        },
        {
          "name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
        }
      ],
      "source": {
        "advisory": "GHSA-8gc5-j5rx-235r",
        "discovery": "UNKNOWN"
      },
      "title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33036",
    "datePublished": "2026-03-20T05:17:03.290Z",
    "dateReserved": "2026-03-17T18:10:50.210Z",
    "dateUpdated": "2026-03-25T13:57:58.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33036",
      "date": "2026-05-19",
      "epss": "0.00026",
      "percentile": "0.0747"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33036\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T06:16:11.630\",\"lastModified\":\"2026-03-23T16:28:10.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6.\"},{\"lang\":\"es\",\"value\":\"fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (\u0026amp;#NNN;, \u0026amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-776\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"5.5.6\",\"matchCriteriaId\":\"AB9177BC-BACD-4367-9063-398ACE2AB4A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2398B145-2ED8-4197-8838-FAE7AD7666E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"44B6C4BE-69F4-4651-80EE-055D1F99F7EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B32E8C4-15A7-466D-98A7-9EDD6B45F883\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"23CDA792-75FA-48A7-8577-4266A0BFB3A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4B7FD7D-0059-4D5B-898D-539AB43AA24A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"42844DDE-AD5B-4684-8104-1C2D133C6098\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"C045B7F2-16A9-47C9-B08D-71847A940B93\"}]}]}],\"references\":[{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33036\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T13:57:14.886976Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T13:57:44.654Z\"}}], \"cna\": {\"title\": \"fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)\", \"source\": {\"advisory\": \"GHSA-8gc5-j5rx-235r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"NaturalIntelligence\", \"product\": \"fast-xml-parser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-beta.3, \u003c 5.5.6\"}]}], \"references\": [{\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-776\", \"description\": \"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T05:17:03.290Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33036\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T13:57:58.233Z\", \"dateReserved\": \"2026-03-17T18:10:50.210Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T05:17:03.290Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.