Platform: nodejs
Component: fast-xml-parser
Fixed in: 4.0.1, 5.5.6
CVE-2026-33036 is a Denial of Service (DoS) vulnerability affecting the fast-xml-parser library. While a previous fix attempted to limit XML entity expansion, this vulnerability bypasses those limits by exploiting numeric character references. This can lead to excessive memory consumption and application crashes, impacting Node.js applications using the library. The vulnerability affects versions prior to 5.5.6, and a patch is available.
An attacker can exploit CVE-2026-33036 by crafting a malicious XML document containing a large number of numeric character references (e.g., &#NNN; and &#xHH;). Because the parser processes these references through a separate code path that lacks expansion limits, the parser will attempt to expand these references, consuming significant memory resources. This can lead to a denial of service, crashing the application or rendering it unresponsive. The blast radius is limited to the application processing the XML, but in critical services, this can have significant operational impact. This bypass effectively negates the protections implemented in CVE-2026-26278.
CVE-2026-33036 was publicly disclosed on 2026-03-17. The vulnerability's exploitation context is currently unclear, but the bypass of previous mitigations makes it a potentially attractive target. There are no known KEV listings or EPSS scores at this time. Public proof-of-concept exploits are not yet available, but the vulnerability's ease of exploitation suggests that they may emerge soon.
Applications built on Node.js that utilize the fast-xml-parser library for XML parsing are at risk. This includes applications that process XML data from external sources, such as APIs or user uploads. Specifically, applications that have not upgraded to version 5.5.6 or later are vulnerable.
• nodejs / server: npm audit fast-xml-parser
• nodejs / server: find / -path "*/node_modules/fast-xml-parser" -type d -print
• nodejs / server: ps aux | grep 'fast-xml-parser'
Disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33036 is to upgrade to fast-xml-parser version 5.5.6 or later. This version includes the necessary fixes to properly limit numeric character reference expansion. If upgrading is not immediately feasible, consider implementing input validation to restrict the use of numeric character references in XML documents processed by the application. Web application firewalls (WAFs) may be configured to block XML documents containing excessive numeric character references, although this is not a guaranteed solution. After upgrading, confirm the fix by attempting to parse a large XML document containing numerous numeric character references and verifying that memory consumption remains within acceptable limits.
Update fast-xml-parser to version 5.5.6 or higher. This fixes the XML entity expansion vulnerability that could enable denial-of-service attacks. Run `npm install fast-xml-parser@latest` or `yarn upgrade fast-xml-parser@latest` to update.
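The interim input-validation step and the post-upgrade verification described in the mitigation above can be put in front of any XML parser. The following is an added example written for this page, not code from the advisory or from the fast-xml-parser project: it counts numeric character references (`&#NNN;` and `&#xHH;`) before a document reaches a parser, rejects documents over a configured budget, and reports the heap growth a parse causes so that a fixed version can be checked. The function names, the thresholds and the sample documents are assumptions constructed for the example; the parser itself is passed in as a function so the example runs without fast-xml-parser installed.

```javascript
// Added example, not part of the advisory or of fast-xml-parser.
// Parser-agnostic pre-parse gate plus a memory measurement helper.
// Names, thresholds and sample documents are assumptions for this example.

// Matches one decimal (&#NNN;) or hexadecimal (&#xHH;) numeric character reference.
const NUMERIC_CHAR_REF = /&#(?:x[0-9a-fA-F]+|[0-9]+);/g;

function countNumericCharRefs(xml) {
  let count = 0;
  for (const _ of xml.matchAll(NUMERIC_CHAR_REF)) count += 1;
  return count;
}

// Returns { ok, reason, refs }. The byte limit runs first so an oversized
// document is not scanned at all; the reference budget is the actual gate.
function checkNumericCharRefs(xml, { maxBytes = 1024 * 1024, maxRefs = 1000 } = {}) {
  const bytes = Buffer.byteLength(xml, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `document is ${bytes} bytes, limit ${maxBytes}`, refs: null };
  }
  const refs = countNumericCharRefs(xml);
  if (refs > maxRefs) {
    return { ok: false, reason: `${refs} numeric character references, limit ${maxRefs}`, refs };
  }
  return { ok: true, reason: null, refs };
}

// Runs parseFn (for example xml => new XMLParser().parse(xml) once the library
// is installed) only when the gate passes; rejected input never reaches it.
function parseGuarded(xml, parseFn, options) {
  const verdict = checkNumericCharRefs(xml, options);
  if (!verdict.ok) {
    const err = new Error(`XML rejected before parsing: ${verdict.reason}`);
    err.code = 'XML_NUMERIC_REF_BUDGET'; // hypothetical error code for this example
    throw err;
  }
  return parseFn(xml);
}

// Post-upgrade check from the mitigation text: parse a document and report
// the heap growth and wall time it caused. heapDeltaBytes can be negative if
// the garbage collector ran during the parse.
function measureParse(xml, parseFn) {
  if (typeof globalThis.gc === 'function') globalThis.gc(); // only with --expose-gc
  const before = process.memoryUsage().heapUsed;
  const start = process.hrtime.bigint();
  const result = parseFn(xml);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  const heapDeltaBytes = process.memoryUsage().heapUsed - before;
  return { result, heapDeltaBytes, ms };
}

// Constructed sample documents for exercising the gate (not real traffic).
const BENIGN_XML = '<note><to>&#65;lice</to><body>caf&#xE9; &amp; tea</body></note>';
const FLOOD_XML = '<doc>' + '&#65;'.repeat(5000) + '</doc>';

if (typeof require !== 'undefined' && require.main === module) {
  const passthrough = (xml) => xml; // stand-in parser so the example runs stand-alone
  console.log(checkNumericCharRefs(BENIGN_XML)); // { ok: true, reason: null, refs: 2 }
  console.log(checkNumericCharRefs(FLOOD_XML));  // { ok: false, reason: '...', refs: 5000 }
  try {
    parseGuarded(FLOOD_XML, passthrough);
  } catch (e) {
    console.log(e.code, e.message);
  }
  const m = measureParse(BENIGN_XML, passthrough);
  console.log(`heap delta ${m.heapDeltaBytes} bytes in ${m.ms.toFixed(3)} ms`);
}
```

The budget values are deliberately conservative placeholders; set `maxRefs` from what the application's legitimate documents actually contain, and keep the gate in place even after upgrading, since it also bounds the work any downstream consumer does on the decoded text. `measureParse` is a development-time check, not something to leave on a request path.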
CVE-2026-33036 is a Denial of Service vulnerability in fast-xml-parser where numeric character references bypass expansion limits, leading to excessive memory consumption.
You are affected if you are using fast-xml-parser versions prior to 5.5.6 and process XML data containing numeric character references.
Upgrade to fast-xml-parser version 5.5.6 or later to mitigate the vulnerability. Consider input validation as an interim measure.
There is currently no indication of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the fast-xml-parser project's release notes and GitHub repository for the latest information and advisory regarding CVE-2026-33036.