Platform: nodejs
Component: fast-xml-parser
Fixed in: 4.0.1, 5.5.6
CVE-2026-33036 is a Denial of Service (DoS) vulnerability affecting the fast-xml-parser library. While a previous fix attempted to limit XML entity expansion, this vulnerability bypasses those limits by exploiting numeric character references. This can lead to excessive memory consumption and application crashes, impacting Node.js applications using the library. The vulnerability affects versions prior to 5.5.6, and a patch is available.
An attacker can exploit CVE-2026-33036 by crafting a malicious XML document containing a large number of numeric character references (e.g., &#NNN; and &#xHH;). Because these references are processed through a separate code path that lacks expansion limits, the parser will attempt to expand them all, consuming excessive memory. This can lead to a denial of service, crashing the application or exhausting system resources. The blast radius depends on the application's resource limits and the attacker's ability to send the malicious XML. This bypass effectively negates the protections introduced by the fix for CVE-2026-26278, so applications remain vulnerable even if they applied that previous patch.
CVE-2026-33036 was published on 2026-03-17. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature makes it relatively straightforward to exploit. The CVSS score of 7.5 (HIGH) reflects the potential for significant impact.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33036 is to upgrade to fast-xml-parser version 5.5.6 or later, which includes the necessary fix to enforce expansion limits on numeric character references. If upgrading is not immediately feasible, consider implementing input validation to restrict the use of numeric character references in XML documents processed by the application. Web application firewalls (WAFs) might be configured to block XML requests containing excessive numeric character references, but this is not a guaranteed solution. There are no specific rollback steps beyond reverting to a previous version of fast-xml-parser prior to the introduction of the flawed entity expansion logic. After upgrading, confirm the fix by attempting to parse a large XML document containing numerous numeric character references; the parser should now enforce expansion limits and not consume excessive memory.
Update the version of fast-xml-parser to 5.5.6 or higher. This corrects the XML entity expansion vulnerability that could allow denial of service attacks. Run `npm install fast-xml-parser@latest` or `yarn upgrade fast-xml-parser@latest` to update.
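The interim input-validation measure described above can be implemented as a guard that runs before the parser ever sees the document. The following is an added example written for this page; it is not code from the advisory or from the fast-xml-parser project. It counts decimal (&#NNN;) and hexadecimal (&#xHH;) numeric character references in an untrusted XML string and rejects the document when the count or the byte size exceeds a budget. The thresholds, the `parseFn` hook, and the sample inputs are all assumptions of the example; after upgrading to 5.5.6 or later, the same wrapper can be pointed at the real parser to confirm that over-budget input is rejected before any expansion happens.

```javascript
// Added example (not part of the advisory or of fast-xml-parser): a
// pre-parse guard for untrusted XML. It counts numeric character
// references (decimal &#NNN; and hex &#xHH;) and rejects documents that
// exceed a caller-chosen budget, so the parser's entity-expansion path is
// never reached for oversized input.
// The default limits below are assumptions; tune them to your inputs.

const NUMERIC_CHAR_REF = /&#(?:x[0-9a-fA-F]+|[0-9]+);/g;

// Count numeric character references, split by decimal and hex form.
function countNumericCharRefs(xml) {
  let decimal = 0;
  let hex = 0;
  for (const m of xml.matchAll(NUMERIC_CHAR_REF)) {
    if (m[0][2] === 'x') hex++; else decimal++;
  }
  return { decimal, hex, total: decimal + hex };
}

// Decide whether an untrusted XML payload is within budget.
// Returns { ok: true, bytes, refs } or { ok: false, reason }.
function checkXmlBudget(xml, { maxBytes = 1024 * 1024, maxNumericRefs = 1000 } = {}) {
  const bytes = Buffer.byteLength(xml, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `document is ${bytes} bytes, limit ${maxBytes}` };
  }
  const refs = countNumericCharRefs(xml);
  if (refs.total > maxNumericRefs) {
    return { ok: false, reason: `${refs.total} numeric character references, limit ${maxNumericRefs}` };
  }
  return { ok: true, bytes, refs };
}

// Run the guard, then hand the document to the application's parser.
// `parseFn` is whatever your code already uses (for fast-xml-parser this
// would be an XMLParser instance's parse method); it is passed in so that
// this example has no dependency of its own.
function parseUntrustedXml(xml, parseFn, limits) {
  const verdict = checkXmlBudget(xml, limits);
  if (!verdict.ok) {
    throw new Error(`rejected XML input: ${verdict.reason}`);
  }
  return parseFn(xml);
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_OK = '<note><to>Ana</to><body>caf&#233; &#x263A;</body></note>';
// A document that repeats one numeric reference 50 times: harmless at this
// size, but over the deliberately low budget used in the demo below.
const SAMPLE_OVER_BUDGET = '<a>' + '&#65;'.repeat(50) + '</a>';

// Stand-alone demo: the first document passes, the second is rejected.
console.log(checkXmlBudget(SAMPLE_OK));
console.log(checkXmlBudget(SAMPLE_OVER_BUDGET, { maxNumericRefs: 10 }));
```

The guard deliberately rejects rather than rewriting the input, so it cannot change the meaning of documents that pass; a byte-size cap is included because a reference budget alone says nothing about documents that are large for other reasons. Log the `reason` string on rejection, since a burst of rejected requests with high reference counts is also a useful detection signal.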
CVE-2026-33036 is a Denial of Service vulnerability in fast-xml-parser where numeric character references bypass expansion limits, leading to excessive memory consumption.
You are affected if you are using fast-xml-parser versions prior to 5.5.6 and process XML data containing numeric character references.
Upgrade to fast-xml-parser version 5.5.6 or later to mitigate the vulnerability. Consider input validation as an interim measure.
There is currently no indication of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the fast-xml-parser project's release notes and GitHub repository for the latest information and advisory regarding CVE-2026-33036.