Platform: nodejs
Component: fast-xml-parser
Fixed in: 4.0.1, 5.5.7
CVE-2026-33349 describes a denial-of-service (DoS) vulnerability in the fast-xml-parser Node.js package. The flaw arises from improper handling of entity expansion limits when those limits are explicitly set to zero: a zero limit is not enforced as a limit. An attacker can exploit this by supplying crafted XML input, causing excessive memory consumption and potential service disruption. Affected versions are those prior to 4.5.5; a fix is available in version 4.5.5.
The primary impact of CVE-2026-33349 is a denial-of-service condition. An attacker capable of injecting XML input into an application utilizing vulnerable versions of fast-xml-parser can trigger unbounded entity expansion. This expansion consumes significant memory resources, potentially leading to application crashes, system instability, and ultimately, service unavailability. The blast radius extends to any application relying on fast-xml-parser for XML parsing, particularly those handling untrusted XML data. The vulnerability's ease of exploitation, combined with the widespread use of fast-xml-parser, makes it a significant concern.
CVE-2026-33349 was publicly disclosed on March 19, 2026. The vulnerability's simplicity and the widespread use of fast-xml-parser suggest a potential for exploitation. As of this writing, there are no publicly known active campaigns targeting this vulnerability, but the absence of a complex exploit does not reduce the risk. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-33349 is to upgrade immediately to version 4.5.5 or later of the fast-xml-parser package. If upgrading is not feasible right away because of compatibility issues or breaking changes, implement input validation to reject XML documents carrying excessively large entities. This is not a complete solution, but it provides a temporary layer of defense. Monitor application memory usage closely for unusual spikes, which could indicate an ongoing attack. No specific WAF rules or detection signatures are readily available for this vulnerability, so proactive patching remains the most effective defense.
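As an added example of the interim "input validation" layer described above (this is not code from the fast-xml-parser project), the guard below bounds untrusted XML before it reaches the parser, independent of the parser's own entity limits. The size and reference budgets are illustrative assumptions, and the guard deliberately treats an explicit limit of 0 as "none allowed" rather than "unlimited".

```javascript
// Added example (not fast-xml-parser's own code): a pre-parse guard that
// bounds untrusted XML before parsing. Limit values below are assumptions.
const DEFAULT_LIMITS = Object.freeze({
  maxBytes: 1024 * 1024, // assumed budget: refuse documents over 1 MiB
  maxEntityRefs: 100,    // assumed budget: refuse more than 100 entity references
});

// Only the five predefined XML entities are resolvable without a DTD.
const BUILTIN_ENTITIES = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// Resolve a limit: an explicit 0 means "none allowed"; only a missing value
// falls back to the default. A pattern like `opts.max || DEFAULT` would turn
// 0 into the default, which is exactly the zero-bypasses-the-limit behaviour
// this CVE is about.
function resolveLimit(value, fallback) {
  if (value === undefined || value === null) return fallback;
  if (!Number.isInteger(value) || value < 0) {
    throw new TypeError('limit must be a non-negative integer');
  }
  return value;
}

// Validate untrusted XML text before parsing.
// Returns { ok: true, bytes, entityRefs } or { ok: false, reason }.
function preflightXml(xml, opts = {}) {
  const maxBytes = resolveLimit(opts.maxBytes, DEFAULT_LIMITS.maxBytes);
  const maxEntityRefs = resolveLimit(opts.maxEntityRefs, DEFAULT_LIMITS.maxEntityRefs);

  if (typeof xml !== 'string') return { ok: false, reason: 'input is not a string' };
  const bytes = Buffer.byteLength(xml, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: `document is ${bytes} bytes, limit ${maxBytes}` };

  // A DTD is the only place custom entities can be declared; refuse it outright.
  if (/<!DOCTYPE/i.test(xml) || /<!ENTITY/i.test(xml)) {
    return { ok: false, reason: 'DOCTYPE / ENTITY declarations are not accepted' };
  }

  // Count entity references. Any named entity that is not predefined cannot be
  // resolved without a DTD, so it is rejected here instead of left to the parser.
  const refPattern = /&(#x[0-9a-f]+|#[0-9]+|[a-z_:][\w.:-]*);/gi;
  let entityRefs = 0;
  for (const match of xml.matchAll(refPattern)) {
    const name = match[1];
    if (!name.startsWith('#') && !BUILTIN_ENTITIES.has(name)) {
      return { ok: false, reason: `undeclared entity reference &${name};` };
    }
    entityRefs += 1;
    if (entityRefs > maxEntityRefs) {
      return { ok: false, reason: `more than ${maxEntityRefs} entity references` };
    }
  }
  return { ok: true, bytes, entityRefs };
}
```

Only input that returns `ok: true` should be handed to the parser, and where the application does not need entity handling at all, disabling it in the parser configuration (fast-xml-parser's `processEntities` option) removes the expansion surface entirely.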
Update the fast-xml-parser library to version 5.5.7 or higher. This corrects the unbounded XML entity expansion vulnerability that can lead to a denial of service. The update can be performed using npm or yarn.
CVE-2026-33349 is a denial-of-service vulnerability in the fast-xml-parser Node.js package where setting entity limits to 0 bypasses them, leading to memory exhaustion.
You are affected if you are using fast-xml-parser versions prior to 4.5.5 and process untrusted XML input.
Upgrade to version 4.5.5 or later of fast-xml-parser. If immediate upgrade is not possible, implement input validation to restrict entity sizes.
There are currently no publicly known active campaigns exploiting CVE-2026-33349, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the fast-xml-parser project's repository and release notes for the official advisory and details about the fix.