NaturalIntelligence fast-xml-parser
cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*
- >= 4.1.3, <= 5.3.5
A denial-of-service vulnerability has been identified in fast-xml-parser versions 4.1.3 through 5.3.5. The issue arises from the XML parser's handling of entity expansions, particularly when DOCTYPE parsing is enabled. Attackers can exploit this vulnerability by crafting XML inputs that cause the parser to spend excessive time processing, effectively freezing the application. This exploitation takes advantage of the lack of limits on entity expansion, allowing for significant delays in response times.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to become unresponsive for an extended period. This is particularly impactful in Node.js environments, where the event loop can be blocked, preventing the server from handling other requests.
The vulnerability can be reproduced by sending an XML payload that includes a DOCTYPE declaration with a large entity reference. The entity can be defined to contain a significant amount of data, which, when referenced multiple times, causes the parser to spend an excessive amount of time processing the request. This can be automated with a script that measures the time taken to parse the XML, demonstrating the impact of the denial-of-service condition.
Users are advised to update to fast-xml-parser version 5.3.6 or later, and to disable DOCTYPE parsing by setting the 'processEntities' option to false.
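The following is an added defensive example, not code from the advisory or from the fast-xml-parser project. It shows where the mitigation above fits in application code: a pre-parse guard that refuses documents carrying DOCTYPE or ENTITY declarations, applies a size cap and an entity-reference count cap, and the option object (`processEntities: false`, the setting the advisory names) to hand to the library's `XMLParser` class (fast-xml-parser v4 and later). The function names, the limit values and the two sample documents are constructed for illustration; `guardedParse` takes the parse function as a parameter so the example runs without the library installed.

```javascript
// Added example (not from the advisory or the fast-xml-parser project).
// Defensive pre-parse guard for XML input plus the hardened parser options.
// Function names, limit values and sample documents are constructed.

// Options to pass to `new XMLParser(...)` from fast-xml-parser:
// processEntities:false disables DOCTYPE entity expansion (the advisory's mitigation).
const HARDENED_PARSER_OPTIONS = Object.freeze({
  processEntities: false,
});

// Constructed default limits; tune per deployment.
const DEFAULT_LIMITS = Object.freeze({
  maxBytes: 1024 * 1024,      // reject documents larger than 1 MiB
  maxEntityReferences: 1000,  // reject documents with more &name; references than this
});

const DOCTYPE_RE = /<!DOCTYPE\b/i;
const ENTITY_DECL_RE = /<!ENTITY\b/i;
// Named entity references (&foo;) excluding the five predefined XML entities
// and numeric character references (&#123; / &#x7b;).
const ENTITY_REF_RE = /&(?!(?:amp|lt|gt|quot|apos|#x?[0-9a-f]+);)[A-Za-z_:][\w.:-]*;/gi;

// Inspect a document before parsing. Returns { ok: true, bytes, entityReferences }
// when it passes, or { ok: false, reason } when it should be rejected.
function checkXmlInput(xml, limits = DEFAULT_LIMITS) {
  if (typeof xml !== 'string') {
    return { ok: false, reason: 'input is not a string' };
  }
  const bytes = Buffer.byteLength(xml, 'utf8');
  if (bytes > limits.maxBytes) {
    return { ok: false, reason: `document too large (${bytes} bytes, limit ${limits.maxBytes})` };
  }
  // DOCTYPE/ENTITY declarations are the precondition for the expansion described
  // in the advisory; most application XML never needs them, so reject outright.
  if (DOCTYPE_RE.test(xml) || ENTITY_DECL_RE.test(xml)) {
    return { ok: false, reason: 'DOCTYPE/ENTITY declarations are not accepted' };
  }
  // Even with expansion disabled, a flood of references is a signal worth bounding.
  const entityReferences = (xml.match(ENTITY_REF_RE) || []).length;
  if (entityReferences > limits.maxEntityReferences) {
    return { ok: false, reason: `too many entity references (${entityReferences}, limit ${limits.maxEntityReferences})` };
  }
  return { ok: true, bytes, entityReferences };
}

// Run the guard, then hand the document to the supplied parse function.
// In production: guardedParse(xml, (s) => new XMLParser(HARDENED_PARSER_OPTIONS).parse(s)).
function guardedParse(xml, parse, limits = DEFAULT_LIMITS) {
  const verdict = checkXmlInput(xml, limits);
  if (!verdict.ok) {
    throw new Error(`XML rejected before parsing: ${verdict.reason}`);
  }
  return parse(xml);
}

// Constructed sample documents: a benign order record and a minimal DOCTYPE-bearing one.
const BENIGN_XML = '<order id="1"><item>widget &amp; gadget</item></order>';
const DOCTYPE_XML = '<!DOCTYPE d [<!ENTITY e "x">]><a>&e;</a>';

console.log('benign :', checkXmlInput(BENIGN_XML));
console.log('doctype:', checkXmlInput(DOCTYPE_XML));
```

The guard is cheap (a byte count and two regex scans) and runs before any parser work, so it bounds the cost of a hostile document regardless of parser version; the `processEntities: false` option remains the primary fix on the parser side, and upgrading to 5.3.6 or later the long-term one.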