fast-xml-parser Entity Expansion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in fast-xml-parser versions from 4.0.0-beta.3 prior to 5.5.5. The issue is a bypass of the configured entity expansion limits: numeric character references and standard XML entities are not counted against those limits, so they evade the configured restrictions. An attacker can exploit this by supplying XML containing a large number of entity references, causing excessive memory usage and CPU consumption and potentially crashing the application.

Impact

Exploitation of this vulnerability causes significant memory allocation and CPU usage, with the potential to crash the application due to out-of-memory conditions.

Reproduction

The vulnerability can be reproduced by parsing XML data that contains a high volume of numeric entity references, on the order of 100,000 or more. Even with strict entity expansion limits configured, these references bypass the limits and produce excessive output length and memory consumption.

Remediation

Users can upgrade to fast-xml-parser version 5.5.6 or later, where this vulnerability has been fixed.
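Where an immediate upgrade is not possible, a compensating control is to budget entity references before the document ever reaches the parser, counting every reference form the advisory names (named entities, decimal and hexadecimal numeric character references) rather than relying on the parser's own limit. The following is an added example for this page, not fast-xml-parser's code or its API; the function names, the regular expression and the default limit of 1000 are assumptions to be tuned to what legitimate documents in your environment actually need.

```javascript
// Added example (not fast-xml-parser's code): count every entity reference
// in an XML string before parsing, so inputs that rely on sheer volume of
// references are rejected regardless of parser-level expansion settings.

// Matches named (&amp;), decimal (&#65;) and hex (&#x41;) references.
// The name pattern is an approximation of the XML Name production.
const ENTITY_REF_RE = /&(?:#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_][\w.-]*);/g;

// Hypothetical default budget; tune to real document needs.
const DEFAULT_MAX_REFS = 1000;

// Returns per-kind and total reference counts for the given XML text.
function countEntityRefs(xml) {
  const counts = { named: 0, decimal: 0, hex: 0, total: 0 };
  for (const m of xml.matchAll(ENTITY_REF_RE)) {
    const body = m[0].slice(1, -1); // strip leading '&' and trailing ';'
    if (body.startsWith('#x')) counts.hex++;
    else if (body.startsWith('#')) counts.decimal++;
    else counts.named++;
    counts.total++;
  }
  return counts;
}

// Verdict object: ok is false when the document exceeds the reference budget.
function checkEntityBudget(xml, maxRefs = DEFAULT_MAX_REFS) {
  const counts = countEntityRefs(xml);
  return { ok: counts.total <= maxRefs, counts, maxRefs };
}

// Guarded parse: parseFn is whatever parser you use (passed in, not assumed).
// The input is rejected before any entity expansion takes place.
function parseWithBudget(xml, parseFn, maxRefs = DEFAULT_MAX_REFS) {
  const verdict = checkEntityBudget(xml, maxRefs);
  if (!verdict.ok) {
    throw new Error(
      `rejected: ${verdict.counts.total} entity references exceed limit ${verdict.maxRefs}`
    );
  }
  return parseFn(xml);
}

// Constructed sample input: three named, one decimal and one hex reference.
const SAMPLE = '<doc><a>&amp;&#65;&#x41;</a><b>&lt;x&gt;</b></doc>';

// Stand-alone usage: a benign document passes, an oversized one is refused.
console.log(checkEntityBudget(SAMPLE, 10));
try {
  parseWithBudget('<d>' + '&#65;'.repeat(200) + '</d>', (x) => x, 100);
} catch (e) {
  console.log(e.message);
}
```

The count is taken on the raw text, so it does not depend on how the parser classifies each reference kind; the limit should be set well above what real documents need and the rejection logged, since a burst of rejected documents is itself a useful detection signal.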

Added: Mar 20, 2026, 6:22 AM
Updated: Mar 20, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.9
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.