fast-xml-parser Entity Expansion Limit Bypass Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in fast-xml-parser versions 4.0.0-beta.3 prior to 5.5.7. The issue arises in the DocTypeReader component, which tests the entity limit options for truthiness: because 0 is falsy in JavaScript, a developer who sets maxEntityCount or maxEntitySize to 0 intending to forbid entities instead disables those limits entirely. An attacker can exploit this by supplying XML with large entity definitions, causing memory exhaustion and service disruption.

Impact

Exploitation of this vulnerability leads to unbounded entity expansion, causing memory exhaustion and denial-of-service conditions on the server.

Reproduction

To reproduce this vulnerability, configure the fast-xml-parser XMLParser instance with processEntities.maxEntityCount and processEntities.maxEntitySize set to 0. This configuration should block all entity definitions. However, because the parser checks these values for truthiness rather than comparing them as numbers, the intended restrictions are bypassed. Once the parser is set up, supply XML containing a DOCTYPE with large entity definitions. The parser processes the entities without error, demonstrating that the limits have been bypassed.

Remediation

Users should update to fast-xml-parser version 4.5.5 or 5.5.7, where this vulnerability has been patched. If an immediate update is not possible, keep the processEntities option set to false as a temporary workaround; this disables entity processing altogether, so entity references in input documents will not be expanded.
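The following is an added illustration, not code from fast-xml-parser or its DocTypeReader: a toy entity-limit checker that reproduces the defect class described in the Reproduction section (a truthiness test on a numeric option turns a limit of 0 into "no limit") next to the validated form that honours 0 as "allow none". The default limit values, the function names, and the sample DOCTYPE are all constructed for this example.

```javascript
// Added illustration, not fast-xml-parser's code: a toy entity-limit check
// showing how a truthiness test on a numeric option turns a limit of 0 into
// "no limit", and how explicit option validation prevents that.

// Assumed defaults for this toy checker (not the library's values).
const DEFAULT_MAX_ENTITY_COUNT = 100;
const DEFAULT_MAX_ENTITY_SIZE = 1024;

// Constructed sample DOCTYPE with two small internal entity declarations.
const SAMPLE_DOCTYPE =
  '<!DOCTYPE note [\n' +
  '  <!ENTITY greeting "hello">\n' +
  '  <!ENTITY filler "' + 'x'.repeat(30) + '">\n' +
  ']>';

// Minimal extractor for <!ENTITY name "value"> declarations in an internal
// subset. It is deliberately not a full DTD parser.
function readEntityDeclarations(doctype) {
  const re = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  const entities = [];
  let m;
  while ((m = re.exec(doctype)) !== null) {
    entities.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3] });
  }
  return entities;
}

// BUGGY pattern: `||` and a bare `if (opts.maxEntitySize)` treat 0 like
// undefined, so a caller who passes 0 to forbid entities gets the default
// count limit and no size check at all.
function checkEntitiesBuggy(doctype, opts = {}) {
  const maxCount = opts.maxEntityCount || DEFAULT_MAX_ENTITY_COUNT;
  const entities = readEntityDeclarations(doctype);
  if (entities.length > maxCount) {
    throw new Error(`too many entities: ${entities.length} > ${maxCount}`);
  }
  for (const e of entities) {
    if (opts.maxEntitySize && e.value.length > opts.maxEntitySize) {
      throw new Error(`entity ${e.name} exceeds ${opts.maxEntitySize} chars`);
    }
  }
  return entities.length;
}

// FIXED pattern: resolve each limit once. Only undefined/null falls back to
// the default; 0 is honoured as "allow none"; anything that is not a finite
// non-negative number is rejected instead of being silently coerced.
function resolveLimit(value, fallback, name) {
  if (value === undefined || value === null) return fallback;
  if (typeof value !== 'number' || !Number.isFinite(value) || value < 0) {
    throw new TypeError(`${name} must be a finite non-negative number`);
  }
  return value;
}

function checkEntitiesFixed(doctype, opts = {}) {
  const maxCount = resolveLimit(opts.maxEntityCount, DEFAULT_MAX_ENTITY_COUNT, 'maxEntityCount');
  const maxSize = resolveLimit(opts.maxEntitySize, DEFAULT_MAX_ENTITY_SIZE, 'maxEntitySize');
  const entities = readEntityDeclarations(doctype);
  if (entities.length > maxCount) {
    throw new Error(`too many entities: ${entities.length} > ${maxCount}`);
  }
  for (const e of entities) {
    if (e.value.length > maxSize) {
      throw new Error(`entity ${e.name} exceeds ${maxSize} chars`);
    }
  }
  return entities.length;
}

// Runs both checkers on the same input and reports, per checker, either the
// accepted entity count or the rejection message.
function compareBehaviour(doctype, opts) {
  const run = (fn) => {
    try {
      return { accepted: true, count: fn(doctype, opts) };
    } catch (err) {
      return { accepted: false, reason: err.message };
    }
  };
  return { buggy: run(checkEntitiesBuggy), fixed: run(checkEntitiesFixed) };
}

// The configuration from the advisory: both limits set to 0. The buggy
// checker accepts both entities; the fixed checker rejects the document.
console.log(JSON.stringify(
  compareBehaviour(SAMPLE_DOCTYPE, { maxEntityCount: 0, maxEntitySize: 0 }), null, 2));
```

The point of resolveLimit is that option validation happens once, at construction time, with an explicit null/undefined check rather than a truthiness check; a limit of 0 then reaches the comparison as a number and rejects every entity, which is what a developer who wrote 0 intended. The same pattern applies to any numeric guard (depth, length, count) that a caller may legitimately set to zero.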

Added: Mar 24, 2026, 8:28 PM
Updated: Mar 24, 2026, 8:28 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.