CVE-2026-33036
fast-xml-parser allows users to process XML from a JS object without C/C++-based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability: numeric character references (&#NNN;, &#xHH;) and the standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) that were added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities, while the lastEntities loop that handles numeric and standard entities performs no counting at all. An attacker supplying 1M numeric entity references, each decoding to a single character such as A, can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process, even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
EPSS 0.03% · 8.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | fast-xml-parser | 4.0.0-beta.3, 5.0.0 |
| AWS | config | |
| naturalintelligence | fast-xml-parser | 4.0.0 |
| NaturalIntelligence | fast-xml-parser | >= 4.0.0-beta.3, < 5.5.6 |
Exploit Intelligence
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r (nist-nvd)
- CIRCL seen: CVE-2026-33036 (circl-sighting)
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 (circl)
- https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 (circl)
- trivity-report.html (github-poc)
- CVE-2026-33036.yml (github-poc)
Timeline
- Mar 17, 2026 CVE Published
- Mar 18, 2026 Security Advisory
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 24, 2026 PoC Published
- Mar 25, 2026 CVE Updated
References
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r url
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 url
- https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-33036 advisory
- https://github.com/NaturalIntelligence/fast-xml-parser package
- https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5 url
- https://www.ibm.com/support/pages/node/7274185 advisory
- https://www.ibm.com/support/pages/node/7274154 advisory
- https://www.ibm.com/support/pages/node/7274180 advisory
- https://www.ibm.com/support/pages/node/7274183 advisory
- https://www.ibm.com/support/pages/node/7273957 advisory
- https://www.ibm.com/support/pages/node/7274184 advisory
- https://www.ibm.com/support/pages/node/7274314 advisory
- https://www.ibm.com/support/pages/node/7274182 advisory
- https://www.ibm.com/support/pages/node/7274181 advisory
- https://www.ibm.com/support/pages/node/7273803 advisory
- https://www.ibm.com/support/pages/node/7272901 advisory