CVE-2023-34104 Overview
CVE-2023-34104 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting fast-xml-parser, an open source pure JavaScript XML parser widely used in Node.js applications. The vulnerability allows attackers to craft malicious entity names that exploit the parser's regex-based entity replacement mechanism, causing indefinite CPU consumption and application stalls.
The core issue stems from fast-xml-parser allowing special characters in entity names without proper escaping or sanitization. Since entity names are used to dynamically construct regular expressions for searching and replacing entities in XML bodies, an attacker can inject a carefully crafted entity name that results in a catastrophically backtracking regex pattern.
Critical Impact
Applications using fast-xml-parser with DOCTYPE parsing enabled are vulnerable to complete denial of service through maliciously crafted XML input containing specially designed entity names.
Affected Products
- fast-xml-parser versions prior to v4.2.4
- Node.js applications using vulnerable fast-xml-parser with processEntities enabled
- Any server-side JavaScript application parsing untrusted XML with fast-xml-parser
Discovery Timeline
- 2023-06-06 - CVE-2023-34104 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34104
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The attack exploits the dynamic nature of regex construction in the XML parser's entity processing routine.
When fast-xml-parser processes XML documents containing DOCTYPE declarations with entity definitions, it creates a regex pattern for each entity to facilitate find-and-replace operations throughout the document body. The vulnerability arises because entity names were not validated or sanitized before being interpolated into the regex pattern.
An attacker can define an entity with a name containing regex metacharacters or patterns that cause exponential backtracking when the regex engine attempts to match against the XML content. This results in what's commonly known as a ReDoS (Regular Expression Denial of Service) attack, where the CPU becomes trapped in an extremely long-running regex evaluation.
Root Cause
The root cause is the lack of entity name validation in the DocTypeReader.js module. Prior to the fix, entity names from untrusted XML input were used directly in regex construction via RegExp(`&${entityName};`, "g") without any sanitization. This allowed injection of regex control characters that could create pathological patterns.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker sends a malicious XML document to any endpoint that processes XML using vulnerable versions of fast-xml-parser. The XML contains a DOCTYPE declaration with an entity whose name includes regex metacharacters designed to cause catastrophic backtracking.
i += 7;
[entityName, val,i] = readEntityExp(xmlData,i+1);
if(val.indexOf("&") === -1) //Parameter entities are not supported
- entities[ entityName ] = {
+ entities[ validateEntityName(entityName) ] = {
regx : RegExp( `&${entityName};`,"g"),
val: val
};
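Review bot: the lookup key now goes through validateEntityName(entityName), but the regex on the following line is still built from the raw name (`regx : RegExp( `&${entityName};`,"g")`). That is only safe if validateEntityName throws on an invalid name rather than returning a sanitized one; if it returns a cleaned name, the pattern should be built from that return value, e.g. `const name = validateEntityName(entityName);` and then use `name` for both the key and the RegExp. The hunk does not show the function body, so the throw-on-failure contract should be stated in a comment at the call site.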
Source: GitHub Commit 39b0e050
The patch introduces a validateEntityName() function that sanitizes entity names before they are used in regex construction, preventing the injection of malicious patterns.
Detection Methods for CVE-2023-34104
Indicators of Compromise
- Abnormally high CPU utilization on servers processing XML data
- Application timeouts or unresponsive behavior when handling XML requests
- Log entries showing extremely long request processing times for XML endpoints
- Unusual XML payloads containing DOCTYPE declarations with complex entity names
Detection Strategies
- Monitor Node.js application CPU usage for sudden spikes correlating with XML processing
- Implement request timeout monitoring to detect stalled XML parsing operations
- Use Software Composition Analysis (SCA) tools to identify fast-xml-parser versions below v4.2.4
- Review application dependencies with npm audit or similar package security scanners
Monitoring Recommendations
- Set up alerting for CPU consumption anomalies on XML-processing services
- Implement request timeouts at the application and load balancer level
- Log and alert on XML requests containing DOCTYPE declarations from untrusted sources
- Monitor for patterns of repeated requests with complex entity definitions
How to Mitigate CVE-2023-34104
Immediate Actions Required
- Upgrade fast-xml-parser to version 4.2.4 or later immediately
- If immediate upgrade is not possible, disable DOCTYPE processing by setting processEntities: false
- Audit all applications using fast-xml-parser to determine exposure
- Consider implementing XML input validation at the network perimeter
Patch Information
The vulnerability has been resolved in fast-xml-parser version 4.2.4. The fix introduces entity name validation through the validateEntityName() function that sanitizes input before regex construction. Users should update their package.json to require version ^4.2.4 or later.
For detailed information on the patch, refer to the GitHub Security Advisory GHSA-6w63-h3fj-q4vw and the commit 39b0e050.
Workarounds
- Disable entity processing by setting processEntities: false in parser options
- Implement input validation to reject XML containing DOCTYPE declarations from untrusted sources
- Add request timeout limits to prevent indefinite processing
- Deploy Web Application Firewall rules to filter XML payloads with suspicious DOCTYPE definitions
# Configuration example
# Update fast-xml-parser to the patched version (also rewrites the range in package.json)
npm install fast-xml-parser@^4.2.4

# Or, as a workaround, configure the parser to disable entity processing.
# In your JavaScript code:
const { XMLParser } = require("fast-xml-parser");
const parser = new XMLParser({ processEntities: false });
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.