Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-34104

CVE-2023-34104: Fast-xml-parser DoS Vulnerability

CVE-2023-34104 is a denial of service vulnerability in fast-xml-parser caused by improper entity name handling. Attackers can craft malicious regex patterns to stall the parser. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2023-34104 Overview

CVE-2023-34104 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting fast-xml-parser, an open source pure JavaScript XML parser widely used in Node.js applications. The vulnerability allows attackers to craft malicious entity names that exploit the parser's regex-based entity replacement mechanism, causing indefinite CPU consumption and application stalls.

The core issue stems from fast-xml-parser allowing special characters in entity names without proper escaping or sanitization. Since entity names are used to dynamically construct regular expressions for searching and replacing entities in XML bodies, an attacker can inject a carefully crafted entity name that results in a catastrophically backtracking regex pattern.

Critical Impact

Applications using fast-xml-parser with DOCTYPE parsing enabled are vulnerable to complete denial of service through maliciously crafted XML input containing specially designed entity names.

Affected Products

  • fast-xml-parser versions prior to v4.2.4
  • Node.js applications using vulnerable fast-xml-parser with processEntities enabled
  • Any server-side JavaScript application parsing untrusted XML with fast-xml-parser

Discovery Timeline

  • 2023-06-06 - CVE-2023-34104 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-34104

Vulnerability Analysis

This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The attack exploits the dynamic nature of regex construction in the XML parser's entity processing routine.

When fast-xml-parser processes XML documents containing DOCTYPE declarations with entity definitions, it creates a regex pattern for each entity to facilitate find-and-replace operations throughout the document body. The vulnerability arises because entity names were not validated or sanitized before being interpolated into the regex pattern.

An attacker can define an entity with a name containing regex metacharacters or patterns that cause exponential backtracking when the regex engine attempts to match against the XML content. This results in what's commonly known as a ReDoS (Regular Expression Denial of Service) attack, where the CPU becomes trapped in an extremely long-running regex evaluation.

Root Cause

The root cause is the lack of entity name validation in the DocTypeReader.js module. Prior to the fix, entity names from untrusted XML input were directly used in regex construction via RegExp(\&${entityName};`, "g")` without any sanitization. This allowed injection of regex control characters that could create pathological patterns.

Attack Vector

The attack is network-based and can be executed remotely without authentication. An attacker sends a malicious XML document to any endpoint that processes XML using vulnerable versions of fast-xml-parser. The XML contains a DOCTYPE declaration with an entity whose name includes regex metacharacters designed to cause catastrophic backtracking.

javascript
                     i += 7; 
                     [entityName, val,i] = readEntityExp(xmlData,i+1);
                     if(val.indexOf("&") === -1) //Parameter entities are not supported
-                        entities[ entityName ] = {
+                        entities[ validateEntityName(entityName) ] = {
                             regx : RegExp( `&${entityName};`,"g"),
                             val: val
                         };

Source: GitHub Commit 39b0e050

The patch introduces a validateEntityName() function that sanitizes entity names before they are used in regex construction, preventing the injection of malicious patterns.

Detection Methods for CVE-2023-34104

Indicators of Compromise

  • Abnormally high CPU utilization on servers processing XML data
  • Application timeouts or unresponsive behavior when handling XML requests
  • Log entries showing extremely long request processing times for XML endpoints
  • Unusual XML payloads containing DOCTYPE declarations with complex entity names

Detection Strategies

  • Monitor Node.js application CPU usage for sudden spikes correlating with XML processing
  • Implement request timeout monitoring to detect stalled XML parsing operations
  • Use Software Composition Analysis (SCA) tools to identify fast-xml-parser versions below v4.2.4
  • Review application dependencies with npm audit or similar package security scanners

Monitoring Recommendations

  • Set up alerting for CPU consumption anomalies on XML-processing services
  • Implement request timeouts at the application and load balancer level
  • Log and alert on XML requests containing DOCTYPE declarations from untrusted sources
  • Monitor for patterns of repeated requests with complex entity definitions

How to Mitigate CVE-2023-34104

Immediate Actions Required

  • Upgrade fast-xml-parser to version 4.2.4 or later immediately
  • If immediate upgrade is not possible, disable DOCTYPE processing by setting processEntities: false
  • Audit all applications using fast-xml-parser to determine exposure
  • Consider implementing XML input validation at the network perimeter

Patch Information

The vulnerability has been resolved in fast-xml-parser version 4.2.4. The fix introduces entity name validation through the validateEntityName() function that sanitizes input before regex construction. Users should update their package.json to require version ^4.2.4 or later.

For detailed information on the patch, refer to the GitHub Security Advisory GHSA-6w63-h3fj-q4vw and the commit 39b0e050.

Workarounds

  • Disable entity processing by setting processEntities: false in parser options
  • Implement input validation to reject XML containing DOCTYPE declarations from untrusted sources
  • Add request timeout limits to prevent indefinite processing
  • Deploy Web Application Firewall rules to filter XML payloads with suspicious DOCTYPE definitions
bash
# Configuration example
# Update fast-xml-parser to patched version
npm update fast-xml-parser@^4.2.4

# Or as a workaround, configure parser to disable entity processing
# In your JavaScript code:
# const parser = new XMLParser({ processEntities: false });

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.