CVE-2026-33036 Overview
CVE-2026-33036 is a bypass vulnerability in fast-xml-parser, a popular JavaScript library used to process XML from JS objects without C/C++ based libraries or callbacks. This vulnerability allows attackers to completely evade entity expansion limits that were implemented to mitigate a previous vulnerability (CVE-2026-26278), enabling XML entity expansion Denial of Service attacks.
The vulnerability exists in versions 4.0.0-beta.3 through 5.5.5, where numeric character references (&#NNN;, &#xHH;) and standard XML entities bypass the security controls (maxTotalExpansions, maxExpandedLength) designed to prevent resource exhaustion attacks.
Critical Impact
An attacker can force approximately 147MB of memory allocation and heavy CPU usage by supplying 1 million numeric entity references, potentially crashing the process even when developers have configured strict expansion limits.
Affected Products
- naturalintelligence fast-xml-parser versions 4.0.0-beta.3 through 5.5.5
- Applications using fast-xml-parser for XML processing in Node.js environments
- Web services and APIs that accept XML input and rely on fast-xml-parser
Discovery Timeline
- 2026-03-20 - CVE-2026-33036 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33036
Vulnerability Analysis
This vulnerability represents a security control bypass that undermines protections added to address the earlier CVE-2026-26278. The core issue lies in the inconsistent application of entity expansion counting across different entity types within the XML parser.
The replaceEntitiesValue() function in OrderedObjParser.js properly enforces expansion counting for DOCTYPE-defined entities. However, the lastEntities loop that processes numeric character references (like A for the letter 'A') and standard XML entities performs no counting whatsoever. This architectural oversight creates a complete bypass of the security limits.
An attacker exploiting this vulnerability can construct malicious XML payloads containing massive quantities of numeric character references. Even when application developers have diligently configured strict limits like maxTotalExpansions and maxExpandedLength, these protections are ineffective against this attack vector.
Root Cause
The root cause is a missing security control in the entity replacement logic within OrderedObjParser.js. The implementation only enforces expansion counting on DOCTYPE-defined entities while completely omitting counting for the lastEntities loop that handles numeric and standard entities. This creates two distinct code paths with asymmetric security enforcement—one path is protected, while the other allows unlimited expansion.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can craft a malicious XML document containing a large number of numeric character references such as A (which represents the ASCII character 'A'). When the parser processes this payload, each reference is expanded without being counted against the configured limits.
For example, an XML document containing 1 million A references would force the parser to:
- Allocate memory for each expanded character
- Consume significant CPU cycles during the expansion process
- Potentially exhaust system resources and crash the process
The attack is particularly dangerous because it bypasses explicit security configurations that developers may have implemented based on the previous CVE-2026-26278 advisory.
// Security patch in src/xmlparser/OrderedObjParser.js
// This patch adds entity expansion checking for lastEntities and HTML entities
}
// Replace DOCTYPE entities
- for (let entityName in this.docTypeEntities) {
+ for (const entityName of Object.keys(this.docTypeEntities)) {
const entity = this.docTypeEntities[entityName];
const matches = val.match(entity.regx);
Source: GitHub Commit bd26122
Detection Methods for CVE-2026-33036
Indicators of Compromise
- Unusually large XML payloads containing repetitive numeric character references (e.g., A, A)
- Sudden spikes in memory consumption when processing XML input
- Application crashes or unresponsive states during XML parsing operations
- Error logs indicating memory allocation failures or process termination
Detection Strategies
- Implement application-level monitoring for XML payload sizes and patterns before parsing
- Monitor Node.js process memory usage for sudden increases during XML processing operations
- Use Web Application Firewalls (WAF) to detect and block XML payloads with excessive entity references
- Deploy runtime application self-protection (RASP) solutions to detect resource exhaustion attacks
Monitoring Recommendations
- Set up alerting for Node.js processes exceeding memory thresholds during XML parsing
- Monitor request processing times for endpoints that accept XML input
- Track the ratio of XML payload size to processing time to identify potential DoS attempts
- Implement logging for XML parsing operations to aid in forensic analysis
How to Mitigate CVE-2026-33036
Immediate Actions Required
- Upgrade fast-xml-parser to version 5.5.6 or later immediately
- Review all applications and services using fast-xml-parser to identify affected deployments
- Implement input validation to limit XML payload sizes at the application boundary
- Consider temporarily disabling XML processing endpoints if immediate patching is not possible
Patch Information
The vulnerability has been fixed in fast-xml-parser version 5.5.6. The patch modifies the entity replacement logic in OrderedObjParser.js to include expansion counting for all entity types, including numeric character references and standard XML entities.
For detailed patch information, refer to:
Workarounds
- Implement pre-parsing validation to reject XML payloads containing excessive numeric character references
- Use a reverse proxy or WAF to filter requests with suspicious XML patterns before they reach the application
- Apply rate limiting on endpoints that process XML to reduce the impact of DoS attempts
- Consider implementing resource limits at the container or process level to prevent complete system resource exhaustion
# Update fast-xml-parser to the patched version
npm update fast-xml-parser@5.5.6
# Or explicitly install the fixed version
npm install fast-xml-parser@5.5.6 --save
# Verify the installed version
npm list fast-xml-parser
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
