CVE-2026-33036
Published: 20 March 2026
Summary
CVE-2026-33036 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 7.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely flaw remediation by updating fast-xml-parser to version 5.5.6 or later to eliminate the entity expansion bypass.
- SC-5 (Denial-of-service Protection): provides mechanisms to detect and block resource exhaustion caused by excessive XML entity expansion, such as 1M numeric references.
- SI-10 (Information Input Validation): enforces input validation on XML data to reject or sanitize numeric character references and entities that evade parser limits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables direct exploitation of the XML parser (entity expansion bypass) to exhaust application resources and crash the process, which maps to application/system exploitation for endpoint denial of service.
NVD Description
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references (each decoding to a single character such as A) can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Deeper analysis
CVE-2026-33036 is a vulnerability in the fast-xml-parser JavaScript library, affecting versions 4.0.0-beta.3 through 5.5.5. The issue allows a bypass of entity expansion limits, such as maxTotalExpansions and maxExpandedLength, which were implemented to address CVE-2026-26278. Specifically, numeric character references like &#NNN; or &#xHH; and standard XML entities evade these limits because the replaceEntitiesValue() function in OrderedObjParser.js only enforces expansion counting for DOCTYPE-defined entities, while the lastEntities loop handling numeric and standard entities performs no counting. This results in XML entity expansion denial of service (DoS), with a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-776 (Insufficiently Controlled Recursive Entity Expansion, or XXE).
An attacker can exploit this vulnerability by supplying malicious XML input containing a large number of numeric entity references, such as 1 million references that each decode to a single character like A, to any application that uses the affected fast-xml-parser versions to parse XML. No special privileges are required, and exploitation occurs over the network with low complexity. Successful attacks force approximately 147MB of memory allocation and heavy CPU usage, potentially crashing the process even when developers have configured strict entity expansion limits.
The vulnerability has been fixed in fast-xml-parser version 5.5.6, as detailed in the project's security advisory (GHSA-8gc5-j5rx-235r), release notes, and the fixing commit (bd26122c838e6a55e7d7ac49b4ccc01a49999a01). Security practitioners should update to version 5.5.6 or later and review applications parsing untrusted XML input for exposure.
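The root cause described in the NVD description and the analysis above is a counting gap: the expansion budget is charged only for DOCTYPE-defined entities, so numeric and standard references expand for free. The following is an added example written for this page, not fast-xml-parser's replaceEntitiesValue() or any code from the project, showing a minimal entity replacer that charges one budget for every kind of reference. The option names maxTotalExpansions and maxExpandedLength mirror the ones the advisory cites; the countNumeric switch (which reproduces the uncounted behaviour for comparison), the regular expression, the ExpansionBudgetExceeded error and the pre-parse countReferences() guard are all constructed for illustration.

```javascript
// Added example, not fast-xml-parser's own code: a minimal entity replacer that
// applies one expansion budget to every kind of reference (DOCTYPE-defined,
// standard, numeric). The option names maxTotalExpansions and maxExpandedLength
// mirror the ones the advisory cites; the counting logic, the countNumeric
// switch and the regular expression are constructed for illustration.

const STANDARD_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Matches &#NNN; , &#xHH; and named references such as &amp; or &foo;
const REFERENCE_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_][\w.-]*);/g;

class ExpansionBudgetExceeded extends Error {
  constructor(message) { super(message); this.name = 'ExpansionBudgetExceeded'; }
}

// docEntities: { name: replacementText } for entities declared in the DOCTYPE
// (the caller constructs it; DTD parsing is out of scope here).
// countNumeric=false reproduces the advisory's root cause: numeric and standard
// references are expanded without touching the counters, so they never trip
// the budget. countNumeric=true (the default) is the hardened behaviour.
function replaceEntities(text, docEntities, opts = {}) {
  const {
    maxTotalExpansions = 1000,
    maxExpandedLength = 100000,
    countNumeric = true,
  } = opts;
  let expansions = 0;
  let expandedLength = 0;

  // Charge one expansion to the shared budget and fail closed when it is spent.
  const account = (replacement) => {
    expansions += 1;
    expandedLength += replacement.length;
    if (expansions > maxTotalExpansions) {
      throw new ExpansionBudgetExceeded(`more than ${maxTotalExpansions} expansions`);
    }
    if (expandedLength > maxExpandedLength) {
      throw new ExpansionBudgetExceeded(`expanded text exceeds ${maxExpandedLength} characters`);
    }
  };

  return text.replace(REFERENCE_RE, (match, body) => {
    let replacement;
    if (body[0] === '#') {
      const codePoint = body[1] === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      if (!Number.isInteger(codePoint) || codePoint > 0x10ffff) return match; // malformed: leave as-is
      replacement = String.fromCodePoint(codePoint);
      if (!countNumeric) return replacement;           // uncounted path (the bug)
    } else if (Object.prototype.hasOwnProperty.call(docEntities, body)) {
      replacement = docEntities[body];                  // always counted
    } else if (Object.prototype.hasOwnProperty.call(STANDARD_ENTITIES, body)) {
      replacement = STANDARD_ENTITIES[body];
      if (!countNumeric) return replacement;           // uncounted path (the bug)
    } else {
      return match;                                     // unknown reference: leave untouched
    }
    account(replacement);
    return replacement;
  });
}

// Go/no-go wrapper: true when the text expands within budget, false otherwise.
function expandsWithinBudget(text, docEntities, opts) {
  try {
    replaceEntities(text, docEntities, opts);
    return true;
  } catch (err) {
    if (err instanceof ExpansionBudgetExceeded) return false;
    throw err;
  }
}

// Pre-parse guard: count references before the document reaches any parser,
// so an application that cannot upgrade immediately can still reject inputs
// with an implausible number of references at the edge.
function countReferences(xml) {
  const matches = xml.match(REFERENCE_RE);
  return matches ? matches.length : 0;
}

// Stand-alone demo on a constructed input: twenty references that each decode
// to 'A', checked against a budget of ten expansions.
if (typeof require !== 'undefined' && require.main === module) {
  const input = '&#65;'.repeat(20);
  const budget = { maxTotalExpansions: 10, maxExpandedLength: 1000 };
  console.log('references seen:', countReferences(input));
  console.log('uncounted numeric refs pass budget:', expandsWithinBudget(input, {}, { ...budget, countNumeric: false }));
  console.log('counted numeric refs pass budget:', expandsWithinBudget(input, {}, budget));
}
```

The point of the two code paths is the check a reviewer would want on any entity-expansion limit: every reference kind must flow through the same accounting, and the budget must be enforced while expanding, not after. The countReferences() guard is a cheap compensating control for deployments still on an affected version; it is not a substitute for upgrading to 5.5.6 or later.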
Details
- CWE(s)