VulnerableCode Package Details - pkg:npm/fast-xml-parser@5.5.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-c46j-zfbx-eyc1 Aliases: CVE-2026-33349 GHSA-jp2q-39xq-3w4g	fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.	5.5.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fbce-cxkc-3ube Aliases: CVE-2026-41650 GHSA-gh4j-gqv2-49f6		5.7.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-c46j-zfbx-eyc1
Aliases:
CVE-2026-33349
GHSA-jp2q-39xq-3w4g

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.

5.5.7
Affected by 1 other vulnerability.

VCID-fbce-cxkc-3ube
Aliases:
CVE-2026-41650
GHSA-gh4j-gqv2-49f6

5.7.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9n1q-kn2a-xfca		CVE-2026-33036 GHSA-8gc5-j5rx-235r

Vulnerability

Summary

Aliases

VCID-9n1q-kn2a-xfca

CVE-2026-33036
GHSA-8gc5-j5rx-235r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:28:04.047613+00:00	GHSA Importer	Fixing	VCID-9n1q-kn2a-xfca	https://github.com/advisories/GHSA-8gc5-j5rx-235r	38.6.0
2026-06-12T22:12:02.552132+00:00	GitLab Importer	Affected by	VCID-fbce-cxkc-3ube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-41650.yml	38.6.0
2026-06-12T21:33:18.561822+00:00	GitLab Importer	Affected by	VCID-c46j-zfbx-eyc1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33349.yml	38.6.0
2026-06-12T21:30:53.931274+00:00	GitLab Importer	Fixing	VCID-9n1q-kn2a-xfca	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/fast-xml-parser/CVE-2026-33036.yml	38.6.0
2026-06-12T07:49:37.929296+00:00	GithubOSV Importer	Fixing	VCID-9n1q-kn2a-xfca	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8gc5-j5rx-235r/GHSA-8gc5-j5rx-235r.json	38.6.0