Fast Xml Parser
CVE-2023-34104
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 85 npm packages depend on fast-xml-parser (19 direct, 66 indirect)
Ecosystem-wide dependent count for version 4.1.3.
DescriptionNVD
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the processEntities: false option.
AnalysisAI
fast-xml-parser is an open source, pure javascript xml parser. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Technical ContextAI
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the processEntities: false option. Affected products include: Naturalintelligence Fast-Xml-Parser.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
More in Fast Xml Parser
View allReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.
Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers
Fast-xml-parser versions 5.0.9 through 5.3.3 crash when processing XML containing out-of-range numeric entity code point
fast-xml-parser is an open source, pure javascript xml parser. Rated high severity (CVSS 7.5), this vulnerability is rem
fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution. Rated medium severity (CVSS 6.5), this vulnerabil
Stack overflow denial of service in fast-xml-parser versions prior to 5.3.8 occurs when the XML builder is used with the
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today