Fast XML Parser
Stack overflow denial of service in fast-xml-parser versions prior to 5.3.8 occurs when the XML builder is used with the preserveOrder option enabled, causing the application to crash. An attacker can trigger this vulnerability remotely by sending specially crafted XML input, resulting in service unavailability for applications using the affected library. A patch is available in version 5.3.8 and later.
Regular expression denial of service (ReDoS) in fast-xml-parser, triggered by crafted XML input, allowing a remote attacker to tie up the parser with a small payload. A proof of concept and a patch are available; upgrade to a fixed version.
Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers to cause denial of service by forcing unbounded entity expansion with minimal payload sizes. Public exploit code exists for this vulnerability, enabling attackers to freeze or severely degrade application performance. Upgrade to version 5.3.6 or disable entity processing using the `processEntities: false` option to mitigate the risk.
Fast-xml-parser versions 5.0.9 through 5.3.3 crash when processing XML containing out-of-range numeric entity code points, allowing remote attackers to cause denial of service against applications parsing untrusted XML input. Public exploit code exists for this vulnerability. Applications should upgrade to version 5.3.4 or later to remediate.
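The two parser-level DoS classes above (unbounded entity expansion, and numeric character references outside the legal code point range) can both be rejected before untrusted XML reaches any parser. The guard below is an added example written for this page, not fast-xml-parser's own code or a substitute for upgrading; it estimates the fully expanded size from the internal DTD subset with early cut-off, so a billion-laughs document is rejected in time proportional to the number of declarations, and it checks every `&#…;` reference against the XML 1.0 Char production. The budget `MAX_EXPANDED_BYTES`, the function names and all three sample documents are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: a pre-parse guard for untrusted XML. This is NOT code from
// fast-xml-parser; it runs in front of any parser. Limits, function names and
// the sample documents below are assumptions constructed for illustration.
const MAX_EXPANDED_BYTES = 1 << 20; // assumed budget: 1 MiB of fully expanded text

// Collect general entities declared in the internal DTD subset
// (<!ENTITY name "value">). Parameter entities (<!ENTITY % ...>) are skipped.
function parseInternalEntities(xml) {
  const entities = new Map();
  const re = /<!ENTITY\s+([^\s%]+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    entities.set(m[1], m[2] !== undefined ? m[2] : m[3]);
  }
  return entities;
}

// Fully expanded length of one entity, following nested &name; references.
// Memoised so each declaration is expanded once, and cut off as soon as the
// budget is exceeded, so a billion-laughs payload costs O(declarations)
// instead of O(expanded text). A reference cycle counts as unbounded.
function expandedLength(name, entities, memo, stack, budget) {
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) return Infinity;
  const value = entities.get(name);
  if (value === undefined) return name.length + 2; // undeclared or predefined: stays literal
  stack.add(name);
  const refRe = /&([^;\s&]+);/g;
  let total = 0, last = 0, m;
  while ((m = refRe.exec(value)) !== null) {
    total += m.index - last;
    total += m[1][0] === '#' ? 1 : expandedLength(m[1], entities, memo, stack, budget);
    last = refRe.lastIndex;
    if (total > budget) break;
  }
  total += value.length - last;
  stack.delete(name);
  memo.set(name, total);
  return total;
}

// Estimate the document size after entity substitution, stopping early once
// it passes the budget. The DOCTYPE (and its internal subset) is not content.
function estimateExpandedSize(xml, budget = MAX_EXPANDED_BYTES) {
  const entities = parseInternalEntities(xml);
  const body = xml.replace(/<!DOCTYPE[^\[>]*(?:\[[\s\S]*?\])?\s*>/, '');
  const memo = new Map();
  const refRe = /&([^;\s&#]+);/g;
  let total = body.length, m;
  while ((m = refRe.exec(body)) !== null) {
    total += expandedLength(m[1], entities, memo, new Set(), budget) - m[0].length;
    if (total > budget) return { ok: false, size: total };
  }
  return { ok: true, size: total };
}

// XML 1.0 Char production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
function isXmlChar(cp) {
  return cp === 0x9 || cp === 0xA || cp === 0xD || (cp >= 0x20 && cp <= 0xD7FF) ||
    (cp >= 0xE000 && cp <= 0xFFFD) || (cp >= 0x10000 && cp <= 0x10FFFF);
}

// Numeric character references (&#NNN; / &#xHHH;) whose code point is not a
// legal XML Char: above U+10FFFF, a surrogate, a control character, or too
// large to be an exact integer. String.fromCodePoint() throws on such values.
function findBadCharRefs(xml) {
  const bad = [];
  const re = /&#(x[0-9A-Fa-f]+|[0-9]+);/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const cp = m[1][0] === 'x' ? parseInt(m[1].slice(1), 16) : parseInt(m[1], 10);
    if (!Number.isSafeInteger(cp) || !isXmlChar(cp)) bad.push(m[0]);
  }
  return bad;
}

// Run both checks; reject before the document ever reaches the parser.
function preflightUntrustedXml(xml, budget = MAX_EXPANDED_BYTES) {
  const problems = [];
  const exp = estimateExpandedSize(xml, budget);
  if (!exp.ok) problems.push(`entity expansion exceeds ${budget} bytes`);
  const bad = findBadCharRefs(xml);
  if (bad.length > 0) problems.push(`illegal character references: ${bad.join(' ')}`);
  return { ok: problems.length === 0, problems };
}

// Constructed samples: a classic billion-laughs document (lol9 expands to
// 3 * 10^9 bytes), one with out-of-range character references, and a benign one.
const BILLION_LAUGHS = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n <!ENTITY lol "lol">\n' +
  [1, 2, 3, 4, 5, 6, 7, 8, 9].map((i) =>
    ` <!ENTITY lol${i} "${`&lol${i === 1 ? '' : i - 1};`.repeat(10)}">`).join('\n') +
  '\n]>\n<lolz>&lol9;</lolz>';
const BAD_CHAR_REF = '<a>&#x110000;&#xD800;</a>';
const BENIGN = '<note>&amp;&#x41; &#169; caf\u00e9</note>';

for (const [label, doc] of [['billion-laughs', BILLION_LAUGHS], ['bad-char-ref', BAD_CHAR_REF], ['benign', BENIGN]]) {
  console.log(label, JSON.stringify(preflightUntrustedXml(doc)));
}
```

The guard only sees what is declared inline, so it complements rather than replaces the fixes listed above: upgrade to a patched release and, where entity substitution is not needed, set `processEntities: false` so the parser never expands entities at all. The budget is deliberately an estimate with early exit; the point is to refuse the document in time proportional to the declaration count, not to compute the exact expanded size of a hostile payload.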