The vulnerability CVE-2026-33036 affects the fast-xml-parser library developed by NaturalIntelligence, specifically versions from 4.0.0-beta.3 up to 5.5.5. This library is used to parse XML data into JavaScript objects without relying on native C/C++ libraries or callbacks, making it popular in JavaScript environments. The root cause lies in improper restriction of recursive entity references within Document Type Definitions (DTDs), classified under CWE-776. Although previous fixes (CVE-2026-26278) introduced limits such as maxTotalExpansions and maxExpandedLength to prevent XML entity expansion attacks, this vulnerability bypasses those protections by exploiting numeric character references (e.g., A) and standard XML entities. The function replaceEntitiesValue() in OrderedObjParser.js enforces expansion counting only on entities defined in the DOCTYPE, but the lastEntities loop that processes numeric and standard entities does not count expansions. An attacker can craft XML input containing a large number (e.g., 1 million) of numeric character references, causing the parser to allocate approximately 147MB of memory and consume significant CPU resources. This results in a denial of service by crashing or severely degrading the performance of the application using the parser. The vulnerability can be triggered remotely without authentication or user interaction by submitting malicious XML data to any service or application that uses the affected fast-xml-parser versions. The issue was addressed and fixed in version 5.5.6 by ensuring that all entity expansions, including numeric and standard entities, are properly counted and limited.

This vulnerability poses a significant risk to any organization using the affected versions of fast-xml-parser in their software stack, especially those processing untrusted XML input. Exploitation leads to denial of service conditions by exhausting memory and CPU resources, potentially causing application crashes or system instability. This can disrupt critical services, degrade user experience, and increase operational costs due to downtime and recovery efforts. Since the attack requires no authentication or user interaction, it can be exploited remotely by attackers sending crafted XML payloads. This makes internet-facing services that parse XML particularly vulnerable. The impact is primarily on availability, with no direct confidentiality or integrity compromise reported. However, denial of service can indirectly affect business continuity and trust. Organizations relying on fast-xml-parser in web applications, APIs, or backend services should consider this vulnerability a high priority for remediation to avoid service interruptions.

The primary mitigation is to upgrade fast-xml-parser to version 5.5.6 or later, where the vulnerability has been fixed. For organizations unable to upgrade immediately, consider implementing input validation and filtering to reject XML inputs containing excessive numeric character references or suspicious entity expansions. Employ runtime resource limits such as memory and CPU usage caps on processes handling XML parsing to reduce the impact of potential exploitation. Use web application firewalls (WAFs) or intrusion prevention systems (IPS) to detect and block XML entity expansion attack patterns. Additionally, review and configure XML parser settings to enforce strict entity expansion limits and disable DTD processing if not required. Monitoring application logs for unusual spikes in resource consumption during XML parsing can help detect attempted exploitation. Finally, educate developers and security teams about this vulnerability to ensure timely patching and secure coding practices.