CVE-2026-33036 is a vulnerability classified under CWE-776 (Improper Restriction of Recursive Entity References in DTDs) affecting the fast-xml-parser library developed by NaturalIntelligence. This library is widely used in JavaScript environments to parse XML data without relying on C/C++ libraries or callbacks. The vulnerability exists in versions from 4.0.0-beta.3 up to 5.5.5, where numeric character references (e.g., &#NNN;, &#xHH;) and standard XML entities are not properly accounted for in the entity expansion limits designed to prevent XML entity expansion attacks (a type of denial of service). The parser's function replaceEntitiesValue() enforces expansion limits only on entities defined in the DOCTYPE section, while numeric and standard entities processed in the lastEntities loop bypass these checks entirely. An attacker can exploit this by supplying XML containing a large number (e.g., one million) of numeric character references such as A, which expands to the character 'A'. This causes the parser to allocate approximately 147MB of memory and consume significant CPU resources, potentially crashing the application or service using the parser. The vulnerability does not require any privileges or user interaction to exploit and can be triggered remotely by processing malicious XML input. The issue was addressed and fixed in version 5.5.6 of fast-xml-parser.

The primary impact of CVE-2026-33036 is a denial of service (DoS) condition caused by excessive memory allocation and CPU consumption when processing malicious XML inputs. This can lead to application crashes, service outages, or degraded performance, affecting availability. Since fast-xml-parser is commonly used in web applications, APIs, and backend services that handle XML data, exploitation could disrupt critical business operations, especially in environments processing untrusted XML data. The vulnerability does not affect confidentiality or integrity directly but can indirectly impact system reliability and availability. Organizations relying on fast-xml-parser in production environments may face service interruptions, increased operational costs due to downtime, and potential cascading failures in dependent systems. The ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks or exploitation by remote adversaries. Although no known exploits are reported in the wild yet, the vulnerability's high CVSS score (7.5) and straightforward exploitation method make it a significant threat.

To mitigate CVE-2026-33036, organizations should immediately upgrade fast-xml-parser to version 5.5.6 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict input validation and sanitization to reject XML inputs containing excessive numeric character references or suspicious entity expansions. Employ XML parsing configurations that disable or limit entity expansion features where possible. Monitor application logs and resource usage for unusual spikes in memory or CPU consumption that may indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XML entity expansion attacks. Additionally, conduct code reviews and dependency audits to identify and remediate usage of vulnerable fast-xml-parser versions across all projects. Educate developers and DevOps teams about secure XML parsing practices and the risks of entity expansion vulnerabilities. Finally, maintain up-to-date threat intelligence feeds to stay informed about any emerging exploits targeting this vulnerability.