CVE-2026-33349: CWE-1284: Improper Validation of Specified Quantity in Input in NaturalIntelligence fast-xml-parser
CVE-2026-33349 is a medium severity vulnerability in NaturalIntelligence's fast-xml-parser versions 4.0.0-beta.3 up to before 5.5.7. The issue arises from improper validation of maxEntityCount and maxEntitySize configuration limits due to JavaScript's treatment of zero as falsy. When these limits are set to zero to disallow entities or restrict entity size, the checks are bypassed, enabling unbounded entity expansion attacks. An attacker supplying crafted XML can trigger memory exhaustion and cause denial of service (DoS). No known exploits are reported in the wild, and the vulnerability requires network access but no authentication or user interaction.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33349 affects the fast-xml-parser library by NaturalIntelligence, specifically versions from 4.0.0-beta.3 up to but not including 5.5.7. The root cause lies in the DocTypeReader component, which processes XML input and enforces limits on entity expansion through maxEntityCount and maxEntitySize parameters. These parameters are intended to prevent excessive entity expansion that can lead to denial of service. However, the implementation uses JavaScript truthy/falsy evaluations to check these limits. When a developer sets either limit explicitly to zero (0), intending to disable entity expansion or restrict entity size to zero bytes, the falsy nature of zero causes the guard conditions to short-circuit and skip the limit enforcement entirely. This logical flaw allows an attacker who can supply XML input to the application to craft XML with unbounded entity expansion. Such XML payloads can cause the parser to consume excessive memory and CPU resources, leading to memory exhaustion and denial of service. The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires the ability to send XML input to the vulnerable parser, which is typically over a network. No authentication or user interaction is needed, but the attack complexity is high due to the need to craft specific XML payloads. The issue was publicly disclosed on March 24, 2026, and patched in version 5.5.7 of fast-xml-parser. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability primarily impacts the availability of applications using the affected versions of fast-xml-parser. Attackers can cause denial of service by triggering unbounded XML entity expansion, leading to memory exhaustion and potential application crashes or service outages. Organizations relying on fast-xml-parser for XML processing in web services, APIs, or backend systems may experience service disruptions, affecting business continuity and user experience. The impact is particularly significant for internet-facing services that accept XML input from untrusted sources. While the vulnerability does not compromise data confidentiality or integrity, the resulting downtime can have cascading effects on dependent systems and services. Additionally, denial of service attacks can be used as a smokescreen for other malicious activities or to degrade the availability of critical infrastructure. Given the widespread use of JavaScript and Node.js in modern web applications, the scope of affected systems is broad, especially in environments where XML processing is integral. The medium CVSS score (5.9) reflects the moderate ease of exploitation combined with a significant impact on availability.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade fast-xml-parser to version 5.5.7 or later, where the issue is patched. If immediate upgrading is not feasible, developers should avoid setting maxEntityCount or maxEntitySize to zero, as this disables the protective limits. Instead, configure these parameters with positive integer values that effectively limit entity expansion to safe thresholds. Additionally, implement input validation and sanitization to reject XML inputs containing potentially malicious entity expansions before parsing. Employ runtime resource monitoring and limits (e.g., memory and CPU usage caps) on services processing XML to detect and mitigate resource exhaustion attacks. Consider using alternative XML parsers with robust entity expansion protections if fast-xml-parser cannot be updated promptly. Finally, restrict network access to XML processing endpoints to trusted sources where possible and monitor logs for unusual XML payloads indicative of entity expansion attacks.
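As an added illustration (not fast-xml-parser's own code), the JavaScript below reimplements the kind of guard described in the technical summary and the mitigation advice: a vulnerable truthiness check beside a hardened numeric check, plus a small audit that flags zero limits in a configuration that has not yet been upgraded. The entity regex, the default values and the function names are assumptions.

```javascript
// Added illustration, not fast-xml-parser's code: regex, defaults and names are assumptions.
// Matches internal entity declarations with double-quoted values only.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;

// Collect { name, value } for every entity declared in a DOCTYPE string.
function readEntities(doctype) {
  const entities = [];
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    entities.push({ name: m[1], value: m[2] });
  }
  return entities;
}

// Vulnerable guard: `opts.limit &&` short-circuits when the limit is 0, so a
// limit of 0 behaves like "no limit" instead of "nothing allowed".
function guardVulnerable(doctype, opts) {
  const entities = readEntities(doctype);
  if (opts.maxEntityCount && entities.length > opts.maxEntityCount) return false;
  for (const e of entities) {
    if (opts.maxEntitySize && e.value.length > opts.maxEntitySize) return false;
  }
  return true;
}

// Hardened guard: an option counts as set whenever it is a finite number; only
// an absent option falls back to an explicit default (values assumed here).
const DEFAULT_MAX_ENTITY_COUNT = 100;
const DEFAULT_MAX_ENTITY_SIZE = 10000;

function limitOf(value, fallback) {
  return Number.isFinite(value) ? value : fallback;
}

function guardHardened(doctype, opts) {
  const maxCount = limitOf(opts.maxEntityCount, DEFAULT_MAX_ENTITY_COUNT);
  const maxSize = limitOf(opts.maxEntitySize, DEFAULT_MAX_ENTITY_SIZE);
  const entities = readEntities(doctype);
  if (entities.length > maxCount) return false;
  return entities.every((e) => e.value.length <= maxSize);
}

// Config audit: names of options set to 0, which an unpatched version silently
// treats as unset.
function auditEntityLimits(opts) {
  return ['maxEntityCount', 'maxEntitySize'].filter((k) => opts[k] === 0);
}

// Constructed sample DOCTYPE with two small internal entities.
const SAMPLE_DOCTYPE = '<!DOCTYPE note [ <!ENTITY a "aaaa"> <!ENTITY b "bbbb"> ]>';
```

Running `auditEntityLimits` over the parser options at startup is a cheap way to catch a zero limit that an affected version would ignore.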
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c2ea08f4197a8e3b6b6441
Added to database: 3/24/2026, 7:46:16 PM
Last enriched: 3/24/2026, 8:01:32 PM
Last updated: 3/24/2026, 8:53:32 PM