The vulnerability CVE-2026-33349 affects the fast-xml-parser library, a popular JavaScript-based XML parsing tool that does not rely on C/C++ libraries or callbacks. The root cause is improper validation of the maxEntityCount and maxEntitySize configuration parameters in the DocTypeReader module. These parameters are intended to limit the number and size of XML entities to prevent entity expansion attacks. However, the code uses JavaScript truthy checks to validate these limits. When a developer sets either limit to zero (0) to disable entities or restrict their size to zero bytes, the falsy nature of zero in JavaScript causes the validation to short-circuit and skip the enforcement of these limits. Consequently, an attacker can supply malicious XML input with unbounded entity expansions, leading to excessive memory consumption and denial of service. This vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input). It affects all versions of fast-xml-parser from 4.0.0-beta.3 up to but not including 5.5.7. The issue was publicly disclosed and patched in version 5.5.7. The CVSS v3.1 base score is 5.9 (medium severity), reflecting a network attack vector, high attack complexity, no privileges or user interaction required, and impact limited to availability (denial of service). No known exploits are currently reported in the wild.

This vulnerability can cause denial of service conditions in applications using affected versions of fast-xml-parser by allowing attackers to trigger unbounded XML entity expansion. The memory exhaustion can crash or severely degrade the performance of services processing XML input, potentially leading to downtime or degraded user experience. Since fast-xml-parser is widely used in JavaScript environments for XML processing without native dependencies, many web applications, APIs, and backend services could be impacted. The lack of authentication or user interaction requirements means that any attacker able to send XML input to a vulnerable service can exploit this issue remotely. This could be leveraged as part of a larger attack chain to disrupt critical services, especially those relying on XML data interchange. However, the impact is limited to availability; confidentiality and integrity are not directly affected. The medium severity rating reflects the moderate complexity of exploitation and the limited scope of impact to denial of service only.

The primary mitigation is to upgrade fast-xml-parser to version 5.5.7 or later, where the issue is fixed by proper validation of maxEntityCount and maxEntitySize parameters without relying on truthy/falsy checks. Until upgrading is possible, developers should avoid setting maxEntityCount or maxEntitySize to zero; instead, set them to a positive integer that enforces strict limits on entity expansion. Additionally, application-level input validation can be implemented to detect and reject XML inputs containing excessive or recursive entity definitions before parsing. Employing runtime resource limits (e.g., memory quotas, process timeouts) on XML parsing operations can help mitigate the impact of potential DoS attempts. Monitoring and logging XML parsing errors and resource usage spikes can provide early detection of exploitation attempts. Finally, developers should review XML parsing configurations and ensure that entity expansion features are disabled or tightly controlled according to the application's security requirements.