If your Node.js application parses XML, you might want to check your dependencies immediately. A critical Denial of Service (DoS) vulnerability has been discovered in fast-xml-parser, a wildly popular npm package that boasts nearly 46 million downloads every single week.
Tracked as CVE-2026-26278 with a CVSS score of 7.5, the flaw allows attackers to completely freeze an application’s event loop using a payload no larger than a few kilobytes.
The vulnerability lies in how the parser handles DOCTYPE entity expansion. Classically, XML parsers are vulnerable to the infamous "Billion Laughs" attack, in which entities reference other entities so that each level of nesting multiplies the expanded size, growing exponentially until the process runs out of memory.
The developers of fast-xml-parser attempted to prevent this by adding a check in DocTypeReader.js that rejects entities referencing other entities (by looking for the & character inside entity values). While this successfully blocks classic Billion Laughs payloads, it misses a much simpler, brute-force variant.
If an attacker defines one massive entity containing only raw text—meaning no & characters—and then references that entity thousands of times, the parser happily processes it.
According to the security advisory, "There is no limit on how large the expanded result can become, or how many replacements are allowed." The root cause is the replaceEntitiesValue() function in OrderedObjParser.js, which runs val.replace() for each declared entity in a loop with no check on the number of replacements performed or on the total size of the output. The amplification is linear rather than exponential, but with a large entity value and thousands of references it is more than enough: the expanded text is roughly the entity length multiplied by the reference count.
Because Node.js operates on a single-threaded event loop, this parsing flaw is devastating.
“The moment the parser starts expanding entities, the event loop is blocked,” the advisory warns. “While this is happening, the server can’t handle any other requests”.
During testing, researchers found that a maliciously crafted XML payload of just a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, causing all other legitimate requests to time out.
Any service utilizing fast-xml-parser to parse user-supplied XML under the default configuration is exposed to this straightforward DoS attack.
- Affected Versions: All versions >=4.1.3 and <=5.3.5.
- Patched Version: The maintainers have released version 5.3.6 to resolve the issue.
Administrators and developers are strongly urged to update their packages immediately. If upgrading is not immediately possible, the advisory offers a reliable workaround: disable entity expansion by setting the processEntities: false option in the parser configuration, so that DOCTYPE entity declarations are never applied to the document text.
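The mechanism described above (one raw-text entity referenced many times, accepted by the nesting check, then expanded in an unbounded replace loop) and the advisory's mitigation, as an added example written for this article. It is a small model of DOCTYPE entity handling, not fast-xml-parser's own code: the function names, the regular expressions, the payload builder and the budget values in expandBounded are assumptions chosen for illustration. The constructed payload stays under 4 KB and expands to about half a megabyte of text.

```javascript
'use strict';

// Model of DOCTYPE entity handling written for this article. It is NOT
// fast-xml-parser's code; names and limits here are illustrative assumptions.

const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;

// Collect <!ENTITY name "value"> declarations from the internal DOCTYPE subset.
// Mirrors the check the advisory describes: an entity whose value contains '&'
// is rejected, which stops nested (Billion Laughs) chains but nothing else.
function parseDoctypeEntities(xml) {
  const entities = new Map();
  const m = /<!DOCTYPE\s[^\[]*\[([\s\S]*?)\]\s*>/.exec(xml);
  if (!m) return entities;
  for (const decl of m[1].matchAll(ENTITY_DECL)) {
    const [, name, value] = decl;
    if (value.includes('&')) {
      throw new Error(`entity ${name} references another entity`);
    }
    entities.set(name, { regex: new RegExp(`&${name};`, 'g'), value });
  }
  return entities;
}

// Everything after the DOCTYPE's closing "]>" (sufficient for this model).
function documentBody(xml) {
  const end = xml.indexOf(']>');
  return end === -1 ? xml : xml.slice(end + 2);
}

// Unbounded expansion: one replace() per entity with no limit on replacement
// count or output size. One large entity referenced N times yields roughly
// N * value.length characters, all built synchronously on the event loop.
function expandUnbounded(text, entities) {
  for (const { regex, value } of entities.values()) {
    text = text.replace(regex, value);
  }
  return text;
}

// Bounded expansion: the same loop, but each replacement is counted and the
// projected output size is checked, so a hostile document fails fast. The
// default limits are illustrative assumptions, not the library's values.
function expandBounded(text, entities, limits = {}) {
  const { maxReplacements = 1000, maxExpandedLength = 1 << 20 } = limits;
  let replacements = 0;
  let grown = 0; // net characters added so far across all replacements
  for (const { regex, value } of entities.values()) {
    // Inside the callback, `text` is still the pre-replace string for this
    // pass, so text.length + grown is the size the result is heading toward.
    text = text.replace(regex, (ref) => {
      replacements += 1;
      grown += value.length - ref.length;
      if (replacements > maxReplacements) {
        throw new RangeError(`more than ${maxReplacements} entity replacements`);
      }
      if (text.length + grown > maxExpandedLength) {
        throw new RangeError(`expanded text exceeds ${maxExpandedLength} characters`);
      }
      return value;
    });
  }
  return text;
}

// Constructed payload (assumption, for demonstration): one entity of
// entityLength plain characters, so the '&' check passes, referenced
// refCount times in the document body.
function buildPayload(entityLength, refCount) {
  const value = 'A'.repeat(entityLength);
  return `<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY big "${value}">]>\n` +
    `<r>${'&big;'.repeat(refCount)}</r>`;
}

// Expand one payload both ways and report the amplification achieved.
function demo(entityLength = 1024, refCount = 512) {
  const xml = buildPayload(entityLength, refCount);
  const entities = parseDoctypeEntities(xml);
  const body = documentBody(xml);
  const expanded = expandUnbounded(body, entities);
  let boundedError = null;
  try {
    expandBounded(body, entities, { maxReplacements: 100, maxExpandedLength: 64 * 1024 });
  } catch (e) {
    boundedError = e.message;
  }
  return {
    payloadChars: xml.length,
    expandedChars: expanded.length,
    amplification: Math.round(expanded.length / xml.length),
    boundedError,
  };
}

console.log(demo());
```

Against the real library the advisory's workaround is to construct the parser with `processEntities: false`, which corresponds here to never running the expansion step at all; the bounded variant shows the shape of a fix that keeps entities working while capping both replacement count and output size.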