Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser

Description

The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits.

Recommendation

Update the fast-xml-parser package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0, < 5.5.7

  >= 4.0.0-beta.3, < 4.5.5**

• Patched version(s): **5.5.7

  4.5.5**

References

• GHSA-jp2q-39xq-3w4g
• CVE-2026-33349
• CWE-1284
• CAPEC-310
• OWASP 2021-A6

Related Issues

• fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026- - CVE-2026-33036
• fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) - CVE-2026-26278
• fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names - CVE-2026-25896
• fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters - CVE-2026-41650

You might also like:

How to Secure your NodeJs Express Javascript Application - part 2

SmartScanner 2.3: Smarter JavaScript Detection, Faster Scans, and Powerful CLI Enhancements

How to Secure your NodeJs Express Javascript Application - part 1

Tags:

npm

fast-xml-parser