GHSA-fj3w-jwp8-x2g3

Published: 26 Feb 2026
Source: github
GitHub: reviewed
CVSS4: 2.7

Description

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact

The application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true` on the following or similar input:

[{ 'foo': [ { 'bar': [{ '@_V': 'baz' }] } ] }]

Cause: `arrToStr` did not check whether its input was an array or a string, and treated every non-array value as text content.

Patches

Yes, in version 5.3.8.

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.
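The second workaround, checking the input before it reaches the builder, is shown below as an added example; it is not code from the advisory or from the fast-xml-parser project. It assumes the documented `preserveOrder` shape: an array of node objects, each with one tag key whose value is an array of child nodes (or a `#text`/`#comment`/`#cdata` key holding a primitive), with attributes under a `:@` object whose keys carry the `@_` prefix. The function names, the depth limit and the sample inputs are constructed for the example; `builder.build()` is the XMLBuilder method the check is meant to guard.

```javascript
// Added example (not project code): shape check for XMLBuilder input when
// preserveOrder:true, run before builder.build(). Assumed format described
// in the lead-in; MAX_DEPTH is an arbitrary defensive bound chosen here.

const ATTR_KEY = ':@';          // attributes object key in preserveOrder output
const ATTR_PREFIX = '@_';       // default attributeNamePrefix
const TEXT_KEYS = new Set(['#text', '#comment', '#cdata']);
const MAX_DEPTH = 512;          // refuse pathological nesting outright

function typeName(v) {
  return v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v;
}

function isPrimitive(v) {
  return ['string', 'number', 'boolean'].includes(typeof v);
}

function validateAttributes(attrs, path, errors) {
  if (attrs === null || typeof attrs !== 'object' || Array.isArray(attrs)) {
    errors.push(`${path}: ":@" must be an object, got ${typeName(attrs)}`);
    return;
  }
  for (const [k, v] of Object.entries(attrs)) {
    if (!k.startsWith(ATTR_PREFIX)) errors.push(`${path}: attribute "${k}" lacks prefix "${ATTR_PREFIX}"`);
    if (!isPrimitive(v)) errors.push(`${path}.${k}: attribute value must be primitive, got ${typeName(v)}`);
  }
}

function validateNode(node, path, errors, depth) {
  if (node === null || typeof node !== 'object' || Array.isArray(node)) {
    errors.push(`${path}: expected a node object, got ${typeName(node)}`);
    return;
  }
  if (ATTR_KEY in node) validateAttributes(node[ATTR_KEY], `${path}[":@"]`, errors);
  const keys = Object.keys(node).filter((k) => k !== ATTR_KEY);
  if (keys.length !== 1) {
    errors.push(`${path}: node must carry exactly one tag or text key, found ${keys.length}`);
    return;
  }
  const key = keys[0];
  const value = node[key];
  if (TEXT_KEYS.has(key)) {
    if (!isPrimitive(value)) errors.push(`${path}.${key}: text content must be primitive, got ${typeName(value)}`);
  } else if (key.startsWith(ATTR_PREFIX)) {
    // This is exactly the shape in the advisory's crashing input.
    errors.push(`${path}: attribute key "${key}" must sit under ":@", not be used as a tag`);
  } else {
    validateNodeList(value, `${path}.${key}`, errors, depth + 1);
  }
}

function validateNodeList(nodes, path, errors, depth) {
  if (depth > MAX_DEPTH) {
    errors.push(`${path}: nesting deeper than ${MAX_DEPTH}`);
    return;
  }
  if (!Array.isArray(nodes)) {
    // Tag values must be arrays of child nodes; a bare string here is the
    // case the advisory attributes to arrToStr.
    errors.push(`${path}: expected an array of child nodes, got ${typeName(nodes)}`);
    return;
  }
  nodes.forEach((node, i) => validateNode(node, `${path}[${i}]`, errors, depth));
}

// Returns a list of problems; an empty list means the input is well-shaped.
function validatePreserveOrderInput(input) {
  const errors = [];
  validateNodeList(input, '$', errors, 0);
  return errors;
}

// Guarded wrapper: `builder` is an XMLBuilder({ preserveOrder: true }) instance.
function buildSafely(builder, input) {
  const errors = validatePreserveOrderInput(input);
  if (errors.length > 0) throw new TypeError('Refusing to build XML: ' + errors.join('; '));
  return builder.build(input);
}

// Constructed sample inputs.
const CRASHING_INPUT = [{ foo: [{ bar: [{ '@_V': 'baz' }] }] }]; // shape from the advisory
const STRING_LEAF_INPUT = [{ foo: 'not an array of nodes' }];
const VALID_INPUT = [{ foo: [{ bar: [{ '#text': 'hi' }], ':@': { '@_V': 'baz' } }] }];

console.log(validatePreserveOrderInput(CRASHING_INPUT));
console.log(validatePreserveOrderInput(STRING_LEAF_INPUT));
console.log(validatePreserveOrderInput(VALID_INPUT));
```

The validator is deliberately stricter than the builder: it rejects anything that is not the ordered-node shape rather than trying to repair it, so malformed input fails fast with a descriptive error instead of reaching the recursive `arrToStr` path.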


Packages

Name: fast-xml-parser (npm)
Affected versions: >= 5.0.0, < 5.3.8
Fixed version: 5.3.8

Name: fast-xml-parser (npm)
Affected versions: >= 4.0.0-beta.0, < 4.5.4
Fixed version: 4.5.4

EPSS

Percentile: 15%
0.0005
Low

2.7 Low

CVSS4

Weaknesses

CWE-120

Related vulnerabilities

CVSS3: 7.5
ubuntu
30 days ago

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when a user uses XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.

CVSS3: 7.5
redhat
30 days ago

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when a user uses XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.

CVSS3: 7.5
nvd
30 days ago

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when a user uses XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.

CVSS3: 7.5
debian
30 days ago

fast-xml-parser allows users to validate XML, parse XML to JS object, ...