
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27942: Infinite Loops & Broken Dreams: The fast-xml-parser Stack Exhaustion


Vulnerability ID: CVE-2026-27942
CVSS Score: 2.7
Published: 2026-02-26

In the world of JavaScript, trusting your input types is a rookie mistake that even seasoned developers make. CVE-2026-27942 is a classic example of this hubris: a Denial of Service vulnerability in the ubiquitous fast-xml-parser library. By feeding the parser a specific data structure when the preserveOrder option is enabled, an attacker can trick the library into an infinite recursive loop. This consumes the entire call stack, crashing the Node.js process instantly. It's a low-severity issue on paper, but a high-annoyance issue for anyone relying on this library for stable uptime.
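A constructed model of the bug class described above, written for this post and not taken from fast-xml-parser. The one assumption it borrows from the advisory is the fix commit's own message: the serializer iterated its argument without first checking Array.isArray. Which concrete input triggers the loop in the real library is not shown on this page; the model uses a string because a one-character string is self-similar under indexing ("a"[0] === "a"), so an unchecked walker that descends into arr[i] never reaches a base case. The names naiveArrToStr, guardedArrToStr and runWithStackGuard are this example's, not the library's.

```javascript
// Constructed model of the bug class behind CVE-2026-27942; this is not
// fast-xml-parser's code. The only assumption taken from the advisory is the
// one in the fix commit message: the serializer iterated its argument without
// first checking Array.isArray. A string is used as the trigger here because it
// is self-similar under indexing ("a"[0] === "a"), so an unchecked walker that
// descends into arr[i] never reaches a base case.

// Unguarded walker: treats anything with a .length as an array of children.
function naiveArrToStr(arr) {
  let out = "";
  for (let i = 0; i < arr.length; i++) {
    const item = arr[i];
    if (typeof item === "object" || typeof item === "string") {
      out += naiveArrToStr(item); // "a"[0] is "a" again: unbounded recursion
    } else {
      out += String(item);
    }
  }
  return out;
}

// Guarded walker, shaped like the patch: non-array input is serialised as
// text and never iterated, so recursion depth is bounded by real array nesting.
function guardedArrToStr(arr) {
  if (!Array.isArray(arr)) {
    return arr === undefined || arr === null ? "" : String(arr);
  }
  let out = "";
  for (const item of arr) {
    out += guardedArrToStr(item);
  }
  return out;
}

// Runs a serializer and reports stack exhaustion (Node throws a RangeError,
// "Maximum call stack size exceeded") instead of letting the process die.
function runWithStackGuard(fn, input) {
  try {
    return { ok: true, value: fn(input) };
  } catch (err) {
    if (err instanceof RangeError) return { ok: false, error: "stack exhausted" };
    throw err;
  }
}

// Constructed inputs: a well-formed nested array and the self-similar string case.
const WELL_FORMED = [[1, 2], [3, [4]]];
const SELF_SIMILAR = ["a"];

console.log(runWithStackGuard(naiveArrToStr, WELL_FORMED));    // { ok: true, value: "1234" }
console.log(runWithStackGuard(naiveArrToStr, SELF_SIMILAR));   // { ok: false, error: "stack exhausted" }
console.log(runWithStackGuard(guardedArrToStr, SELF_SIMILAR)); // { ok: true, value: "a" }
```

The catch in runWithStackGuard is a last line of defence for a process that must stay up, not a fix: the guarded walker shows the actual fix, which is to decide up front what is iterable and what is text.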

TL;DR

Uncontrolled recursion in XMLBuilder allows attackers to crash Node.js applications by supplying malformed input objects. Fixed in version 5.3.8.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Stack Exhaustion / Uncontrolled Recursion
  • CWE ID: CWE-120 (Buffer Copy without Checking Size of Input)
  • CVSS Score: 2.7 (Low)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L
  • EPSS Score: 0.00040 (11.95%)
  • Exploit Status: PoC Available
  • Platform: Node.js / JavaScript

Affected Systems

  • Node.js applications using fast-xml-parser
  • Data transformation services (JSON to XML)
  • SOAP integration layers
  • fast-xml-parser: < 5.3.8 (Fixed in: 5.3.8)

Code Analysis

Commit: c13a961

Fix: check if input is array before iteration to prevent recursion loop

diff --git a/src/xmlbuilder/orderedJs2Xml.js b/src/xmlbuilder/orderedJs2Xml.js
index ...
--- a/src/xmlbuilder/orderedJs2Xml.js
+++ b/src/xmlbuilder/orderedJs2Xml.js
@@ -10,6 +10,14 @@
 function arrToStr(arr, options, jPath, indentation) {
     let xmlStr = "";
     let isPreviousElementTag = false;
+
+    if (!Array.isArray(arr)) {
+        if (arr !== undefined && arr !== null) {
+            let text = arr.toString();
+            text = replaceEntitiesValue(text, options);
+            return text;
+        }
+        return "";
+    }

     for (let i = 0; i < arr.length; i++) {
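Review bot: in the new early-return branch, a plain object (the malformed input this fix is guarding against, e.g. an object where an array of child nodes was expected) passes the `arr !== undefined && arr !== null` test and is serialised via `arr.toString()`, which silently emits "[object Object]" into the XML instead of signalling the bad shape; consider throwing a TypeError (or at least reporting) for non-primitive, non-array values so the caller learns its input is malformed rather than getting corrupt output. Two smaller points: `replaceEntitiesValue` is not visible in the hunk, so this relies on it already being in scope in this module, and the diff touches only orderedJs2Xml.js, so a regression test that feeds a non-array through arrToStr with preserveOrder enabled would be worth adding alongside.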

Exploit Details

  • GitHub Issue: Original issue report demonstrating stack overflow with preserveOrder

Mitigation Strategies

  • Upgrade to patched version
  • Disable preserveOrder option
  • Input schema validation

Remediation Steps:

  1. Check your package.json for fast-xml-parser version.
  2. Run npm install fast-xml-parser@latest or yarn upgrade fast-xml-parser.
  3. Verify the installed version is >= 5.3.8.
  4. If upgrading is impossible, locate new XMLBuilder calls and set preserveOrder: false.
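An added example for the remediation steps and the "input schema validation" mitigation above; it is not part of fast-xml-parser. It does two things: isPatchedVersion checks an installed version string against 5.3.8, the fixed version the advisory names, and validateOrderedJs rejects input that does not have the preserveOrder shape before it ever reaches XMLBuilder. The shape assumed here (an array of node objects; each tag-name key holds an array of child nodes; "#text" holds a primitive; ":@" holds an attribute object) is this example's reading of the ordered format, not something the page states, and buildSafely, parseSemver and the sample inputs are this example's own.

```javascript
// Added example for the remediation steps; not part of fast-xml-parser.
//   isPatchedVersion(v): is an installed version >= 5.3.8 (the fixed version
//     named in the advisory)?
//   validateOrderedJs(v): reject input that does not have the preserveOrder
//     shape before it reaches XMLBuilder. The shape assumed here (array of
//     node objects; tag-name keys hold arrays of child nodes; "#text" holds a
//     primitive; ":@" holds an attribute object) is an assumption of this
//     example, not a guarantee from the advisory.

const FIXED_VERSION = "5.3.8";

// Parses "5.3.8", "v5.3.8" or a "^5.3.8" range into [5, 3, 8]. A range in
// package.json is not the installed version: check the lockfile or
// `npm ls fast-xml-parser` for the version actually resolved.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~=v]+/, ""));
  if (!m) throw new TypeError(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function isPatchedVersion(installed, fixed = FIXED_VERSION) {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true; // equal to the fixed version
}

function describe(v) {
  return v === null ? "null" : Array.isArray(v) ? "array" : typeof v;
}

// Walks the ordered structure; recursion depth is bounded by real array
// nesting because strings and other primitives are never descended into.
function validateOrderedJs(value, path = "$") {
  if (!Array.isArray(value)) {
    return { ok: false, reason: `${path}: expected an array of nodes, got ${describe(value)}` };
  }
  for (let i = 0; i < value.length; i++) {
    const node = value[i];
    const p = `${path}[${i}]`;
    if (node === null || typeof node !== "object" || Array.isArray(node)) {
      return { ok: false, reason: `${p}: expected a node object, got ${describe(node)}` };
    }
    for (const [key, child] of Object.entries(node)) {
      if (key === "#text") {
        if (child !== null && typeof child === "object") {
          return { ok: false, reason: `${p}.#text: expected a primitive, got ${describe(child)}` };
        }
      } else if (key === ":@") {
        if (child === null || typeof child !== "object" || Array.isArray(child)) {
          return { ok: false, reason: `${p}.:@: expected an attribute object, got ${describe(child)}` };
        }
      } else {
        const r = validateOrderedJs(child, `${p}.${key}`);
        if (!r.ok) return r;
      }
    }
  }
  return { ok: true };
}

// Gate any builder call on the validator. In real code `build` would be
// (o) => new XMLBuilder({ preserveOrder: true }).build(o); a stub is passed
// here so the example runs without the package installed.
function buildSafely(build, input) {
  const check = validateOrderedJs(input);
  if (!check.ok) throw new TypeError(`refusing to build XML: ${check.reason}`);
  return build(input);
}

// Constructed inputs.
const GOOD = [{ root: [{ child: [{ "#text": "hi" }], ":@": { "@_id": "1" } }] }];
const BAD = [{ root: "not-an-array" }]; // a string where child nodes belong

console.log(isPatchedVersion("5.3.7"), isPatchedVersion("5.3.8")); // false true
console.log(validateOrderedJs(BAD).reason); // $[0].root: expected an array of nodes, got string
console.log(buildSafely((o) => JSON.stringify(o), GOOD));
```

The validator is worth keeping even after upgrading: the patched library now stringifies a non-array rather than recursing on it, so a malformed object still produces wrong XML silently, and the path in the rejection reason ("$[0].root") tells the caller exactly where the input went wrong.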
