logo

Database

Asymmetric denial of service - ReDoS In fast-xml-parser

Description

fast-xml-parser vulnerable to Regex Injection via Doctype Entities

Impact

"fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.

Patches

The problem has been resolved in v4.2.4

Workarounds

Avoid using DOCTYPE parsing by processEntities: false option.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-341042. NVD-2023-341043. OSV-2023-341044. GHSA-6w63-h3fj-q4vw5. GCVE-2023-34104

References

1. https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw2. https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c3. https://github.com/NaturalIntelligence/fast-xml-parser/commit/a4bdced80369892ee413bf08e28b78795a2b0d5b

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.