logo

Database

Improper resource allocation - Buffer overflow In node-webfont

Description

fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Impact

Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input

[{
    'foo': [
        { 'bar': [{ '@_V': 'baz' }] }
    ]
}]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content. What kind of vulnerability is it? Who is impacted?

Patches

Yes in 5.3.8

Workarounds

Use XML builder with preserveOrder:false or check the input data before passing to builder.

References

Are there any links users can visit to find out more?

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-279422. NVD-2026-279423. OSV-DEBIAN-2026-279424. OSV-2026-279425. GHSA-fj3w-jwp8-x2g36. GCVE-2026-279427. SECURITY-TRACKER-CVE-2026-27942

References

1. https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g32. https://github.com/NaturalIntelligence/fast-xml-parser/pull/7913. https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-ZGSSN – Vulnerability | Fluid Attacks Database