MEDIUM · CVSS 5.3

CVE-2024-41818 — fast-xml-parser ReDoS

A regular-expression denial of service (ReDoS) in fast-xml-parser lets crafted XML input keep the parser's regex engine busy for an effectively unbounded time. Because parsing runs synchronously on the Node.js event loop, one request can stall every other request the process is serving.

Affects
  • fast-xml-parser < 4.4.1

What an attacker does

An attacker sends crafted XML to any endpoint that hands untrusted input to fast-xml-parser. The input drives the regex engine into catastrophic backtracking: work grows exponentially with input length, so the call does not return in any practical time. The parse is synchronous, so the event loop is blocked and no other request is served until the match finishes or the process is killed. The only precondition is reaching an endpoint that parses the request body.
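To make the backtracking concrete, the following is an added illustration, not the regex that was in fast-xml-parser and not code from the project. It uses the textbook nested-quantifier pattern `^(a+)+$`: on an input that cannot match, a backtracking engine tries every way of splitting the run of a's between the inner and outer quantifier, so the time doubles with each extra character, while the equivalent `^a+$` stays linear. The payload length and patterns are assumptions chosen for the demo.

```javascript
// Added illustration of catastrophic backtracking. The patterns below are the
// classic textbook example, NOT the regex that was in fast-xml-parser.
// Run with: node redos-demo.js
'use strict';

const SLOW = /^(a+)+$/;   // nested quantifiers: 2^n ways to split n 'a's
const FAST = /^a+$/;      // accepts exactly the same strings, one way to match

function matchSlow(s) { return SLOW.test(s); }
function matchFast(s) { return FAST.test(s); }

// n 'a's followed by a character that can never match, so the engine
// exhausts every split before it gives up (the worst case for SLOW).
function payload(n) { return 'a'.repeat(n) + '!'; }

// Run one test() call and report its result together with wall-clock time.
function timed(fn, input) {
  const t0 = process.hrtime.bigint();
  const result = fn(input);
  return { result, ms: Number(process.hrtime.bigint() - t0) / 1e6 };
}

// Same payload through both patterns: slowMs grows roughly 2^n, fastMs stays flat.
// Both patterns must agree on the answer; only the cost differs.
function compare(n) {
  const p = payload(n);
  const slow = timed(matchSlow, p);
  const fast = timed(matchFast, p);
  return { n, slowMs: slow.ms, fastMs: fast.ms, sameResult: slow.result === fast.result };
}

function main() {
  // Each step of 4 characters multiplies the slow time by about 16; nothing
  // else on the event loop runs while test() is executing.
  for (const n of [12, 16, 20, 24]) console.log(compare(n));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The numbers printed by main are the point: the fast pattern finishes in microseconds at every size, while the slow one climbs from under a millisecond to a noticeable fraction of a second within a dozen extra characters, and keeps doubling from there. A parser that runs such a pattern over attacker-controlled text hands the attacker the process's CPU for as long as the input is long.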

How to detect

`npm ls fast-xml-parser` lists every installed copy with its version, including copies nested under other dependencies; any copy below 4.4.1 is affected. `npm audit` also reports the advisory against the lockfile.

How to fix

Upgrade fast-xml-parser to 4.4.1 or later. If the vulnerable copy is pulled in by another dependency, bump that dependency or pin the transitive version (npm `overrides`, Yarn `resolutions`) and re-run `npm ls fast-xml-parser` to confirm no copy below 4.4.1 remains. As defense in depth, cap the size of request bodies handed to any XML parser, since ReDoS cost scales with input length.
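For the detection and fix steps above, here is an added example (not the project's own tooling) that checks a package-lock.json the same way `npm ls` does: it walks the lockfile's "packages" map (lockfileVersion 2 or 3), where a nested copy appears under a key such as node_modules/<dep>/node_modules/fast-xml-parser, and reports every copy below 4.4.1. The lockfile embedded in the block is constructed for the demo, and the minimal semver comparison is an assumption sufficient for a version gate (prerelease tags are treated as lower than the release).

```javascript
// Added example: report every installed fast-xml-parser below the fixed
// version in a package-lock.json. The SAMPLE_LOCK below is constructed.
// Run with: node check-fxp.js [path/to/package-lock.json]
'use strict';

const PKG = 'fast-xml-parser';
const FIXED = '4.4.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. Assumption: this is all
// a version gate needs; build metadata and ranges are not handled.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease of X.Y.Z sorts below the X.Y.Z release itself.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Walk the "packages" map. Matching on the final path segment catches the
// top-level copy and every nested (transitive) copy alike.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

function report(lock) {
  const hits = findVulnerable(lock);
  if (hits.length === 0) return `OK: no ${PKG} < ${FIXED} installed`;
  return hits.map(h => `VULNERABLE ${h.path}@${h.version} (fix: >= ${FIXED})`).join('\n');
}

// Constructed lockfile: the app's direct copy is already patched, but a
// transitive dependency carries its own vulnerable copy, which is exactly the
// case a plain `npm view` or a glance at package.json would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'fast-xml-parser': '^4.4.1', 'some-sdk': '1.0.0' } },
    'node_modules/fast-xml-parser': { version: '4.4.1' },
    'node_modules/some-sdk': { version: '1.0.0', dependencies: { 'fast-xml-parser': '^4.2.0' } },
    'node_modules/some-sdk/node_modules/fast-xml-parser': { version: '4.3.6' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  console.log(report(lock));
}
```

Pointed at a real lockfile, the script flags each vulnerable path; the nested one is the copy an `overrides` or `resolutions` entry is needed for, since bumping the app's own dependency leaves it in place.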

How Securie catches CVE-2024-41818

Securie's transitive-dependency specialist catches this and flags user-controlled XML sinks.
