MEDIUM · CVSS 5.3
CVE-2024-41818 — fast-xml-parser ReDoS
A regular-expression denial of service (ReDoS) in fast-xml-parser lets crafted XML input hang the parser. Because the parse runs synchronously on the main thread, any Node.js service that feeds untrusted XML to the library stops serving requests for as long as the regex engine churns.
Affects
- fast-xml-parser < 4.4.1
What an attacker does
An attacker POSTs crafted XML to any endpoint that hands the request body to fast-xml-parser. The vulnerable regex backtracks catastrophically on that input, burning CPU time far out of proportion to the size of the request. Since the parse is synchronous, the Node.js event loop is blocked for the duration and every other request on the process stalls; repeating the request keeps the service down.
How to detect
Run `npm ls fast-xml-parser` in each service. It lists every installed copy with its version, including nested copies that other dependencies pull in, and any copy below 4.4.1 is affected. `npm audit` also flags the advisory against the lockfile. A direct dependency on a fixed version is not enough on its own: a second, older copy under another package's `node_modules` is just as exploitable if that package's code path parses user input.
How to fix
Upgrade fast-xml-parser to 4.4.1 or later. If the vulnerable copy arrives transitively, either update the dependency that requires it to a release that accepts 4.4.1+ or force the version with an npm `overrides` entry in package.json, then reinstall and re-run `npm ls fast-xml-parser` to confirm no older copy remains. Independently of the version, keep treating XML parsing as untrusted-input handling: cap the body size and bound the parse time.
How Securie catches it
Securie's transitive-dependency scanner reports every copy of fast-xml-parser below 4.4.1, including copies nested under other packages, and flags code paths where user-controlled input reaches an XML-parsing sink.