fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use XML builder with `preserveOrder:false` or check the input data before passing to builder.
References
Configurations
Configuration 1 (hide)
|
History
02 Mar 2026, 14:54
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:* | |
| First Time |
Naturalintelligence
Naturalintelligence fast-xml-parser |
27 Feb 2026, 17:14
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a - Patch | |
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/pull/791 - Issue Tracking, Patch | |
| References | () https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3 - Vendor Advisory | |
| First Time |
Fast-xml-parser Project
Fast-xml-parser Project fast-xml-parser |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CPE | cpe:2.3:a:fast-xml-parser_project:fast-xml-parser:*:*:*:*:*:node.js:*:* |
26 Feb 2026, 02:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-26 02:16
Updated : 2026-03-02 14:54
NVD link : CVE-2026-27942
Mitre link : CVE-2026-27942
CVE.ORG link : CVE-2026-27942
JSON object : View
Products Affected
naturalintelligence
- fast-xml-parser
CWE
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')