7.8
Fast-XML-Parser Crashes with Certain XML Input
CVE-2026-27942
GHSA-fj3w-jwp8-x2g3
Summary
The XML builder in Fast-XML-Parser can crash with a stack overflow when it is given certain input while `preserveOrder` is enabled, which would cause the application to become unresponsive. This issue can be avoided by updating to the latest version (5.3.8) or by using a different XML parsing option. In the meantime, you can work around the issue by disabling the `preserveOrder` feature or checking the input data before passing it to the builder.
What to do
- Update amitgupta fast-xml-parser to version 5.3.8.
- Update amitgupta fast-xml-parser to version 4.5.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| amitgupta | fast-xml-parser | > 5.0.0 , <= 5.3.8 | 5.3.8 |
| amitgupta | fast-xml-parser | <= 4.5.4 | 4.5.4 |
| naturalintelligence | fast-xml-parser | <= 4.5.4 | – |
| naturalintelligence | fast-xml-parser | > 5.0.0 , <= 5.3.8 | – |
| amitgupta | fast-xml-parser | > 4.0.0-beta.0 , <= 4.5.4 | 4.5.4 |
Original title
fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
Original description
### Impact
The application crashes with a stack overflow when the XML builder is used with `preserveOrder:true` on the following or similar input:
```
[{
  'foo': [
    { 'bar': [{ '@_V': 'baz' }] }
  ]
}]
```
Cause: `arrToStr` did not validate whether the input was an array or a string, and it treated all non-array values as text content.
### Patches
Yes, in 5.3.8.
### Workarounds
Use the XML builder with `preserveOrder:false`, or check the input data before passing it to the builder.
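The second workaround, as an added example that is not part of the advisory or the project's code: a shape check for `preserveOrder` builder input that rejects the sample above before it reaches the builder. The function name, the `maxDepth` limit and the key names `#text` and `:@` (taken here to be the library's defaults) are assumptions.

```javascript
// Added example, not fast-xml-parser code. Key names are assumed defaults.
function findOrderedInputProblem(data, opts = {}) {
  const textKey = opts.textNodeName || '#text';
  const attrKey = opts.attributesGroupName || ':@';
  const maxDepth = opts.maxDepth || 256; // constructed limit, tune as needed
  if (!Array.isArray(data)) return '$: root must be an array';
  // Explicit stack instead of recursion, so the check itself cannot overflow.
  const stack = [{ arr: data, path: '$', depth: 0 }];
  while (stack.length > 0) {
    const { arr, path, depth } = stack.pop();
    if (depth > maxDepth) return `${path}: nesting deeper than ${maxDepth}`;
    for (let i = 0; i < arr.length; i++) {
      const node = arr[i];
      const here = `${path}[${i}]`;
      if (node === null || typeof node !== 'object' || Array.isArray(node)) {
        return `${here}: node must be a plain object`;
      }
      for (const key of Object.keys(node)) {
        const value = node[key];
        if (key === attrKey) {
          if (value === null || typeof value !== 'object' || Array.isArray(value)) {
            return `${here}.${key}: attribute group must be an object`;
          }
        } else if (key === textKey) {
          if (value !== null && typeof value === 'object') {
            return `${here}.${key}: text must be a primitive`;
          }
        } else if (!Array.isArray(value)) {
          // The advisory's case: a non-array where child nodes are expected.
          return `${here}.${key}: children must be an array, got ${typeof value}`;
        } else {
          stack.push({ arr: value, path: `${here}.${key}`, depth: depth + 1 });
        }
      }
    }
  }
  return null; // no problem found
}

// Constructed samples: the advisory's input and a well-formed counterpart.
const advisoryInput = [{ foo: [{ bar: [{ '@_V': 'baz' }] }] }];
const wellFormed = [{ foo: [{ bar: [{ '#text': 'x' }], ':@': { '@_V': 'baz' } }] }];
console.log(findOrderedInputProblem(advisoryInput));
console.log(findOrderedInputProblem(wellFormed));
```

Call the check on untrusted data and refuse to build when it returns a non-null string; upgrading to a fixed version remains the actual remedy.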
### References
[_Are there any links users can visit to find out more?_](https://github.com/NaturalIntelligence/fast-xml-parser/pull/791)
nvd CVSS3.1
7.5
nvd CVSS4.0
2.7
Vulnerability type
CWE-120
Classic Buffer Overflow
- https://nvd.nist.gov/vuln/detail/CVE-2026-27942
- https://github.com/advisories/GHSA-fj3w-jwp8-x2g3
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f1498629... Patch
- https://github.com/NaturalIntelligence/fast-xml-parser/pull/791 Issue Tracking Patch
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-... Vendor Advisory
- https://github.com/NaturalIntelligence/fast-xml-parser Product
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026