{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-24T19:35:47Z",
  "bugzilla" : {
    "description" : "fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling",
    "id" : "2450909",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2450909"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1284",
  "details" : [ "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.", "A flaw was found in fast-xml-parser. A remote attacker can exploit this vulnerability by providing specially crafted XML input to an application using the affected library. The DocTypeReader component incorrectly processes configuration limits for entity counts and sizes when these limits are explicitly set to zero, bypassing intended restrictions. This oversight allows for unbounded entity expansion, consuming excessive memory and leading to a Denial of Service (DoS) condition, which makes the application unavailable to legitimate users." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.10",
    "release_date" : "2026-06-09T00:00:00Z",
    "advisory" : "RHSA-2026:24841",
    "cpe" : "cpe:/a:redhat:rhdh:1.10::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1780930740"
  } ],
  "package_state" : [ {
    "product_name" : "Migration Toolkit for Applications 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mta/mta-ui-rhel9",
    "cpe" : "cpe:/a:redhat:migration_toolkit_applications:8"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "apicurio/apicurio-registry-ui-rhel8",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "apicurio/apicurio-registry-ui-rhel9",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-mlflow-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/ocs-client-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/odf-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Fix deferred",
    "package_name" : "odf4/odf-multicluster-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Fix deferred",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Fix deferred",
    "package_name" : "container-native-virtualization/kubevirt-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "satellite/iop-host-inventory-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Fix deferred",
    "package_name" : "satellite/iop-vulnerability-frontend-rhel9",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33349\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33349\nhttps://github.com/NaturalIntelligence/fast-xml-parser/commit/239b64aa1fc5c5455ddebbbb54a187eb68c9fdb7\nhttps://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jp2q-39xq-3w4g" ],
  "name" : "CVE-2026-33349",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}