Buffer Overflow Affecting fast-xml-parser package, versions <4.5.4>=5.0.0 <5.3.8

Q: How to fix?

Upgrade fast-xml-parser to version 4.5.4, 5.3.8 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-FASTXMLPARSER-15353391
published26 Feb 2026
disclosed26 Feb 2026
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 26 Feb 2026

NewCVE-2026-27942 (opens in a new tab) CWE-120 (opens in a new tab)

How to fix?

Upgrade fast-xml-parser to version 4.5.4, 5.3.8 or higher.

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Buffer Overflow via the XMLBuilder when preserveOrder:true is set. An attacker can cause the application to crash by providing specially crafted input data.

Workaround

This vulnerability can be mitigated by using preserveOrder:false or by validating input data before passing it to the builder.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None