CVE-2024-41818
HIGHfast-xml-parser >=4.3.5 <4.4.1 - Uncontrolled Resource Consumption via ReDOS in Currency Parser
Title source: llmDescription
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
References (4)
Core 4
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v
Patch x_refsource_misc
https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa
Patch x_refsource_misc
https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164
Issue Tracking x_refsource_misc
https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
Scores
CVSS v3
7.5
EPSS
0.0083
EPSS Percentile
52.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
CWE-1333
Status
published
Products (3)
fast-xml-parser_project/fast-xml-parser
4.2.4
naturalintelligence/fast-xml-parser
4.2.4
npm/fast-xml-parser
4.3.5 - 4.4.1npm
Published
Jul 29, 2024
Tracked Since
Feb 18, 2026