CVE-2026-27942: fast-xml-parser has stack overflow in XMLBuilder with preserveOrder

Published Feb 26, 2026
·
Updated

Impact Application crashes with stack overflow when user use XML builder with prserveOrder:true for following or similar input:

[{ 'foo': [ { 'bar': [{ '@V': 'baz' }] } ] }]

Cause: arrToStr was not validating if the input is an array or a string and treating all non-array values as text content. What kind of vulnerability is it? Who is impacted?

Patches Yes, in 5.3.8 and 4.5.4.

Workarounds Use XML builder with preserveOrder:false or check the input data before passing to builder.

Other sources

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with stack overflow when user use XML builder with preserveOrder:true. Version 5.3.8 fixes the issue. As a workaround, use XML builder with preserveOrder:false or check the input data before passing to builder.

MITRE

Affected Software

5 affected componentsFixes available
npm/fast-xml-parser<5.3.8
NaturalIntelligence fast-xml-parser<4.5.4
NaturalIntelligence fast-xml-parser>=5.0.0<5.3.8
npm/fast-xml-parser<4.5.4
4.5.4
npm/fast-xml-parser>=5.0.0<5.3.8
5.3.8

Remediation

Patch Available

https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a

Patch Available

https://github.com/NaturalIntelligence/fast-xml-parser/pull/791

Event History

Feb 26, 2026
CVE Published
via MITRE·01:22 AM
Data Sourced
via MITRE·01:22 AM
DescriptionWeakness
Data Sourced
via NVD·02:16 AM
RemedyDescriptionSeverityWeaknessAffected Software
Advisory Published
via GitHub·10:33 PM
Data Sourced
via GitHub·10:33 PM
DescriptionWeaknessAffected Software
Jun 28, 58142
Event
via FIRST·03:53 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-27942?

The severity of CVE-2026-27942 is classified as critical due to the potential for application crashes resulting from stack overflow.

2

How do I fix CVE-2026-27942?

To fix CVE-2026-27942, upgrade fast-xml-parser to version 5.3.8 or later.

3

What causes the stack overflow in CVE-2026-27942?

The stack overflow in CVE-2026-27942 is caused by the arrToStr function not handling inputs correctly when preserveOrder is set to true.

4

Which versions of fast-xml-parser are affected by CVE-2026-27942?

CVE-2026-27942 affects fast-xml-parser versions prior to 5.3.8.

5

In what scenarios should I be concerned about CVE-2026-27942?

You should be concerned about CVE-2026-27942 if your application uses fast-xml-parser with XMLBuilder configured with preserveOrder set to true.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203