CVE-2026-27942: fast-xml-parser has stack overflow in XMLBuilder with preserveOrder
The application crashes with a stack overflow when a user passes the following, or similar, input to the XML builder with preserveOrder: true:
[{
    'foo': [
        { 'bar': [{ '@_V': 'baz' }] }
    ]
}]
Cause: arrToStr did not validate whether its input was an array or a string, and treated all non-array values as text content.
References
- github.com/NaturalIntelligence/fast-xml-parser
- github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a
- github.com/NaturalIntelligence/fast-xml-parser/pull/791
- github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3
- github.com/advisories/GHSA-fj3w-jwp8-x2g3
- nvd.nist.gov/vuln/detail/CVE-2026-27942