CVE-2023-34104
Denial of Service vulnerability in fast-xml-parser (npm)
What is CVE-2023-34104 About?
The 'fast-xml-parser' npm package, versions 4.1.3 through 4.2.3, is vulnerable to a Regular Expression Denial of Service (ReDoS) via DOCTYPE entity declarations. The parser accepts entity names containing regex metacharacters and uses each declared name, unescaped, to build the regular expression that replaces '&name;' references in the document body. An attacker who controls the XML can therefore declare an entity whose name is itself a catastrophically backtracking pattern, making the entity-replacement step consume CPU for as long as the crafted input dictates and denying service to the application. The issue is fixed in 4.2.4.
Affected Software
- fast-xml-parser (npm): 4.1.3 up to and including 4.2.3; fixed in 4.2.4
Technical Details
The vulnerability stems from how 'fast-xml-parser' handles entity declarations in the DOCTYPE. The parser reads each '<!ENTITY name "value">' declaration and accepts the name without validating it against the XML Name grammar or escaping it. When it later resolves entity references in the XML body, it constructs a regular expression from the user-provided name (conceptually '&' + name + ';') and runs it over the body. This is a regex injection: an attacker can choose a name such as a nested quantifier followed by an anchor, so that the injected pattern exhibits catastrophic backtracking on a body the attacker also controls. Matching then takes time exponential in the length of the crafted input, and because regex matching in Node.js is synchronous, the parsing thread is blocked for that duration. The practical result is a Denial of Service against the application using the library. The fix shipped in 4.2.4 (see the commits under Additional Resources) validates declared entity names before they are used.
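To make the mechanism concrete, the following is an added example written for this page, not fast-xml-parser's own code: a minimal DOCTYPE entity expander with the vulnerable regex construction placed beside a hardened one. The function names (readEntities, buildEntityRegexUnsafe, buildEntityRegexSafe, expandEntities, measureUnsafeMatchMs), the simplified ASCII-only XML Name check, and the sample documents are all constructed for the illustration.

```javascript
// Added example illustrating CVE-2023-34104. Not fast-xml-parser's code;
// all function names and sample documents are constructed for this page.

// Matches <!ENTITY name "value"> or <!ENTITY name 'value'> inside a DOCTYPE.
const ENTITY_DECL = /<!ENTITY\s+(\S+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;

function readEntities(doctype) {
  const entities = [];
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    entities.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3] });
  }
  return entities;
}

// Vulnerable pattern: the attacker-chosen name is spliced into a RegExp
// unescaped, so "." becomes a wildcard and "(a+)+$" a backtracking bomb.
function buildEntityRegexUnsafe(name) {
  return new RegExp("&" + name + ";", "g");
}

// XML Name production, reduced to ASCII for the example: a start character
// followed by name characters. "." is legal in a Name, so validation alone
// does not make the name regex-safe; metacharacters are escaped as well.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9_:.\-]*$/;

function validateEntityName(name) {
  if (!XML_NAME.test(name)) {
    throw new Error("Invalid entity name: " + JSON.stringify(name));
  }
  return name;
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened pattern: reject anything that is not an XML Name, then escape so
// the resulting regex can only ever match the literal text "&name;".
function buildEntityRegexSafe(name) {
  return new RegExp("&" + escapeRegex(validateEntityName(name)) + ";", "g");
}

// Replaces every "&name;" reference in body with the entity value, using the
// supplied builder. The function replacer keeps "$&"-style sequences in the
// value from being interpreted as replacement patterns.
function expandEntities(body, entities, build) {
  let out = body;
  for (const { name, value } of entities) {
    out = out.replace(build(name), () => value);
  }
  return out;
}

// Times one match attempt of the injected pattern against "&" + "a"*n + "!".
// The input has no ";", so the match cannot succeed and the engine backtracks
// through every split of the a-run: roughly 2^(n-1) steps.
function measureUnsafeMatchMs(n) {
  const re = buildEntityRegexUnsafe("(a+)+$");
  const body = "&" + "a".repeat(n) + "!";
  const t0 = Date.now();
  re.test(body);
  return Date.now() - t0;
}

// Constructed sample documents (not taken from the advisory).
const BENIGN = '<!DOCTYPE r [<!ENTITY greeting "hello">]>';
const INJECTED = '<!DOCTYPE r [<!ENTITY a.c "X">]>';
const REDOS = '<!DOCTYPE r [<!ENTITY (a+)+$ "x">]>';

console.log(expandEntities("<r>&greeting;</r>", readEntities(BENIGN), buildEntityRegexSafe));
// Unsafe builder: "&abc;" is replaced too, because "." became a wildcard.
console.log(expandEntities("<r>&abc;&a.c;</r>", readEntities(INJECTED), buildEntityRegexUnsafe));
console.log(expandEntities("<r>&abc;&a.c;</r>", readEntities(INJECTED), buildEntityRegexSafe));
console.log(measureUnsafeMatchMs(18) + " ms for n=18; each extra 'a' roughly doubles this");
try {
  expandEntities("<r></r>", readEntities(REDOS), buildEntityRegexSafe);
} catch (e) {
  console.log("hardened expander rejected the declaration: " + e.message);
}
```

Raising n in measureUnsafeMatchMs by one roughly doubles the time, which is what lets a few dozen bytes of attacker input pin a CPU core for minutes. Note that validation alone is not sufficient here: '.' is a legal XML Name character but a regex wildcard, so the hardened builder escapes the name as well. An even simpler hardening is to avoid the regex engine entirely and replace the literal string '&name;' with split/join or a string-pattern replaceAll.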
What is the Impact of CVE-2023-34104?
Successful exploitation lets an attacker exhaust CPU on the parsing thread, rendering services or applications that use the vulnerable parser unavailable to legitimate users. Because Node.js executes regex matching synchronously on the event loop, a single malicious document can block every other request handled by that process, not just the one carrying the payload.
What is the Exploitability of CVE-2023-34104?
Exploitation requires only the ability to submit untrusted XML containing a DOCTYPE to an application that parses it with a vulnerable 'fast-xml-parser'. No authentication or privileges are needed beyond that, and the vulnerability is reachable remotely whenever the XML arrives over the network. Crafting the payload is low complexity: any well-known catastrophically backtracking pattern, such as a nested quantifier followed by an anchor, can be used as the entity name. The one precondition is that entity processing is enabled (processEntities: true); this is the default in the affected 4.x releases, so an application is exposed unless it explicitly disabled the option. Applications that do not need entity expansion can set processEntities: false as a mitigation independent of upgrading, and the risk is highest where XML from external sources is parsed without prior validation of its size and structure.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-34104?
Available Upgrade Options
- fast-xml-parser
- >=4.1.3, <4.2.4 → Upgrade to 4.2.4
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-34104
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
- https://osv.dev/vulnerability/GHSA-6w63-h3fj-q4vw
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/a4bdced80369892ee413bf08e28b78795a2b0d5b
- https://github.com/NaturalIntelligence/fast-xml-parser
What are Similar Vulnerabilities to CVE-2023-34104?
Similar Vulnerabilities: CVE-2022-25878, CVE-2023-32695, CVE-2023-28867, CVE-2021-23358, CVE-2021-3783
