{"id":"CVE-2024-41818","summary":"ReDoS in currency parsing in fast-xml-parser","details":"fast-xml-parser is an open source, pure JavaScript XML parser. A regular expression denial of service (ReDoS) exists in currency.js: input that reaches the currency parsing regular expression can cause excessive backtracking and CPU consumption (CWE-400). This vulnerability is fixed in 4.4.1.","aliases":["GHSA-mpg4-rc92-vx8v"],"modified":"2026-04-02T12:17:41.136305Z","published":"2024-07-29T15:56:38.999Z","related":["CGA-43wc-mpc8-qf49"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41818.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41818.json"},{"type":"ADVISORY","url":"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41818"},{"type":"FIX","url":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa"},{"type":"FIX","url":"https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/naturalintelligence/fast-xml-parser","events":[{"introduced":"ba5f35e7680468acd7906eaabb2f69e28ed8b2aa"},{"fixed":"d40e29cc4bbe637d7c95060b44f7a4d275facd01"}]}],"versions":["v4.3.5","v4.3.6","v4.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41818.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}