Intel

AIKIDO-2026-176217

quick-xml is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

25

Low Risk

This Affects:

RUSTquick-xml
0.24.0 - 0.40.1
Fixed in 0.41.0
Are you affected? Scan for Free

TL;DR

quick-xml resolves XML namespaces by calling NamespaceResolver::push for every start or empty element in NsReader before the event is returned to the caller. push allocates one namespace binding, plus prefix and value bytes, for every xmlns or xmlns:* declaration on the tag with no upper bound. A start tag carrying a large number of namespace declarations forces unbounded heap allocation that the consumer cannot limit, letting untrusted input exhaust memory and crash the process. The fix caps declarations per element at a configurable default of 256 and returns a TooManyDeclarations error instead of allocating past the limit.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use NsReader namespace-aware reading on untrusted XML input.

Background info

quick-xml is vulnerable to Uncontrolled Resource Consumption in versions 0.24.0 - 0.40.1.

How to fix this

Upgrade the quick-xml library to the patch version.