quick-xml is vulnerable to Uncontrolled Resource Consumption
25
Low Risk
quick-xml resolves XML namespaces by calling NamespaceResolver::push for every start or empty element in NsReader before the event is returned to the caller. push allocates one namespace binding, plus prefix and value bytes, for every xmlns or xmlns:* declaration on the tag with no upper bound. A start tag carrying a large number of namespace declarations forces unbounded heap allocation that the consumer cannot limit, letting untrusted input exhaust memory and crash the process. The fix caps declarations per element at a configurable default of 256 and returns a TooManyDeclarations error instead of allocating past the limit.
You are affected if you are using a version that falls within the vulnerable range and use NsReader namespace-aware reading on untrusted XML input.
quick-xml is vulnerable to Uncontrolled Resource Consumption in versions 0.24.0 - 0.40.1.
Upgrade the quick-xml library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant