Intel

AIKIDO-2026-356729

quick-xml is vulnerable to Denial of Service

Denial of Service Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

39

Low Risk

This Affects:

RUSTquick-xml
0.31.0 - 0.40.0
Fixed in 0.40.1
Are you affected? Scan for Free

TL;DR

The serde deserializer in quick-xml mishandles a DOCTYPE declaration that appears between two text runs inside an element's content. The text-merge step stops at the DOCTYPE instead of treating it as transparent, so two separate text events reach the reader and violate its single-text-run invariant, triggering a reachable unreachable!() panic. An attacker who can supply crafted XML to a deserialization call can abort the parsing thread. The fix treats DOCTYPE as transparent during the text drain so the surrounding text merges into one run.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application deserializes untrusted XML with the serde deserializer.

Background info

quick-xml is vulnerable to Denial of Service in versions 0.31.0 - 0.40.0.

How to fix this

Upgrade the quick-xml library to the patch version.