quick-xml is vulnerable to Denial of Service (DoS)
75
High Risk
quick-xml rejects a start tag that repeats an attribute name when iterating BytesStart::attributes() with the default with_checks(true). For each attribute yielded, the iterator compared the new name against every previously seen name with a linear scan, so a tag with N distinct attribute names cost O(N squared) byte comparisons with no bound on N. Parsing untrusted XML that contains a single start tag with a large number of attributes forces CPU time quadratic in the attribute count, pinning a parsing thread for minutes to hours without exhausting memory or crashing, and namespace-aware NsReader reading reaches the same check internally. The fix keeps the linear scan for tags with few attributes and adds an O(1) hash pre-filter above a threshold, making the whole check linear while preserving the reported duplicate positions.
You are affected if you are using a version that falls within the vulnerable range and parse untrusted XML while iterating start-tag attributes with the default duplicate check enabled, including via NsReader.
quick-xml is vulnerable to Denial of Service (DoS) in versions 0.2.0 - 0.40.1.
Upgrade the quick-xml library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant