Intel

AIKIDO-2026-371823

quick-xml is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

75

High Risk

This Affects:

RUSTquick-xml
0.2.0 - 0.40.1
Fixed in 0.41.0
Are you affected? Scan for Free

TL;DR

quick-xml rejects a start tag that repeats an attribute name when iterating BytesStart::attributes() with the default with_checks(true). For each attribute yielded, the iterator compared the new name against every previously seen name with a linear scan, so a tag with N distinct attribute names cost O(N squared) byte comparisons with no bound on N. Parsing untrusted XML that contains a single start tag with a large number of attributes forces CPU time quadratic in the attribute count, pinning a parsing thread for minutes to hours without exhausting memory or crashing, and namespace-aware NsReader reading reaches the same check internally. The fix keeps the linear scan for tags with few attributes and adds an O(1) hash pre-filter above a threshold, making the whole check linear while preserving the reported duplicate positions.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and parse untrusted XML while iterating start-tag attributes with the default duplicate check enabled, including via NsReader.

Background info

quick-xml is vulnerable to Denial of Service (DoS) in versions 0.2.0 - 0.40.1.

How to fix this

Upgrade the quick-xml library to the patch version.