ultimate-sitemap-parser is vulnerable to Denial of Service (DoS)
75
High Risk
ultimate-sitemap-parser enforces its 100 MiB sitemap size limit only on the compressed HTTP response body, not on the decompressed content. As a result, a malicious server can return a small .gz sitemap that passes the network-size check but expands far beyond the intended limit once decompressed in memory. This allows an attacker to trigger excessive memory consumption, potentially causing process instability, denial of service, or crashes in applications that parse sitemaps from untrusted sources. An attacker could exploit this by hosting a gzip-compressed sitemap bomb and inducing the target application to call sitemap_tree_for_homepage() on the attacker-controlled site, causing oversized decompression in memory with no enforcement of the output size.
You are affected if you are using a version that falls within the vulnerable range.
ultimate-sitemap-parser is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 1.8.0.
Upgrade the ultimate-sitemap-parser library to a patched version.
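The flaw above, as an added illustration that is not part of the advisory or of the ultimate-sitemap-parser code: a size check applied only to the compressed body beside a decompressor that enforces the cap on the decompressed output. Function names, the constructed inputs and the 1 MiB demonstration limit are assumptions.

```python
import gzip
import io

# Constructed sample inputs for this example (not from the advisory).
SMALL_SITEMAP = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<urlset><url><loc>https://example.invalid/</loc></url></urlset>'
)
# 4 MiB of zeros gzips down to a few KiB: tiny on the wire, large in memory.
HIGHLY_COMPRESSIBLE = b"\0" * (4 * 1024 * 1024)
COMPRESSED_SMALL = gzip.compress(SMALL_SITEMAP)
COMPRESSED_BOMB = gzip.compress(HIGHLY_COMPRESSIBLE)
DEMO_LIMIT = 1024 * 1024  # 1 MiB cap, assumed for the demonstration


class DecompressedSizeExceeded(ValueError):
    """Raised when a sitemap body would exceed the configured limit."""


def passes_compressed_size_check(body: bytes, limit: int) -> bool:
    """The flawed check: only the bytes received over the network are counted."""
    return len(body) <= limit


def decompress_bounded(body: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress a gzip body while enforcing the limit on the decompressed size.

    GzipFile.read(n) returns at most n bytes per call, so the check runs
    incrementally and the stream is abandoned as soon as it crosses the cap,
    instead of materializing the full output first.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(body), mode="rb") as gz:
        while True:
            piece = gz.read(chunk)
            if not piece:
                break
            out += piece
            if len(out) > max_output:
                raise DecompressedSizeExceeded(
                    f"decompressed sitemap exceeds {max_output} bytes"
                )
    return bytes(out)


def fetch_sitemap_safely(body: bytes, limit: int) -> bytes:
    """Apply the limit on both sides: the wire size and the decompressed size."""
    if not passes_compressed_size_check(body, limit):
        raise DecompressedSizeExceeded(f"compressed body exceeds {limit} bytes")
    return decompress_bounded(body, limit)
```

Running `passes_compressed_size_check(COMPRESSED_BOMB, DEMO_LIMIT)` returns True, while `fetch_sitemap_safely(COMPRESSED_BOMB, DEMO_LIMIT)` raises before the 4 MiB output is fully materialized.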