Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java.

This issue affects tis: before v4.3.0.
Published: 2026-01-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Infinite Loop)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a loop with an unreachable exit condition in the ChangeDomainAction module of datavane/tis. This causes an infinite loop when the affected action is executed, which can exhaust CPU or memory resources and make the application unresponsive. The weakness is categorized as CWE-835, indicating that the program never reaches a termination point during normal operation. The primary impact is a denial of service that can affect all users of the affected instance.

Affected Systems

The infinite loop is in the datavane/tis application, in versions before 4.3.0. Any installation of datavane:tis older than 4.3.0 is susceptible. The affected module resides in the tis-console/src/main/java/com/qlangtech/tis/runtime/module/action directory and is associated with the ChangeDomainAction.Java source file.

Risk and Exploitability

The CVSS score for this issue is 10, indicating critical severity. The EPSS score is less than 1%, meaning the likelihood of exploitation is very low at present, and it is not listed in the CISA KEV catalog. The likely attack vector is a user action that triggers the domain change logic, such as submitting a request to the change domain endpoint. An attacker who can invoke this action could force the application into an endless loop, causing service disruption. The low EPSS score suggests that exploitation may not yet be observed in the wild, but the critical severity requires immediate attention.

Generated by OpenCVE AI on April 18, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to datavane/tis version 4.3.0 or later to remove the infinite loop code
  • If an upgrade is not immediately possible, disable or block access to the ChangeDomainAction endpoint to prevent execution of the vulnerable loop
  • Apply a temporary code patch that adds a safe termination condition in the loop before deploying the official update

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Datavane
Datavane tis
Vendors & Products Datavane
Datavane tis

Tue, 27 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java. This issue affects tis: before v4.3.0.
Title Cookie Security Vulnerabilities in datavane/tis
Weaknesses CWE-835
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/S:P/AU:Y/R:U/V:C/RE:M/U:Red'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T20:39:27.760Z

Reserved: 2026-01-27T08:48:56.893Z

Link: CVE-2026-24816

Vulnrichment

Updated: 2026-01-27T20:39:24.032Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:52.110

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z
