Description
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
Published: 2026-03-03
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow in Underscore.js functions
Action: Patch Immediately
AI Analysis

Impact

Underscore.js, a widely used utility library for JavaScript, contained a flaw in its _.flatten and _.isEqual functions before version 1.13.8. Both functions recurse without a depth limit, so a deliberately nested data structure can trigger a stack overflow when these functions process the data. The overflow causes the process to terminate or hang, resulting in a denial‑of‑service condition. The weakness corresponds to unchecked loop condition and uncontrolled recursion (CWE‑606, CWE‑770).

Affected Systems

The vulnerability affects all v1.13.8‑earlier releases of the Underscore.js library distributed by jashkenas. Any Node.js or web application that includes a pre‑1.13.8 version of Underscore.js and calls _.flatten or _.isEqual on data supplied by an unauthenticated or untrusted source is at risk. The CVE details list the CPE for underscorejs:underscore and emphasize that the issue is present in all earlier versions.

Risk and Exploitability

With a CVSS base score of 8.2, the flaw is considered high‑severity. The EPSS score of less than 1% indicates that, currently, there is a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the attack scenario requires an attacker to be able to supply deeply nested JSON or equivalent data structures that are fed directly into the vulnerable functions. The effective attack vector is thus remote client input; any exposed API, form, or data ingestion endpoint that calls _.flatten or _.isEqual without input validation can potentially be abused to perform a denial‑of‑service via stack overflow.

Generated by OpenCVE AI on April 16, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Underscore.js library to version 1.13.8 or later, which includes the recursion limit fix.
  • If an upgrade is not immediately feasible, avoid feeding untrusted input to _.flatten or _.isEqual; instead enforce a maximum depth or use a safer alternative function.
  • Implement input validation that rejects or sanitizes deeply nested structures before they reach the library functions, or wrap the library calls in a bounded‑recursion guard.

Generated by OpenCVE AI on April 16, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qpx9-hpmf-5gmw Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Thu, 05 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Underscorejs
Underscorejs underscore
CPEs cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*
Vendors & Products Underscorejs
Underscorejs underscore
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Jashkenas
Jashkenas underscore
Vendors & Products Jashkenas
Jashkenas underscore

Wed, 04 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Tue, 03 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
Title Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Jashkenas Underscore
Underscorejs Underscore
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T16:44:40.856Z

Reserved: 2026-02-20T19:43:14.602Z

Link: CVE-2026-27601

cve-icon Vulnrichment

Updated: 2026-03-04T16:44:34.757Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-03T23:15:55.560

Modified: 2026-04-28T15:06:03.603

Link: CVE-2026-27601

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-03T22:38:38Z

Links: CVE-2026-27601 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses