Description
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

FastFeedParser is a high‑performance RSS, Atom and RDF parser. In versions before 0.5.10 the parse() method follows HTTP redirects delivered by <meta http‑equiv="refresh"> tags without any depth limit or visited‑URL tracking. An attacker that controls a server can return an infinite chain of meta‑refresh responses. The parser then recurses unboundedly, exhausting the Python call stack and crashing the process. Because the parser accepts any URL, the same chain can be combined with the SSRF flaw in the companion issue to reach internal network destinations after bypassing the URL check.

Affected Systems

The vulnerability affects the kagisearch:fastfeedparser library for all releases before 0.5.10. No specific operating system or platform is mentioned; the issue is in the parser code itself. Users that incorporate fastfeedparser in their applications, particularly those that process untrusted URLs, are potentially exposed.

Risk and Exploitability

The issue carries a CVSS score of 7.5, indicating a high severity level. No EPSS value is provided, and it is not listed in CISA’s KEV catalog, so the public exploitation likelihood has not been quantified. However, the attacker only needs to supply a malicious URL; the library will attempt to fetch it, making the risk high for systems that call parse() on user‑supplied data. If the attacker also exploits the SSRF side channel, internal resources become reachable, raising the potential impact.

Generated by OpenCVE AI on April 7, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to fastfeedparser 0.5.10 or later, which limits redirect depth and removes meta‑refresh recursion.
  • If an upgrade cannot be performed immediately, restrict the URLs that applications pass to parse() to a whitelist of trusted domains, preventing malicious URLs from being processed.
  • If URL whitelisting is not possible, consider patching the library to impose a reasonable redirect limit or use a custom wrapper that terminates recursion after a safe depth.

Generated by OpenCVE AI on April 7, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4gx2-pc4f-wq37 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Kagisearch
Kagisearch fastfeedparser
Vendors & Products Kagisearch
Kagisearch fastfeedparser

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Title FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Kagisearch Fastfeedparser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:22:49.417Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39376

cve-icon Vulnrichment

Updated: 2026-04-08T19:17:58.606Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T20:16:32.450

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-39376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:08Z

Weaknesses