Description
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Published: 2026-04-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

FastFeedParser performs URL parsing without limiting nested meta-refresh redirects, allowing an attacker to craft a server that returns an infinite chain of HTML pages each with a <meta http-equiv="refresh"> tag. The parser recurses indefinitely into those redirects, eventually exhausting the Python call stack and crashing the consuming process. This vulnerability is identified as a stack-based Denial of Service condition rooted in CWE‑674, Stack Based Buffer Overflow.

Affected Systems

The affected product is the FastFeedParser library from Kagisearch, commonly integrated in Python applications that process RSS, Atom, or RDF feeds. Versions prior to 0.5.10 are vulnerable; upgrading to 0.5.10 or later resolves the recursion problem.

Risk and Exploitability

The CVSS base score is 7.5, indicating a substantial risk. The EPSS score is below 1 %, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker must control a URL that FastFeedParser will fetch and host an endless meta‑refresh loop; reaching internal network resources can be achieved by chaining this issue with the existing SSRF flaw, making the attack more damaging if internal targets are reachable.

Generated by OpenCVE AI on April 14, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastFeedParser to version 0.5.10 or higher.
  • Prior to calling parse(), validate the URL against a whitelist of trusted domains to prevent remote content from being fetched.
  • If an upgrade is delayed, implement a wrapper around parse() that limits the recursion depth or removes meta‑refresh handling to stop the infinite loop.

Generated by OpenCVE AI on April 14, 2026 at 21:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4gx2-pc4f-wq37 FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
History

Tue, 14 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Kagi
Kagi fastfeedparser
CPEs cpe:2.3:a:kagi:fastfeedparser:*:*:*:*:*:python:*:*
Vendors & Products Kagi
Kagi fastfeedparser

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Kagisearch
Kagisearch fastfeedparser
Vendors & Products Kagisearch
Kagisearch fastfeedparser

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Title FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Kagi Fastfeedparser
Kagisearch Fastfeedparser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:22:49.417Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39376

cve-icon Vulnrichment

Updated: 2026-04-08T19:17:58.606Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:32.450

Modified: 2026-04-14T20:12:28.103

Link: CVE-2026-39376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses