Description
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
Published: 2026-04-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability resides in facil.io’s `fio_json_parse` function. When it encounters a nested JSON value that begins with the letter 'i' or 'I', the parser falls into an infinite loop. This unbounded loop consumes CPU resources, pegging a core at 100 % and preventing the process from returning a parse error. The effect is an uncontrolled resource consumption that results in denial of service. The flaw maps to CWE‑400 and CWE‑835.

Affected Systems

Both the facil.io C micro‑framework and the iodine Ruby gem share the same parsing logic. Any installation of facil.io or iodine that predates commit 5128747363055201d3ecf0e29bf0a961703c9fa0 is vulnerable. The issue manifests for any JSON payload that includes a nested value starting with 'i' or 'I', the smallest reproducer being `[i`. This affects all deployments that accept attacker‑controlled JSON input through facil.io or iodine.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. Exploitation requires the attacker to send a crafted JSON request to an application that uses the vulnerable parser, a condition that is likely met in publicly accessible services. The lack of an EPSS score and absence from the KEV catalog do not diminish the risk; the bug is reproducible and surfaces as an immediate denial of service once the payload reaches the parser. Attackers could cause CPU exhaustion with zero privileged access, making the vulnerability highly actionable.

Generated by OpenCVE AI on April 22, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade facil.io to a version containing commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later.
  • Upgrade the iodine gem to a patched release that incorporates the same fix.
  • If an upgrade cannot be performed immediately, isolate or disable the JSON parsing functionality for untrusted input, or replace it with a safer parser that validates the structure before consuming resources.

Generated by OpenCVE AI on April 22, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Boazsegev
Boazsegev facil.io
Boazsegev iodine
Vendors & Products Boazsegev
Boazsegev facil.io
Boazsegev iodine

Wed, 22 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
Title facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition
Weaknesses CWE-400
CWE-835
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Boazsegev Facil.io Iodine
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:09:38.075Z

Reserved: 2026-04-17T12:59:15.739Z

Link: CVE-2026-41146

cve-icon Vulnrichment

Updated: 2026-04-22T13:09:26.346Z

cve-icon NVD

Status : Received

Published: 2026-04-22T02:16:02.237

Modified: 2026-04-22T14:17:04.267

Link: CVE-2026-41146

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:52Z

Weaknesses