Description
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Thrift’s Node.js bindings contain an uncontrolled recursion flaw. This weakness can be triggered by malicious input that causes the code to recurse without an adequate termination condition, exhausting stack space and terminating the process. The result is a denial‑of‑service where the affected Thrift service or client becomes unavailable. The vulnerability is identified by CWE‑674 and CWE‑776.

Affected Systems

Apache Software Foundation’s Apache Thrift implementation prior to version 0.23.0 that uses the Node.js bindings is vulnerable. Any deployment employing those versions runs the risk of exploitation.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% and the absence from the CISA KEV catalog suggest that widespread exploitation has not been observed so far. The likely attack vector is remote: an attacker can send crafted Thrift requests to trigger the recursion, forcing a stack overflow and crashing the process.

Generated by OpenCVE AI on May 2, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which removes the recursion bug.
  • If an upgrade is not immediately possible, limit exposure by binding the Thrift service to trusted networks and enforcing request size or depth limits to prevent the recursion from being triggered.
  • Add validation for Thrift request sizes and depth in custom code or configure Thrift to reject overly large structures, ensuring that input lengths and recursion depth are bounded before processing.
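A depth-bounded skip() over Thrift binary-protocol bytes, as an added example of the recursion-depth limit recommended above; this is not Apache Thrift's own code, and the 64-level limit, the helper names and the nested-list payload are assumptions constructed here (the type codes follow Thrift's TType enum).

```javascript
// Added example (not Apache Thrift project code): skip() over Thrift
// binary-protocol bytes with a recursion-depth guard. Type codes = Thrift TType.
const T = { STOP: 0, BOOL: 2, BYTE: 3, DOUBLE: 4, I16: 6, I32: 8, I64: 10,
            STRING: 11, STRUCT: 12, MAP: 13, SET: 14, LIST: 15 };
const MAX_DEPTH = 64; // assumed limit; tune per deployment

// Returns the offset just past the skipped value; throws RangeError once
// nesting exceeds MAX_DEPTH, which is the bound an unguarded skip() lacks.
function skip(buf, off, type, depth = 0) {
  if (depth > MAX_DEPTH) throw new RangeError('nesting deeper than ' + MAX_DEPTH);
  switch (type) {
    case T.BOOL: case T.BYTE: return off + 1;
    case T.I16: return off + 2;
    case T.I32: return off + 4;
    case T.I64: case T.DOUBLE: return off + 8;
    case T.STRING: return off + 4 + buf.readInt32BE(off); // i32 length prefix
    case T.STRUCT: // fields: type(1) id(2) value ... terminated by STOP
      for (;;) {
        const ftype = buf.readUInt8(off++);
        if (ftype === T.STOP) return off;
        off = skip(buf, off + 2, ftype, depth + 1);
      }
    case T.MAP: { // ktype(1) vtype(1) count(4) then count key/value pairs
      const kt = buf.readUInt8(off), vt = buf.readUInt8(off + 1);
      const n = buf.readInt32BE(off + 2); off += 6;
      for (let i = 0; i < n; i++) {
        off = skip(buf, off, kt, depth + 1);
        off = skip(buf, off, vt, depth + 1);
      }
      return off;
    }
    case T.SET: case T.LIST: { // etype(1) count(4) then count elements
      const et = buf.readUInt8(off), n = buf.readInt32BE(off + 1); off += 5;
      for (let i = 0; i < n; i++) off = skip(buf, off, et, depth + 1);
      return off;
    }
    default: throw new TypeError('unknown TType ' + type);
  }
}
// Constructed payload: levels+1 nested lists, the innermost holding one i32.
function nestedList(levels) {
  const parts = [];
  for (let i = 0; i < levels; i++) parts.push(Buffer.from([T.LIST, 0, 0, 0, 1]));
  parts.push(Buffer.from([T.I32, 0, 0, 0, 1, 0, 0, 0, 7]));
  return Buffer.concat(parts);
}
// 'ok' when the value is fully skipped, 'rejected' when the depth guard fires.
function tryskip(buf) {
  try { skip(buf, 0, T.LIST); return 'ok'; }
  catch (e) { return e instanceof RangeError ? 'rejected' : 'error'; }
}
```

With the guard in place a payload nested past the limit is rejected with a catchable error instead of exhausting the stack and killing the process.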

Advisories

Source       | ID                   | Title
Github GHSA  | GHSA-r67j-r569-jrwp  | Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
History

Thu, 30 Apr 2026 12:15:00 +0000

Type        | Values Removed          | Values Added
Weaknesses  |                         | CWE-776
References  |                         |
Metrics     | threat_severity: None   | threat_severity: Moderate

Tue, 28 Apr 2026 18:45:00 +0000

Type        | Values Removed | Values Added
CPEs        |                | cpe:2.3:a:apache:thrift:*:*:*:*:*:node.js:*:*
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 28 Apr 2026 13:15:00 +0000

Type        | Values Removed | Values Added
Metrics     |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 12:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Apache, Apache thrift
Vendors & Products   |                | Apache, Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type        | Values Removed | Values Added
References  |                |

Tue, 28 Apr 2026 10:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title       |                | Apache Thrift: Node.js skip() recursion
Weaknesses  |                | CWE-674
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-04-28T12:15:44.118Z
Reserved: 2026-04-21T22:23:34.001Z
Link: CVE-2026-41636

Vulnrichment

Updated: 2026-04-28T09:52:15.152Z

NVD

Status: Analyzed
Published: 2026-04-28T10:16:03.687
Modified: 2026-04-28T18:38:39.447
Link: CVE-2026-41636

Redhat

Severity: Moderate
Public Date: 2026-04-28T09:22:14Z
Links: CVE-2026-41636 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T11:00:06Z

Weaknesses