Description
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Uncontrolled recursion can trigger stack overflow and cause application crashes, leading to denial of service
Action: Immediate Patch
AI Analysis

Impact

Apache Thrift’s Node.js bindings contain an uncontrolled recursion flaw in the protocol skip() method, the routine a reader uses to discard a field it does not recognise. skip() descends recursively into nested values (structs, maps, lists and sets), and the affected versions place no bound on that depth, so a peer can send a message whose nesting is deep enough to exhaust the stack and crash the process. The result is denial of service: the affected Thrift server or client becomes unavailable until it is restarted. The weakness is CWE‑674 (Uncontrolled Recursion).

Affected Systems

Apache Software Foundation’s Apache Thrift before version 0.23.0 is vulnerable. The flaw is in the Node.js bindings, so any deployment that uses the Node.js library of those versions is affected, whether as a server or as a client that deserializes responses; the advisory names no other language bindings.

Risk and Exploitability

The CVSS 4.0 base score is 8.7 (High). The vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L describes an unauthenticated network attacker, low attack complexity, no user interaction, and an impact confined to availability (high on the vulnerable process, low on subsequent systems). The EPSS estimate is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, so there is no evidence of in‑the‑wild use yet, although SSVC also rates the attack as automatable. The attack vector is remote: a crafted Thrift message, sent to a server or returned to a client, that carries a field the receiver does not expect and whose value is nested deeply enough (for example a struct inside a struct, repeated many thousands of times) to exhaust the stack when skip() walks it. Because Thrift‑generated readers call skip() for any field they do not recognise, the attacker does not need the target’s IDL to line up; a single deliberately nested message is enough.

Generated by OpenCVE AI on April 28, 2026 at 12:14 UTC.

Remediation

Fixed in Apache Thrift 0.23.0 (see Description). The vendor has not published a workaround for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which removes the recursion bug.
  • If an upgrade is not immediately possible, limit exposure: bind the Thrift service to trusted networks, require authentication at the network layer where possible, and cap the accepted message or frame size at the transport or a fronting proxy. A size cap is only a partial mitigation, because each nesting level costs only a few bytes of payload, so it bounds recursion depth indirectly at best.
  • Configure the application or its supervisor to restart the Thrift process automatically after a crash, and alert on the Node.js stack‑overflow signature (RangeError: Maximum call stack size exceeded) in process logs; repeated occurrences tied to the same peer are a strong indicator of exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 12:14 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apache; Apache thrift
Vendors & Products | | Apache; Apache thrift

Tue, 28 Apr 2026 10:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 28 Apr 2026 10:00:00 +0000

Type | Values Removed | Values Added
Description | | Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title | | Apache Thrift: Node.js skip() recursion
Weaknesses | | CWE-674
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T12:15:44.118Z

Reserved: 2026-04-21T22:23:34.001Z

Link: CVE-2026-41636

Vulnrichment

Updated: 2026-04-28T09:52:15.152Z

NVD

Status : Received

Published: 2026-04-28T10:16:03.687

Modified: 2026-04-28T10:16:03.687

Link: CVE-2026-41636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:30Z

Weaknesses