Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Uncontrolled recursion in the Electron ASAR parser allows a crafted archive file to exhaust the thread stack, crashing NanaZip. The flaw is caused by the parser lacking depth limits when handling nested JSON within the archive header, leading to stack exhaustion during parsing of maliciously crafted .asar files. This results in a local denial of service, as the application terminates unexpectedly.
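
A depth pre-check in the spirit of the fix, added here as an example and not NanaZip's own code: measure how deeply the ASAR header JSON nests (objects and arrays, ignoring brackets inside strings) and reject it before it reaches nlohmann::json::parse or the GetAllPaths walker. The function names, the depth limit and the nested_asar_header sample builder are assumptions.

```cpp
// Added example, not NanaZip code: bound the nesting depth of an ASAR header
// before handing it to a recursive JSON parser or path walker.
#include <cstddef>
#include <string>

// Returns the maximum object/array nesting depth of `header`. Brackets inside
// JSON strings (including escaped quotes) are ignored. The scan stops as soon
// as the depth exceeds `limit`, so the check itself is cheap on huge inputs.
std::size_t asar_header_max_depth(const std::string& header, std::size_t limit) {
    std::size_t depth = 0, max_depth = 0;
    bool in_string = false, escaped = false;
    for (char c : header) {
        if (in_string) {
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '{': case '[':
                if (++depth > max_depth) max_depth = depth;
                if (max_depth > limit) return max_depth;  // bail out early
                break;
            case '}': case ']':
                if (depth > 0) --depth;
                break;
            default: break;
        }
    }
    return max_depth;
}

// Policy check: only headers nested no deeper than `limit` go on to the parser.
bool asar_header_depth_ok(const std::string& header, std::size_t limit) {
    return asar_header_max_depth(header, limit) <= limit;
}

// Constructed sample: an ASAR "files" tree with `levels` nested directories,
// each directory adding two levels of JSON nesting ({"files":{...}}).
std::string nested_asar_header(std::size_t levels) {
    std::string open, close;
    for (std::size_t i = 0; i < levels; ++i) {
        open  += "{\"files\":{\"d\":";
        close += "}}";
    }
    return open + "{\"files\":{}}" + close;
}
```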

Affected Systems

The vulnerability affects NanaZip versions from 5.0.1252.0 up to but not including 6.0.1698.0. All installations of this open-source archival tool from M2Team that have not been updated to 6.0.1698.0 or later are susceptible.

Risk and Exploitability

The CVSS v3.1 base score of 3.3 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) places this vulnerability in the Low severity band, with an availability-only impact. Exploitation requires the attacker to supply a specially crafted .asar file and convince a user to open it, so the attack vector is local and user interaction is required. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, any user who can get NanaZip to open a malicious archive can cause a denial of service on that system; no privileges are required.

Generated by OpenCVE AI on May 12, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1698.0 or later, where the ASAR parser limits recursion depth.
  • Avoid opening unknown or untrusted .asar files with the current NanaZip installation.
  • Implement a policy to scan or quarantine archive files before they are extracted or opened by NanaZip.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           M2team; M2team nanazip
Vendors & Products   (none)           M2team; M2team nanazip

Tue, 12 May 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.
Title         (none)           NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion
Weaknesses    (none)           CWE-674
References    (none)           (none listed)
Metrics       (none)           cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T19:20:35.273Z

Reserved: 2026-04-26T13:26:14.516Z

Link: CVE-2026-42355

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T20:16:41.260

Modified: 2026-05-12T20:16:41.260

Link: CVE-2026-42355

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses