Impact
The vulnerability in fzf's HTTP listener causes a denial of service. An attacker can send a specially crafted POST request packed with many small data segments. The server assembles the body by repeatedly concatenating strings, so each segment copies everything received so far and total work grows quadratically with the number of segments. Each such payload forces the single-threaded HTTP handler to consume excessive CPU, starving the server of resources and preventing legitimate clients from reaching the listener.
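The quadratic pattern described above, as an added illustration that is not fzf's own code: one reader accumulates body segments with string concatenation and counts how many bytes it copies, the other uses an amortised builder and a byte cap so an unauthenticated client cannot make the handler buffer more than the configured limit. Chunk sizes, the limit, and the function names are assumptions chosen for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// readBodyQuadratic models the weak pattern: every segment is appended with
// string concatenation, so each append copies the whole body accumulated so far.
// It returns the body and the total number of bytes copied during assembly,
// which for m equal segments of c bytes is c*m*(m+1)/2.
func readBodyQuadratic(r io.Reader, chunkSize int) (string, int64, error) {
	body := ""
	var copied int64
	buf := make([]byte, chunkSize)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			body += string(buf[:n]) // allocates and copies len(body)+n bytes
			copied += int64(len(body))
		}
		if err == io.EOF {
			return body, copied, nil
		}
		if err != nil {
			return "", copied, err
		}
	}
}

// readBodyLinear is the hardened form: strings.Builder grows amortised, so the
// work is linear in the body size, and io.LimitReader bounds how much the
// handler will buffer at all. Bodies larger than maxBytes are rejected.
func readBodyLinear(r io.Reader, chunkSize int, maxBytes int64) (string, error) {
	var sb strings.Builder
	lr := io.LimitReader(r, maxBytes+1) // one extra byte lets us detect overflow
	buf := make([]byte, chunkSize)
	for {
		n, err := lr.Read(buf)
		sb.Write(buf[:n])
		if int64(sb.Len()) > maxBytes {
			return "", errors.New("request body exceeds configured limit")
		}
		if err == io.EOF {
			return sb.String(), nil
		}
		if err != nil {
			return "", err
		}
	}
}

func main() {
	// Constructed sample: a 1000-byte body delivered as 1000 one-byte segments.
	src := strings.Repeat("ab", 500)
	_, copied, _ := readBodyQuadratic(strings.NewReader(src), 1)
	fmt.Printf("quadratic assembly copied %d bytes for a %d-byte body\n", copied, len(src))
	if _, err := readBodyLinear(strings.NewReader(src), 1, 512); err != nil {
		fmt.Println("linear reader with 512-byte cap:", err)
	}
}
```

The copy counter makes the cost visible without timing: 1000 one-byte segments cost 500500 byte copies in the quadratic version, while the builder copies each byte only a few times. The cap is a separate control; a linear reader without a limit still lets a client occupy memory proportional to what it sends.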
Affected Systems
All versions of the fzf utility released before 0.73.1 are affected. Users running any earlier release with the --listen HTTP server enabled are at risk. Releases 0.73.1 and later contain the fix.
Risk and Exploitability
The CVSS base score of 5.7 indicates a moderate impact. Because the exploit requires only network access to the fzf HTTP listener and depends on neither elevated privileges nor local code execution, any host exposing the listener to the Internet or an internal network can be targeted. The attack can be launched with a single HTTP request, without any external assistance. Although the EPSS score is not available and the vulnerability is not present in the CISA KEV list, the simplicity of the request and the single-threaded nature of the service mean that denial of service can be achieved rapidly.
OpenCVE Enrichment