Description
fzf is vulnerable to a Denial of Service (DoS) in --listen mode due to inefficient HTTP body processing: the request body is assembled by repeated string concatenation, giving quadratic time complexity (O(n²)). A crafted POST request delivered in many small segments can trigger excessive CPU usage during request handling. This allows a single malicious request to monopolize the single-threaded HTTP server, blocking all other clients and resulting in denial of service.

This issue was fixed in version 0.73.1.
Published: 2026-06-30
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in fzf's --listen HTTP server causes a denial of service. An attacker sends a POST request whose body arrives in many small segments. The server assembles the body by concatenating each segment onto an immutable string, so every segment copies everything received so far and the total work grows quadratically with the body size. Because the listener handles one request at a time, a single such request keeps the handler busy on CPU for as long as the copying takes, and no other client is served until it finishes.
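The pattern the description names, shown as an added example in Go (fzf's implementation language). This is illustrative code written for this page, not fzf's source: `dribbleReader`, `readBodyQuadratic`, `readBodyLinear`, `measure` and the 4 MiB cap are assumed names and values. `dribbleReader` stands in for a peer that sends the body in tiny TCP segments (constructed input); `readBodyQuadratic` appends each segment to a Go string, so every `+=` copies all bytes received so far, while `readBodyLinear` fills one pre-sized buffer with `io.ReadFull` and rejects a Content-Length above a cap, which bounds both CPU and memory per request.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

// dribbleReader stands in for a peer that delivers the request body in tiny
// TCP segments: each Read hands back at most `segment` bytes. The body it
// serves is constructed test input, not captured traffic.
type dribbleReader struct {
	data    []byte
	segment int
}

func (d *dribbleReader) Read(p []byte) (int, error) {
	if len(d.data) == 0 {
		return 0, io.EOF
	}
	n := d.segment
	if n > len(p) {
		n = len(p)
	}
	if n > len(d.data) {
		n = len(d.data)
	}
	copy(p, d.data[:n])
	d.data = d.data[n:]
	return n, nil
}

// readBodyQuadratic reads contentLength bytes by appending every segment to a
// Go string. Strings are immutable, so each `+=` allocates a new string and
// copies everything received so far (CWE-1046); with k-byte segments the
// total copying is about n^2/(2k) bytes for an n-byte body (CWE-407).
// Illustration of the pattern the advisory names, not fzf's source.
func readBodyQuadratic(r io.Reader, contentLength int) (string, error) {
	body := ""
	buf := make([]byte, 4096)
	for len(body) < contentLength {
		want := contentLength - len(body)
		if want > len(buf) {
			want = len(buf)
		}
		n, err := r.Read(buf[:want])
		if err != nil {
			return "", err
		}
		body += string(buf[:n])
	}
	return body, nil
}

// readBodyLinear does the same job in O(n): one buffer sized from
// Content-Length, filled by io.ReadFull, so the segment size no longer
// matters. maxBody (an assumed policy value) rejects a hostile Content-Length
// before any allocation, bounding memory as well as CPU per request.
func readBodyLinear(r io.Reader, contentLength, maxBody int) (string, error) {
	if contentLength < 0 || contentLength > maxBody {
		return "", errors.New("request body exceeds limit")
	}
	buf := make([]byte, contentLength)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", err // io.ErrUnexpectedEOF when the peer sends fewer bytes
	}
	return string(buf), nil
}

// measure times both readers over a size-byte body delivered segment bytes
// at a time and returns the two durations (and an error if they disagree).
func measure(size, segment int) (quad, lin time.Duration, err error) {
	body := bytes.Repeat([]byte("a"), size)

	start := time.Now()
	q, err := readBodyQuadratic(&dribbleReader{data: body, segment: segment}, size)
	quad = time.Since(start)
	if err != nil {
		return
	}

	start = time.Now()
	l, err := readBodyLinear(&dribbleReader{data: body, segment: segment}, size, 4<<20)
	lin = time.Since(start)
	if err != nil {
		return
	}
	if q != l {
		err = errors.New("readers disagree")
	}
	return
}

func main() {
	// 32 KiB arriving one byte at a time: ~32k concatenations, ~512 MiB copied.
	for _, segment := range []int{1, 16, 4096} {
		quad, lin, err := measure(32*1024, segment)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%5d-byte segments: string += %v, io.ReadFull %v\n", segment, quad, lin)
	}
}
```

Running it shows the string-concatenation reader slowing sharply as segments shrink while the `io.ReadFull` reader stays flat; the defender-side change is small (one pre-sized buffer and a size limit), which is why the fix is a version upgrade rather than a configuration change.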

Affected Systems

All releases of fzf before 0.73.1 are affected when run with --listen; without --listen no HTTP server is started and the vulnerable code path is not reachable. Version 0.73.1 and later contain the fix.

Risk and Exploitability

The CNA's CVSS 4.0 base score of 5.7 (medium) rates the attack vector as local (AV:L) with low privileges (PR:L) and attack requirements present (AT:P), while Red Hat's CVSS 3.1 assessment (7.5, AV:N/PR:N) treats the listener as reachable over the network without authentication. In practice the exposure depends on where the --listen socket is bound: a listener reachable from other hosts can be taken down by a single unauthenticated HTTP request, with no user interaction and no further tooling. The EPSS score is not available, the vulnerability is not in the CISA KEV list, and the SSVC assessment records no known exploitation, but the request is trivial to construct and the single-threaded server means denial of service is immediate once it lands.

Generated by OpenCVE AI on June 30, 2026 at 13:20 UTC.

Remediation

Fixed in fzf 0.73.1, as stated in the CNA description. No separate workaround has been published beyond not enabling --listen.

OpenCVE Recommended Actions

  • Upgrade fzf to version 0.73.1 or later.
  • If the --listen mode is not required, disable it to eliminate the exposed HTTP endpoint.
  • Apply network‑level rate limiting or firewall rules to restrict or throttle access to the fzf HTTP listener.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:15:00 +0000

Type          Values Removed            Values Added
Weaknesses                              CWE-1046
References
Metrics       threat_severity: None     cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                        threat_severity: Moderate


Tue, 30 Jun 2026 14:30:00 +0000

Type          Values Removed            Values Added
Metrics                                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 12:30:00 +0000

Type          Values Removed            Values Added
Description                             fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling. This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.
Title                                   Denial of Service in fzf
Weaknesses                              CWE-407
References
Metrics                                 cvssV4_0: {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-30T13:32:52.251Z

Reserved: 2026-06-09T11:41:37.126Z

Link: CVE-2026-53433

Vulnrichment

Updated: 2026-06-30T13:32:45.588Z

NVD

No data.

Red Hat

Severity: Moderate

Public Date: 2026-06-30T12:01:14Z

Links: CVE-2026-53433 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-30T13:30:13Z

Weaknesses
  • CWE-1046

    Creation of Immutable Text Using String Concatenation

  • CWE-407

    Inefficient Algorithmic Complexity