BIT-thrift-2026-41636
Uncontrolled Recursion vulnerability in thrift (npm)

Uncontrolled Recursion · No known exploit

What is BIT-thrift-2026-41636 About?

This vulnerability in the Apache Thrift Node.js bindings allows uncontrolled recursion, which can lead to a denial of service. Attackers can trigger this condition by sending specially crafted input that drives the application into unbounded or excessively deep recursion. The impact can include server instability or crashes, and exploitation can be relatively straightforward if the recursive entry point is exposed.

Affected Software

thrift <0.23.0

Technical Details

The uncontrolled recursion vulnerability affects Apache Thrift Node.js bindings prior to version 0.23.0. While specific code internals are not detailed, in general, uncontrolled recursion vulnerabilities occur when a function or method calls itself, directly or indirectly, without a proper termination condition or depth limit. An attacker can craft input data that, when processed by the vulnerable component, forces the recursive function to call itself repeatedly, consuming excessive stack memory and CPU cycles. This leads to a stack overflow, application crash, or a state where the application becomes unresponsive, effectively causing a denial of service.
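As an added illustration (not Apache Thrift's code, whose affected internals the advisory does not detail), the following Node.js snippet decodes a constructed nested-list wire format and shows the mitigation pattern: a recursion-depth limit that turns unbounded nesting into a controlled, catchable error instead of stack exhaustion. The tag values and the byte format are invented for this example.

```javascript
// Added example, not Apache Thrift's code. Constructed wire format:
// 0x01 = begin list, 0x02 = end list, 0x03 = one int8 element follows.
const BEGIN_LIST = 0x01;
const END_LIST = 0x02;
const INT8 = 0x03;

// Depth cap chosen well below Node's default call-stack capacity.
const DEFAULT_MAX_DEPTH = 64;

class DepthLimitError extends Error {}

// Recursive descent decoder; every nested list costs one stack frame,
// so the depth argument is checked before descending.
function decode(buf, maxDepth = DEFAULT_MAX_DEPTH) {
  let pos = 0;
  function readValue(depth) {
    if (depth > maxDepth) {
      throw new DepthLimitError(`nesting deeper than ${maxDepth} levels`);
    }
    if (pos >= buf.length) throw new Error('truncated input');
    const tag = buf[pos++];
    if (tag === INT8) {
      if (pos >= buf.length) throw new Error('truncated input');
      return buf.readInt8(pos++);
    }
    if (tag === BEGIN_LIST) {
      const items = [];
      for (;;) {
        if (pos >= buf.length) throw new Error('truncated input');
        if (buf[pos] === END_LIST) { pos++; return items; }
        items.push(readValue(depth + 1));
      }
    }
    throw new Error(`unknown tag 0x${tag.toString(16)}`);
  }
  return readValue(0);
}

// Wrapper a server would use: never lets a decode failure escape as a crash.
function decodeSafely(buf, maxDepth) {
  try {
    return { ok: true, value: decode(buf, maxDepth) };
  } catch (e) {
    return { ok: false, depthLimited: e instanceof DepthLimitError, error: e.message };
  }
}

// Constructed inputs: [1, [2, 3]] and 100000 unclosed "begin list" bytes,
// which without the cap would recurse once per byte.
const benign = Buffer.from([0x01, 0x03, 0x01, 0x01, 0x03, 0x02, 0x03, 0x03, 0x02, 0x02]);
const deeplyNested = Buffer.alloc(100000, BEGIN_LIST);
```

With the cap in place `decodeSafely(deeplyNested)` returns a DepthLimitError result; with the cap disabled (`Infinity`) the same input fails uncontrolled, which is the behaviour a depth limit is meant to remove.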

What is the Impact of BIT-thrift-2026-41636?

Successful exploitation may allow attackers to cause a denial of service, leading to application instability, unresponsiveness, or crashes.

What is the Exploitability of BIT-thrift-2026-41636?

Exploitation typically involves sending specially crafted network requests or data that triggers the uncontrolled recursion. The complexity level can range from medium to low, depending on how easily a recursive entry point can be reached with malicious input. Authentication requirements would depend on whether the vulnerable functionality is exposed before or after authentication; it's often a remote attack vector. No specific privilege requirements are usually needed for uncontrolled recursion unless the vulnerable code path is behind an authenticated boundary. There are no explicit special conditions, but the risk increases if the application processes untrusted, complex data structures via Apache Thrift Node.js bindings.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for BIT-thrift-2026-41636?

Available Upgrade Options

  • thrift
    • <0.23.0 → Upgrade to 0.23.0


Additional Resources

What are Similar Vulnerabilities to BIT-thrift-2026-41636?

Similar Vulnerabilities: CVE-2023-34057, CVE-2022-23539, CVE-2021-4122, CVE-2020-13936, CVE-2019-0201