CVSS 7.5 · HIGH
CVE-2026-41636
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Analysis
Apache Thrift Node.js bindings prior to version 0.23.0 are vulnerable to uncontrolled recursion. This flaw can be exploited to crash backend services, leading to a Denial of Service. Teams using Thrift for inter-service communication in Node.js environments should upgrade to the latest version to maintain service availability.
Severity
Score: 7.5 (HIGH)
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Weakness (CWE):
CWE-674
EPSS
Probability of exploitation (next 30 days): 0.0023 (0.2%)
Percentile: 45.4%
EPSS: 2026-05-06
Affects
apache:thrift
Technical description
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 4/28/2026, 10:16:03 AM
Last modified: 4/28/2026, 6:38:39 PM