
CVE-2026-27601: CWE-770: Allocation of Resources Without Limits or Throttling in jashkenas underscore

Severity: High
Tags: Vulnerability, CVE-2026-27601, CWE-770
Published: Tue Mar 03 2026 (03/03/2026, 22:38:38 UTC)
Source: CVE Database V5
Vendor/Project: jashkenas
Product: underscore

Description

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a deeply nested data structure, for example using JSON.parse, with no enforced depth limit. The data structure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a data structure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct data structures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another data structure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent data structures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not caught. This vulnerability is fixed in 1.13.8.

AI-Powered Analysis

Last updated: 03/03/2026, 23:03:27 UTC

Technical Analysis

CVE-2026-27601 affects underscore.js, a widely used JavaScript utility library, in versions before 1.13.8. The _.flatten and _.isEqual functions recurse once per nesting level with no maximum depth, so the recursion depth is dictated by the shape of the input. An attacker who can get a sufficiently deep structure into either function, for example by submitting a JSON body that the application parses with JSON.parse (which imposes no nesting limit of its own), can drive the recursion past the engine's call-stack limit. For _.flatten, exploitation requires that the input consist of arrays at every level and that the call omit a finite depth as the second argument. For _.isEqual, it requires a code path in which two distinct but structurally equivalent values originating from the same client are compared, for instance data stored earlier and later compared against a fresh submission from the same client, or a single request parsed twice into two separate objects. When the limit is hit, the engine throws a RangeError ("Maximum call stack size exceeded") from inside the library, and underscore does not catch it. Whether that surfaces as one failed request or as a terminated Node.js process depends on whether anything above the call catches the exception; an exception escaping an asynchronous path with no handler ends the process, which is the Denial of Service (DoS) outcome. The vulnerability requires no authentication or user interaction and is reachable over the network wherever the preconditions above hold. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It was publicly disclosed on March 3, 2026 and fixed in underscore.js 1.13.8. No exploitation in the wild has been reported, but the CVSS score of 8.2 reported for this CVE reflects a significant availability risk for affected applications.

Potential Impact

The primary impact of CVE-2026-27601 is Denial of Service (DoS): a stack overflow raised by unbounded recursion in underscore.js. Organizations running vulnerable versions in web applications that accept deeply nested JSON from untrusted sources and pass it to _.flatten or _.isEqual may see failed requests or outright service outages, with the usual consequences for operations, user experience, revenue and reputation. Because underscore.js is embedded in a large number of JavaScript applications, the population of potentially affected systems is broad, although the narrow preconditions (all-array input with no depth argument for _.flatten; two client-controlled structures compared with _.isEqual) mean only a subset of those deployments is actually reachable. Confidentiality and integrity are not directly affected; availability is. The attack needs no authentication or user interaction, so it lends itself to automated, repeated requests against a vulnerable endpoint, and server-side code that flattens or compares client-submitted structures is the most exposed. The absence of exception handling around the overflow makes failures ungraceful rather than contained. No exploitation in the wild has been reported, but the low cost of crafting the input makes this a plausible target for anyone aiming to disrupt a service.

Mitigation Recommendations

To mitigate CVE-2026-27601, upgrade underscore.js to version 1.13.8 or later, where the issue is fixed. If an immediate upgrade is not feasible, enforce a nesting-depth limit on untrusted input before it reaches the library: reject JSON bodies that exceed a threshold your schema actually needs (a few dozen levels is generous for most APIs), ideally by scanning the text before JSON.parse rather than after the structure has already been allocated. When calling _.flatten, always pass a finite depth as the second argument; that alone bounds the recursion. For _.isEqual, avoid comparing two distinct structures derived from untrusted input without first validating or normalizing them, and apply the same depth check to values loaded back from storage, since they originated from a client too. Wrapping calls to _.flatten and _.isEqual in exception handling is a useful backstop (the RangeError is catchable in synchronous code), but it is not a fix: the work up to the overflow has still been done, and an exception escaping an asynchronous path can still take the process down. Add rate limiting and monitoring on endpoints that accept complex JSON so that repeated oversized or abnormally deep payloads are visible and throttled. Review code for paths that flatten or compare untrusted nested data, and keep dependency management and advisory monitoring current so patches like this one are applied promptly.
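The following is an added example, not code from underscore.js or from the CVE record, that ties the technical analysis and the mitigation advice above together in Node.js: it builds the kind of all-array nested input the advisory describes, shows a depth-unbounded recursive flatten (written here to illustrate the pattern, not underscore's own implementation) overflowing the call stack while a depth-bounded one does not, and then implements the two guards a practitioner would add in front of _.flatten and _.isEqual. The names `jsonNestingDepth`, `valueNestingDepth`, `parseBounded` and the limit `MAX_DEPTH` are assumptions chosen for this example; the sample inputs are constructed inline.

```javascript
'use strict';

// Constructed sample inputs (not taken from any real traffic).
function nestedArrayJson(depth) {
  return '['.repeat(depth) + ']'.repeat(depth);   // e.g. "[[[]]]" for depth 3
}
function nestedArrayValue(depth) {
  let value = [];
  for (let i = 1; i < depth; i++) value = [value];
  return value;
}

// Unbounded recursive flatten, illustrating the pattern the advisory describes
// (not underscore's code). Every nesting level costs one call frame, so a deep
// enough input exhausts the engine's stack.
function naiveFlatten(input, output = []) {
  for (const item of input) {
    if (Array.isArray(item)) naiveFlatten(item, output);
    else output.push(item);
  }
  return output;
}

// Depth-bounded variant: recursion can never go more than `depth` frames deep.
// Past the limit, nested arrays are appended as-is instead of being descended.
function boundedFlatten(input, depth, output = []) {
  for (const item of input) {
    if (Array.isArray(item) && depth > 0) boundedFlatten(item, depth - 1, output);
    else output.push(item);
  }
  return output;
}

// Maximum bracket nesting of a JSON text, measured with a linear scan that
// skips string contents. Runs before JSON.parse, so hostile input is rejected
// before anything is allocated or recursed into.
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      if (++depth > max) max = depth;
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return max;
}

// Maximum nesting of an already-parsed value (e.g. a record loaded back from a
// database before an _.isEqual comparison), computed with an explicit stack so
// the check itself cannot overflow.
function valueNestingDepth(value) {
  let max = 0;
  const stack = [[value, 0]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth + 1 > max) max = depth + 1;
    for (const child of Array.isArray(node) ? node : Object.values(node)) {
      stack.push([child, depth + 1]);
    }
  }
  return max;
}

// Hypothetical request-body guard: parse only what passes the depth check.
const MAX_DEPTH = 32;   // assumption: tune to what your schema actually needs
function parseBounded(text, maxDepth = MAX_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) throw new RangeError(`nesting depth ${depth} exceeds ${maxDepth}`);
  return JSON.parse(text);
}

// True if the unbounded flatten overflowed the call stack on an input of this depth.
function overflows(depth) {
  try {
    naiveFlatten(nestedArrayValue(depth));
    return false;
  } catch (err) {
    return err instanceof RangeError;   // "Maximum call stack size exceeded"
  }
}

function demo() {
  console.log('unbounded flatten overflows at depth 100000:', overflows(100000));
  console.log('bounded flatten (depth 8) on the same input, items:', boundedFlatten(nestedArrayValue(100000), 8).length);
  try { parseBounded(nestedArrayJson(100000)); } catch (err) { console.log('rejected before parse:', err.message); }
  console.log('ordinary body accepted:', JSON.stringify(parseBounded('{"tags":[["a","]"],[]]}')));
}
demo();
```

The bounded flatten is the same guarantee that passing a finite second argument to _.flatten gives you: the number of frames is capped by the argument, not by the attacker. The two depth functions cover the two entry points the advisory names, text arriving over the network and values already in storage, and both are iterative so the guard cannot fail in the same way as the code it protects.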


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T19:43:14.602Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a76534d1a09e29cb81f9ac

Added to database: 3/3/2026, 10:48:20 PM

Last enriched: 3/3/2026, 11:03:27 PM

Last updated: 3/4/2026, 7:52:38 AM

Views: 10
