GHSA-mvmf-94v6-879g
fzf versions prior to 0.73.1 are vulnerable to a denial of service (DoS) attack in the --listen mode. The vulnerability arises from inefficient HTTP body processing using repeated string concatenation, causing quadratic time complexity (O(n²)). An attacker can send a crafted POST request with many small segments to trigger excessive CPU usage, monopolizing the single-threaded HTTP server and blocking other clients. This issue was fixed in version 0.73.1.
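The body-reading pattern the advisory describes, beside a linear-time replacement with a size cap, as an added illustration that is not fzf's own code. The function names, the 4096-byte read buffer and the one-byte-per-read client simulation are constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
	"testing/iotest"
)

// readBodyQuadratic mirrors the pattern the advisory describes (assumption,
// not fzf's code): += re-copies everything read so far on every segment, so
// n segments cost O(n^2) bytes. Returns the body and total bytes copied.
func readBodyQuadratic(r io.Reader) (string, int) {
	body, copied := "", 0
	buf := make([]byte, 4096)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			body += string(buf[:n])
			copied += len(body)
		}
		if err != nil {
			return body, copied
		}
	}
}

// readBodyLinear is the hardened form: bytes.Buffer grows geometrically, so
// copying is amortised O(n), and a size cap rejects oversized bodies early.
func readBodyLinear(r io.Reader, limit int64) (string, error) {
	var buf bytes.Buffer
	n, err := buf.ReadFrom(io.LimitReader(r, limit+1))
	if err == nil && n > limit {
		err = fmt.Errorf("body exceeds %d bytes", limit)
	}
	return buf.String(), err
}

// segments simulates a client that delivers the body one byte per read.
func segments(body string) io.Reader {
	return iotest.OneByteReader(strings.NewReader(body))
}

func main() {
	body := strings.Repeat("x", 20000)
	_, copied := readBodyQuadratic(segments(body))
	fmt.Printf("quadratic read copied %d bytes for a %d-byte body\n", copied, len(body))
	if _, err := readBodyLinear(segments(body), 1<<20); err != nil {
		fmt.Println(err)
	}
}
```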
AI Analysis
Technical Summary
The fzf tool's --listen mode suffers from a denial of service vulnerability due to inefficient handling of HTTP request bodies. Specifically, repeated string concatenation leads to quadratic time complexity during processing. A maliciously crafted POST request with numerous small segments can cause excessive CPU consumption, effectively blocking the single-threaded HTTP server from servicing other clients. This vulnerability was addressed and fixed in version 0.73.1.
Potential Impact
A single malicious POST request can cause excessive CPU usage in the fzf --listen mode HTTP server, resulting in denial of service by blocking all other clients. This impacts availability but does not indicate compromise of confidentiality or integrity.
Mitigation Recommendations
Upgrade fzf to version 0.73.1 or later, where this vulnerability has been fixed. No other mitigation is indicated.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-mvmf-94v6-879g
- Osv Schema Version: 1.4.0
- Aliases: ["CVE-2026-53433"]
- Ecosystems: []
- Database Specific Severity: MODERATE
- Cvss Version: 4.0
Threat ID: 6a4452f427e9c7971990198d
Added to database: 06/30/2026, 23:36:20 UTC
Last enriched: 06/30/2026, 23:57:54 UTC
Last updated: 07/01/2026, 00:11:15 UTC