Skip to main content

Thrift CVE-2019-3565

HIGH
Excessive Iteration (CWE-834)
2019-05-06 cve-assign@fb.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
May 06, 2019 - 16:29 nvd
HIGH 7.5

DescriptionNVD

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.05.06.00.

AnalysisAI

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-834. Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service.05.06.00. Affected products include: Facebook Thrift.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Thrift

View all
CVE-2021-24028 CRITICAL
9.8 Apr 14

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code e

CVE-2026-41604 HIGH
8.2 Apr 28

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigge

CVE-2026-41602 HIGH
7.5 Apr 28

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash

CVE-2019-0210 HIGH
7.5 Oct 29

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when f

CVE-2019-0205 HIGH
7.5 Oct 29

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with

CVE-2019-3564 HIGH
7.5 May 06

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high

CVE-2019-3559 HIGH
7.5 May 06

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated hi

CVE-2019-3558 HIGH
7.5 May 06

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated

CVE-2019-3552 HIGH
7.5 May 06

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown ty

CVE-2026-41603 HIGH
7.4 Apr 28

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle

CVE-2026-41605 HIGH
7.3 Apr 28

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthen

CVE-2026-43869 HIGH
7.3 May 05

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.2

Share

CVE-2019-3565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy