How to fix CVE-2025-50537?

Within 30 days: Identify affected systems running eslint and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Stack Overflow affected by CVE-2025-50537?

Organizations using eslint should be aware of moderate risk from CVE-2025-50537 rated CVSS 5.5. Exploitation could compromise the security of affected deployments. Proof-of-concept code is publicly available. Organizations should apply vendor updates when available and monitor for exploitation.

CVE-2025-50537

MEDIUM

2026-01-26 [email protected]

5.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 04, 2026 - 15:11 vuln.today

Public exploit code

CVE Published

Jan 26, 2026 - 16:15 nvd

MEDIUM 5.5

Description

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

Analysis

Technical Context

Classified as CWE-674 (Uncontrolled Recursion). Affects Eslint. Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ult

Affected Products

Vendor: Openjsf. Product: Eslint. Versions: up to 9.26.0.

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +28

POC: +20

Vendor Status

CVE-2025-50537 vulnerability details – vuln.today

Back

CVE-2025-50537

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-50537

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code