Skip to main content

Underscore CVE-2026-27601

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-03 security-advisories@github.com GHSA-qpx9-hpmf-5gmw
Denial Of Service Underscore
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 15:07 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 15:07 NVD
7.5 (HIGH) 8.2 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 21:08 vuln.today
Public exploit code
Patch released
Mar 05, 2026 - 21:08 nvd
Patch available
CVE Published
Mar 03, 2026 - 23:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 53,545 npm packages depend on underscore (17,776 direct, 36,366 indirect)

Ecosystem-wide dependent count for version 1.13.8.

DescriptionGitHub Advisory

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.

AnalysisAI

Unbounded recursion in Underscore.js versions before 1.13.8 enables denial of service attacks when the _.flatten or _.isEqual functions process deeply nested untrusted data structures. An attacker can trigger stack overflow conditions by supplying specially crafted recursive input, causing affected applications to crash. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft deeply nested JSON structure
Delivery
Pass to _.flatten or _.isEqual
Exploit
Trigger unlimited recursion
Execution
Stack overflow
Impact
Denial of Service
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Application must parse untrusted JSON input without depth validation, then pass resulting object to _.flatten or _.isEqual functions in Underscore.js versions prior to 1.13.8. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all applications and dependencies using Underscore.js and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-27601 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy