Spin CVE-2026-27887
Lifecycle Timeline
2DescriptionCVE.org
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest application could incrementally insert a large number of rows or values into a database and then retrieve them all in a single query, leading to large host allocations. Spin 3.6.1, SpinKube 0.6.2, and containerd-shim-spin 0.22.1 have been patched to address the issue. As a workaround, configure Spin to only allow access to trusted databases and HTTP servers which limit response sizes.
AnalysisAI
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g.
Technical ContextAI
Classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Spin is an open source developer tool for building and running serverless applications powered by WebAssembly. When Spin is configured to allow connections to a database or web server which could return responses of unbounded size (e.g. tables with many rows or large content bodies), Spin may in some cases attempt to buffer the entire response before delivering it to the guest, which can lead to the host process running out of memory, panicking, and crashing. In addition, a malicious guest appli
Affected ProductsAI
Spin is an open source developer tool for building and running serverless applications powered by WebAssembly
RemediationAI
Monitor vendor advisories for a patch.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today