CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL - with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Analysis
Unbounded recursion in FastFeedParser (Python RSS/Atom parser) allows remote attackers to crash applications via malicious HTML meta-refresh redirect chains. All versions prior to 0.5.10 are affected: when parse() fetches an attacker-controlled URL, a server that keeps returning meta-refresh redirects exhausts the Python call stack, because there is no recursion depth limit, and the result is denial of service. …
Remediation
Within 24 hours: identify all applications and systems using FastFeedParser (check requirements.txt, pip freeze, and dependency manifests) and document version numbers in use. Within 7 days: implement URL validation and parsing timeout controls; restrict parse() operations to trusted feed sources only; and monitor upstream FastFeedParser GitHub repository for patch release (target version 0.5.10 or later when available). …
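The controls the description lists as missing (a hop cap, visited-URL deduplication, and validation of each hop rather than only the first URL) can be sketched as a bounded loop in place of recursion. This is an added example, not FastFeedParser's code or its 0.5.10 fix; `resolve_feed`, `fetch`, `check_url`, the cap of 5 and the `example.test` pages are hypothetical names and constructed data.

```python
import re
from urllib.parse import urljoin

# Hypothetical names; not FastFeedParser's code and not its 0.5.10 fix.
MAX_META_REDIRECTS = 5
# Simplified matcher for <meta http-equiv="refresh" content="0; url=...">.
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
    r'content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.IGNORECASE)

class RedirectLimitError(Exception):
    """Raised when a meta-refresh chain loops or exceeds the hop cap."""

def resolve_feed(url, fetch, check_url=lambda u: None,
                 max_redirects=MAX_META_REDIRECTS):
    """Follow meta-refresh hops in a loop; return (final_url, body).

    fetch: callable url -> body text (injected so this runs offline).
    check_url: caller's URL policy; it should raise on a disallowed URL.
    """
    visited = set()
    for _ in range(max_redirects + 1):
        if url in visited:
            raise RedirectLimitError(f"redirect loop at {url}")
        visited.add(url)
        check_url(url)  # validate every hop, not only the first URL
        body = fetch(url)
        match = _META_REFRESH.search(body)
        if match is None:
            return url, body  # not a refresh page: pass to the feed parser
        url = urljoin(url, match.group(1))
    raise RedirectLimitError(f"more than {max_redirects} meta-refresh hops")

def _refresh(target):
    return f'<meta http-equiv="refresh" content="0; url={target}">'

# Constructed sample responses; example.test is a placeholder host.
PAGES = {
    "http://example.test/a": _refresh("/b"),
    "http://example.test/b": _refresh("/feed.xml"),
    "http://example.test/feed.xml": "<rss version='2.0'><channel/></rss>",
    "http://example.test/loop1": _refresh("/loop2"),
    "http://example.test/loop2": _refresh("/loop1"),
}

def endless_fetch(url):
    """Constructed stand-in for a server whose every page refreshes onward."""
    return _refresh(url + "x")
```

The visited set stops a chain that cycles back on itself, while the hop cap is what stops a chain of always-new URLs, which deduplication alone cannot catch.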
EUVD-2026-19915
GHSA-4gx2-pc4f-wq37