Skip to main content

facil.io CVE-2026-41146

| EUVDEUVD-2026-24583 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-22 GitHub_M GHSA-2x79-gwq3-vxxm
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 29, 2026 - 20:46 nvd
Patch available
Re-analysis Queued
Apr 22, 2026 - 14:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 04:24 vuln.today
Patch available
Apr 22, 2026 - 03:01 EUVD
CVSS changed
Apr 22, 2026 - 02:22 NVD
8.7 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 02:00 euvd
EUVD-2026-24583
Analysis Generated
Apr 22, 2026 - 02:00 vuln.today
CVE Published
Apr 22, 2026 - 01:07 nvd
HIGH 8.7

DescriptionGitHub Advisory

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio_json_parse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because iodine vendors the same parser code, the issue also affects iodine when it parses attacker-controlled JSON. The smallest reproducer I found is [i. The quoted-value form that originally exposed the issue, [""i, reaches the same bug because the parser tolerates missing commas and then treats the trailing i as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.

AnalysisAI

Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the fio_json_parse function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.

Technical ContextAI

facil.io is a C-based micro-framework for high-performance web applications, and iodine is a Ruby web server that vendors the same C parser code. The vulnerability resides in the fio_json_parse function's state machine logic for handling JSON values. When the parser encounters a nested value beginning with 'i' or 'I' (such as the two-character payload '[i'), it enters an infinite loop in user space rather than properly identifying the invalid token and returning a parse error. The root cause is CWE-400 (Uncontrolled Resource Consumption), specifically an algorithmic complexity flaw where malformed input triggers worst-case parsing behavior. The affected CPE identifiers are cpe:2.3:a:boazsegev:facil.io:*:*:*:*:*:*:*:* and cpe:2.3:a:boazsegev:iodine:*:*:*:*:*:*:*:*, with all versions prior to the fix commit vulnerable. The parser's tolerance for missing commas in JSON arrays compounds the issue, as quoted-value forms like '[""i' also trigger the same code path after the parser consumes the empty string and treats the trailing 'i' as a new value.

RemediationAI

Upgrade to facil.io commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later, or upgrade iodine to version 0.7.59 or later, as documented in the vendor advisory at https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm. The fix commit at https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0 corrects the parser state machine to properly reject invalid tokens starting with 'i' or 'I'. If immediate patching is not feasible, implement request-level rate limiting and timeout enforcement (maximum 5-10 second request processing time) to contain resource exhaustion impact, though this only mitigates symptoms and does not prevent the CPU spin condition. Deploy web application firewalls or reverse proxies configured to validate JSON syntax before forwarding to the application, rejecting malformed payloads at the edge (note this adds latency and complexity but provides defense-in-depth). Monitor CPU utilization per worker process and implement automatic restart of workers exceeding sustained 90% CPU for more than 30 seconds to restore service availability during active attacks, though this creates service disruption and does not prevent repeated attacks.

Share

CVE-2026-41146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy