Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3Description PRE-NVD
AnalysisAI
Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.
Technical ContextAI
Apache Thrift is a cross-language RPC framework supporting code generation for multiple languages including Rust, Java, and Node.js. CWE-789 (Uncontrolled Memory Allocation) typically indicates improper input validation that allows an attacker to cause excessive memory consumption through crafted requests. The vulnerability appears to replicate patterns from CVE-2020-13949 in the Rust implementation, suggesting a memory exhaustion or allocation flaw in deserialization or message parsing logic common across Thrift's polyglot architecture. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) confirms network-accessible, unauthenticated remote triggering with low attack complexity.
RemediationAI
Vendor-released patch: Apache Thrift 0.23.0 or later. Immediately upgrade all Thrift deployments to version 0.23.0 or the latest stable release. Organizations unable to upgrade immediately should implement request-rate limiting and memory quotas at the RPC layer, validate incoming message sizes before parsing, and monitor service memory consumption for anomalous patterns. If Thrift services are directly internet-facing, restrict network access via firewall rules to trusted clients and consider placing services behind load balancers with request filtering. Note that memory-exhaustion DoS mitigations have operational cost (false-positive rate limiting) and should be paired with application-level logging to detect actual exploitation attempts.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27243