Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Endpoint is reachable over the network with no auth or user interaction; a single crafted request crashes the process, giving high availability impact only, with no confidentiality or integrity effect and no scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to terminate. This issue can be exploited over the network without authentication and results in service unavailability. The duration of impact may vary depending on system configuration and dataset size. This issue has been patched in versions 29.1 and 30.2.
AnalysisAI
Unauthenticated denial-of-service in Typesense search engine versions prior to 29.1 and 30.2 allows remote attackers to terminate the server process by sending a crafted request to the /multi_search endpoint. The flaw triggers an unhandled exception during request processing, causing complete service unavailability for the duration of restart and dataset reload. No public exploit identified at time of analysis, and the low EPSS score (0.10%) suggests limited current exploitation interest despite the high CVSS 4.0 score of 8.7.
Technical ContextAI
Typesense is an open-source, typo-tolerant search engine written in C++ commonly deployed as a backend for application search features, often as an alternative to Elasticsearch or Algolia. The vulnerable /multi_search endpoint accepts batched search queries and, per the advisory, fails to handle a specific malformed input pattern, resulting in an unhandled C++ exception that crashes the process. The CWE-754 (Improper Check for Unusual or Exceptional Conditions) root cause indicates the parsing or query-handling logic does not validate or catch an edge case before it propagates up the stack. The affected CPE cpe:2.3:a:typesense:typesense covers all versions of the product prior to the fixed releases.
RemediationAI
Vendor-released patch: upgrade to Typesense 29.1 if on the 29.x branch, or 30.2 if on the 30.x branch, as documented in advisory https://github.com/typesense/typesense/security/advisories/GHSA-fpx5-8c99-247j. Until upgrade is possible, restrict network reachability of the /multi_search endpoint to trusted application backends only via firewall, reverse-proxy ACLs, or a service mesh - note that this breaks any direct browser-to-Typesense search patterns and requires routing client search through your own backend. Rate-limiting and request-size limits on /multi_search at an upstream proxy reduce crash frequency but do not prevent a single malformed request from terminating the process, so pair with a process supervisor (systemd Restart=always, Kubernetes liveness probe) to minimize downtime per crash.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36512