Skip to main content

fzf CVE-2026-53433

| EUVDEUVD-2026-40303 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-06-30 CERT-PL GHSA-mvmf-94v6-879g
5.7
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local attack vector because --listen binds locally; PR:L reflects access needed to reach the socket; pure availability impact with no C or I consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 30, 2026 - 14:01 EUVD
Analysis Generated
Jun 30, 2026 - 12:51 vuln.today

DescriptionCVE.org

fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service.

This issue was fixed in version 0.73.1.

AnalysisAI

Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify system running fzf --listen
Delivery
Locate HTTP listener port
Exploit
Craft POST request with fragmented body
Execution
Send request to fzf HTTP server
Persist
Trigger O(n²) CPU exhaustion
Impact
Block all subsequent fzf clients

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target system runs fzf with the --listen flag explicitly specified, which is a non-default configuration used primarily for editor plugin integrations (e.g., Neovim fzf-lua, Vim plugins). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H) scores 5.7, reflecting a moderate-severity local availability issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local access to a system where fzf is running in --listen mode sends a single crafted HTTP POST request whose body is fragmented into a very large number of small segments. The O(n²) string concatenation in the body parser causes the single-threaded HTTP server to consume excessive CPU time processing the request, effectively hanging it and denying service to any other process or user attempting to interact with the fzf instance. …
Remediation Upgrade fzf to version 0.73.1 or later, which contains the upstream fix (commit 7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce) replacing the inefficient string concatenation with a buffered approach. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy