Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector because --listen binds locally; PR:L reflects access needed to reach the socket; pure availability impact with no C or I consequence.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service.
This issue was fixed in version 0.73.1.
AnalysisAI
Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target system runs fzf with the --listen flag explicitly specified, which is a non-default configuration used primarily for editor plugin integrations (e.g., Neovim fzf-lua, Vim plugins). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H) scores 5.7, reflecting a moderate-severity local availability issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local access to a system where fzf is running in --listen mode sends a single crafted HTTP POST request whose body is fragmented into a very large number of small segments. The O(n²) string concatenation in the body parser causes the single-threaded HTTP server to consume excessive CPU time processing the request, effectively hanging it and denying service to any other process or user attempting to interact with the fzf instance. … |
| Remediation | Upgrade fzf to version 0.73.1 or later, which contains the upstream fix (commit 7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce) replacing the inefficient string concatenation with a buffered approach. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40303
GHSA-mvmf-94v6-879g