NCalc CVE-2026-55254
MEDIUMSeverity by source
AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Network vector and no-privilege access apply when NCalc evaluates untrusted input via an API; only availability is impacted - no confidentiality or integrity effect.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in the factorial calculation logic.
Applications that evaluate untrusted expressions using affected versions of NCalc may be vulnerable to resource exhaustion, potentially resulting in service disruption or application unresponsiveness.
This issue can be triggered with expressions such as:
99999999999999!
9223372036854775807!
1.5e16!Patches
The vulnerability has been fixed by adding bounds validation for factorial operands and rejecting unsupported values before evaluation.
Users should upgrade to the first release containing the fix from pull request #575. (v6.1.1+)
Workarounds
If upgrading is not immediately possible:
- Do not evaluate expressions originating from untrusted users.
- Validate or sanitize expressions before evaluation and reject factorial operations on large values.
- Implement execution time limits, request timeouts, or cancellation mechanisms around expression evaluation.
These mitigations may reduce exposure but do not fully address the underlying vulnerability.
AnalysisAI
Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must pass attacker-controlled or untrusted string input directly to NCalc's expression evaluator (e.g., Expression.Evaluate()) without pre-validating or sanitizing factorial operands. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.8 (AV:A/AC:H/PR:N/UI:R) reflects a conservative scope: adjacent-network attack vector and user-interaction required imply constrained exploitation conditions, keeping the score in the medium range despite A:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits the expression '9223372036854775807!' through any application endpoint that passes user-controlled strings to NCalc for evaluation - for example, a reporting engine, spreadsheet formula API, or configuration DSL. NCalc's MathHelper.Factorial() dispatches the Int64.MaxValue operand to the unbounded calculation loop, which overflows and enters a non-terminating state, consuming 100% of a CPU core. … |
| Remediation | Upgrade NCalc.Core and NCalcSync to v6.1.1 or later, which contains the bounds-validation fix from PR #575 (https://github.com/ncalc/ncalc/pull/575). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-3w5p-95mh-gq75