Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio_json_parse can enter an infinite loop when it encounters a nested JSON value starting with i or I. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because iodine vendors the same parser code, the issue also affects iodine when it parses attacker-controlled JSON. The smallest reproducer I found is [i. The quoted-value form that originally exposed the issue, [""i, reaches the same bug because the parser tolerates missing commas and then treats the trailing i as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
AnalysisAI
Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the fio_json_parse function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.
Technical ContextAI
facil.io is a C-based micro-framework for high-performance web applications, and iodine is a Ruby web server that vendors the same C parser code. The vulnerability resides in the fio_json_parse function's state machine logic for handling JSON values. When the parser encounters a nested value beginning with 'i' or 'I' (such as the two-character payload '[i'), it enters an infinite loop in user space rather than properly identifying the invalid token and returning a parse error. The root cause is CWE-400 (Uncontrolled Resource Consumption), specifically an algorithmic complexity flaw where malformed input triggers worst-case parsing behavior. The affected CPE identifiers are cpe:2.3:a:boazsegev:facil.io:*:*:*:*:*:*:*:* and cpe:2.3:a:boazsegev:iodine:*:*:*:*:*:*:*:*, with all versions prior to the fix commit vulnerable. The parser's tolerance for missing commas in JSON arrays compounds the issue, as quoted-value forms like '[""i' also trigger the same code path after the parser consumes the empty string and treats the trailing 'i' as a new value.
RemediationAI
Upgrade to facil.io commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later, or upgrade iodine to version 0.7.59 or later, as documented in the vendor advisory at https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm. The fix commit at https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0 corrects the parser state machine to properly reject invalid tokens starting with 'i' or 'I'. If immediate patching is not feasible, implement request-level rate limiting and timeout enforcement (maximum 5-10 second request processing time) to contain resource exhaustion impact, though this only mitigates symptoms and does not prevent the CPU spin condition. Deploy web application firewalls or reverse proxies configured to validate JSON syntax before forwarding to the application, rejecting malformed payloads at the edge (note this adds latency and complexity but provides defense-in-depth). Monitor CPU utilization per worker process and implement automatic restart of workers exceeding sustained 90% CPU for more than 30 seconds to restore service availability during active attacks, though this creates service disruption and does not prevent repeated attacks.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24583
GHSA-2x79-gwq3-vxxm