Fzf
Monthly
Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. An attacker with access to the listening socket can send a single crafted POST request with many small body segments to monopolize the single-threaded server, blocking all other clients indefinitely. No public exploit identified at time of analysis; vendor-released patch is available in version 0.73.1.
Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. No public exploit code has been identified and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 5.6 (AT:P, UI:A) reflects that exploitation requires atypical input volumes and active user or script interaction.
Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. An attacker with access to the listening socket can send a single crafted POST request with many small body segments to monopolize the single-threaded server, blocking all other clients indefinitely. No public exploit identified at time of analysis; vendor-released patch is available in version 0.73.1.
Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. No public exploit code has been identified and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 5.6 (AT:P, UI:A) reflects that exploitation requires atypical input volumes and active user or script interaction.