Skip to main content

Fzf

2 CVEs product

Monthly

CVE-2026-53433 MEDIUM PATCH This Month

Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. An attacker with access to the listening socket can send a single crafted POST request with many small body segments to monopolize the single-threaded server, blocking all other clients indefinitely. No public exploit identified at time of analysis; vendor-released patch is available in version 0.73.1.

Denial Of Service Fzf
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-53432 MEDIUM PATCH This Month

Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. No public exploit code has been identified and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 5.6 (AT:P, UI:A) reflects that exploitation requires atypical input volumes and active user or script interaction.

Integer Overflow Denial Of Service Fzf
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Denial of service in fzf's --listen mode HTTP server arises from quadratic-time (O(n²)) body processing caused by repeated string concatenation when reading POST request payloads. All fzf releases prior to 0.73.1 are affected when the --listen flag is explicitly activated to expose the embedded HTTP server. An attacker with access to the listening socket can send a single crafted POST request with many small body segments to monopolize the single-threaded server, blocking all other clients indefinitely. No public exploit identified at time of analysis; vendor-released patch is available in version 0.73.1.

Denial Of Service Fzf
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. No public exploit code has been identified and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 5.6 (AT:P, UI:A) reflects that exploitation requires atypical input volumes and active user or script interaction.

Integer Overflow Denial Of Service Fzf
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy