Skip to main content

Iodine

3 CVEs product

Monthly

CVE-2026-41146 Ruby HIGH PATCH GHSA This Week

Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the `fio_json_parse` function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.

Denial Of Service Facil Io Iodine
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-22050 Ruby HIGH PATCH This Week

Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Iodine
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2014-4168 MEDIUM This Month

(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Iodine
NVD GitHub
CVSS 2.0
5.0
EPSS
1.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote unauthenticated denial of service affects facil.io (all versions prior to commit 5128747) and iodine (all versions before 0.7.59) through malformed JSON input triggering infinite CPU loop. Attackers can send crafted JSON payloads as small as two bytes ('[i') to the `fio_json_parse` function, causing the process to consume 100% of a CPU core indefinitely without crashing or returning an error. This vulnerability allows trivial resource exhaustion against any web service using these frameworks to parse untrusted JSON. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the attack requires only network access with no authentication and minimal complexity (CVSS AV:N/AC:L/PR:N), making exploitation straightforward once discovered.

Denial Of Service Facil Io Iodine
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in the static file service in Iodine less than 0.7.33 allows an unauthenticated, remote attacker to read files outside the public folder via malicious URLs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Iodine
NVD GitHub VulDB
EPSS 1% CVSS 5.0
MEDIUM This Month

(1) iodined.c and (2) user.c in iodine before 0.7.0 allows remote attackers to bypass authentication by continuing execution after an error has been triggering. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Iodine
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy