Thrift
Monthly
Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.
TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.
Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.
Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.
Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.
Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.
Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.
Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.
TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.
Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.
Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.
Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.
Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.
Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.
Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.