Skip to main content

Thrift

17 CVEs product

Monthly

CVE-2026-43868 Cargo MEDIUM PATCH This Month

Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.

Information Disclosure Apache Java Node.js Thrift
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43869 Maven HIGH PATCH GHSA This Week

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.

Information Disclosure Apache Java Node.js Thrift
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-41602 Go HIGH PATCH GHSA This Week

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Denial Of Service Integer Overflow Java Apache Thrift
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41605 HIGH PATCH This Week

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.

Node.js Integer Overflow Denial Of Service Apache Thrift
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-41603 HIGH PATCH This Week

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Denial Of Service Java Apache Thrift
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-41607 MEDIUM PATCH This Month

Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.

Buffer Overflow Information Disclosure Node.js Apache Thrift
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41606 MEDIUM PATCH This Month

Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.

Node.js Denial Of Service Apache Thrift
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41604 HIGH PATCH This Week

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).

Buffer Overflow Information Disclosure Java Apache Thrift
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2021-24028 CRITICAL PATCH Act Now

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Thrift
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2019-0210 Go HIGH PATCH This Week

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure Thrift Jboss Enterprise Application Platform +1
NVD
CVSS 3.1
7.5
EPSS
6.8%
CVE-2019-0205 Maven HIGH PATCH This Week

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Thrift Jboss Enterprise Application Platform Communications Cloud Native Core Network Slice Selection Function
NVD
CVSS 3.1
7.5
EPSS
9.1%
CVE-2019-3565 HIGH PATCH This Week

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
CVSS 3.1
7.5
EPSS
2.8%
CVE-2019-3564 Go HIGH PATCH This Week

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-3559 HIGH PATCH This Week

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Thrift
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-3558 HIGH PATCH This Week

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Thrift
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-3552 HIGH PATCH This Week

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2015-3254 MEDIUM PATCH This Month

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Thrift
NVD
CVSS 3.0
6.5
EPSS
1.8%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Apache Thrift versions prior to 0.23.0 are vulnerable to a denial-of-service condition with unspecified attack mechanisms related to CWE-789 (uncontrolled memory allocation). The vulnerability affects multiple language implementations including Rust, Java, and Node.js, and can be triggered remotely without authentication or user interaction, though the technical mechanism remains partially obscured in available disclosures. With EPSS score of 0.02% (percentile 5%), active exploitation appears unlikely despite the low CVSS complexity score.

Information Disclosure Apache Java +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.

Information Disclosure Apache Java +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Denial Of Service Integer Overflow Java +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.

Node.js Integer Overflow Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Denial Of Service Java Apache +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.

Buffer Overflow Information Disclosure Node.js +2
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.

Node.js Denial Of Service Apache +1
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).

Buffer Overflow Information Disclosure Java +2
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects.02.22.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Thrift
NVD GitHub
EPSS 7% CVSS 7.5
HIGH PATCH This Week

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure +3
NVD
EPSS 9% CVSS 7.5
HIGH PATCH This Week

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Thrift +2
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Thrift
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Thrift
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Thrift
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Apache Thrift
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy