PT-2026-22841 · Unknown · Underscore.Js

Byamb4 · Published 2026-03-03 · Updated 2026-05-18 · CVE-2026-27601

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Underscore.js versions prior to 1.13.8

Description: Underscore.js, a JavaScript utility-belt library, contains an issue in the `_.flatten` and `_.isEqual` functions. These functions use recursion without a depth limit, which can lead to a Denial of Service (DoS) through stack overflow. Exploitation requires an attacker to supply untrusted input that produces a deeply nested (recursive) data structure, for example via JSON.parse with no depth limit. For `_.flatten`, the issue is exploitable if the data structure consists of arrays at all levels and no finite depth limit is passed as an argument. For `_.isEqual`, exploitation requires comparing two distinct data structures submitted by the same client, for example data stored in a database compared against newly submitted data, or the same data parsed twice. Exceptions resulting from the stack overflow are not handled.

Recommendations: Update Underscore.js to version 1.13.8 or later.
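The precondition above is untrusted JSON parsed with no depth limit. The following is an added example (not code from the advisory or from the Underscore.js project) of a depth-bounded parse to put in front of `_.flatten` / `_.isEqual` where upgrading is not yet possible; the names `MAX_DEPTH`, `nestingDepth`, `parseJsonBounded` and `deepJson` are assumed, and the check walks the value with an explicit stack so it cannot itself overflow on the input it rejects.

```javascript
// Added example, not part of the advisory or of Underscore.js.
// Assumed limit: adjust to the deepest structure your schema legitimately needs.
const MAX_DEPTH = 64;

// Iteratively measure nesting depth (scalars = 0, [] = 1, [[]] = 2).
// Uses an explicit stack instead of recursion so the check survives input
// that would overflow a recursive walk. Throws RangeError once `limit` is
// exceeded. Intended for JSON.parse output, which cannot contain cycles.
function nestingDepth(value, limit) {
  let maxSeen = 0;
  const stack = [{ node: value, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    const childDepth = depth + 1;
    if (childDepth > limit) {
      throw new RangeError(`nesting depth exceeds limit of ${limit}`);
    }
    if (childDepth > maxSeen) maxSeen = childDepth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push({ node: child, depth: childDepth });
  }
  return maxSeen;
}

// Parse, then reject anything nested deeper than `limit` before the value
// reaches _.flatten (with a finite depth argument) or _.isEqual.
function parseJsonBounded(text, limit = MAX_DEPTH) {
  const parsed = JSON.parse(text);
  nestingDepth(parsed, limit); // throws RangeError on over-deep input
  return parsed;
}

// Constructed sample input: n nested empty arrays, e.g. "[[[]]]" for n = 3.
function deepJson(n) {
  return '['.repeat(n) + ']'.repeat(n);
}

// Stand-alone demonstration.
console.log(nestingDepth(parseJsonBounded(deepJson(10)), MAX_DEPTH)); // 10
try {
  parseJsonBounded(deepJson(1000));
} catch (e) {
  console.log(`rejected: ${e.message}`);
}
```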

Exploit · Fix

Weakness Enumeration: DoS · Allocation of Resources Without Limits · Uncontrolled Recursion

Related Identifiers

AZL-79313
AZL-79320
AZL-79323
AZL-79340
AZL-79343
AZL-79397
AZL-79401
AZL-79404
AZL-79427
AZL-79434
AZL-79463
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CVE-2026-27601
ECHO-0638-253E-D3EC
GHSA-QPX9-HPMF-5GMW
OESA-2026-1578
OESA-2026-1579
OESA-2026-1580
OESA-2026-1581
OPENSUSE-SU-2026:10424-1
OPENSUSE-SU-2026:10427-1
OPENSUSE-SU-2026:10440-1

Affected Products

Underscore.Js