Bug 2444247 (CVE-2026-27601)

Summary: CVE-2026-27601 Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abarbaro, alcohan, alizardo, anthomas, asoldano, bbaranow, bbrownin, bdettelb, bmaxwell, brian.stansberry, darran.lofthouse, dfreiber, doconnor, dosoudil, drow, dschmidt, ehelms, erezende, fjuma, ggainey, gmalinko, gotiwari, gparvin, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcantril, jchui, jgrulich, jhe, jhorak, jkoehler, jlanda, juwatts, kshier, ktsao, lchilton, lphiri, mhulan, mosmerov, msvehla, mvyas, nboldt, nmoumoul, nwallace, osousa, pahickey, pberan, pcreech, pdelbell, pesilva, pjindal, pmackay, psrna, rchan, rhaigner, rojacob, rstancel, rstepani, sdawley, sfeifer, simaishi, smaestri, smallamp, smcdonal, stcannon, teagle, tmalecek, tom.jenkinson, tpopela, vkumar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Underscore.js, a JavaScript utility library. This vulnerability allows a remote attacker to trigger a Denial of Service (DoS) attack by providing specially crafted recursive data structures. When these structures are processed by the _.flatten or _.isEqual functions, which lack a depth limit for recursion, a stack overflow occurs. This can make the application unavailable to legitimate users.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-03-03 23:02:45 UTC 
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.