Cyber Resilience

CVE-2026-27601

High · Public PoC · DDoS

Published: 03 March 2026

Published
03 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0061 44.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27601 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Underscorejs Underscore. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 44.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27601 affects Underscore.js, a utility-belt library for JavaScript, in versions prior to 1.13.8. The vulnerability stems from the _.flatten and _.isEqual functions implementing recursion without a depth limit, which can lead to a stack overflow under specific conditions. This enables a Denial of Service (DoS) attack when untrusted input is used to construct a deeply recursive data structure, such as via JSON.parse without enforced depth limits, and that structure is passed to either function. Exceptions from the stack overflow are not caught, exacerbating the issue. The flaw is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote attacker without privileges can exploit this vulnerability by submitting crafted input that creates a recursive data structure. For _.flatten, exploitation requires the data structure to consist of arrays at every level and no finite depth limit passed as the second argument. For _.isEqual, it requires a code path where two distinct but equivalent data structures from the same client are compared, such as data stored in a database and later compared to new client-submitted data, or data parsed twice within a single request. Successful exploitation triggers a stack overflow, causing unhandled exceptions that crash the application and deny service to legitimate users.

The GitHub security advisory (GHSA-qpx9-hpmf-5gmw) and related commits detail the fix in Underscore.js version 1.13.8, which addresses the unbounded recursion in both functions. Security practitioners should upgrade to 1.13.8 or later, validate and sanitize untrusted inputs to enforce depth limits on parsed data structures, and ensure exceptions from these functions are properly caught and handled.

Vulnerability details

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive data structure, for example using JSON.parse, with no enforced depth limit. The data structure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a data structure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct data structures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another data structure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent data structures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
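One defensive pattern for the depth-limit and exception-handling advice given in the Deeper analysis and in the advisory text above, as an added JavaScript example that is not from the advisory or from the Underscore.js project; MAX_DEPTH, nestingDepth, parseWithDepthLimit and guardedCall are assumed names, and the sample inputs are constructed:

```javascript
// Added example (not from the advisory or Underscore.js): gate untrusted JSON on
// nesting depth before it reaches _.flatten / _.isEqual, and turn a stack overflow
// that still escapes into an error result. MAX_DEPTH is an assumed limit.
const MAX_DEPTH = 32;

// Nesting depth of arrays/objects in `value` (0 for scalars). Uses an explicit
// stack, not recursion, so the guard cannot overflow on the input it rejects.
function nestingDepth(value) {
  let deepest = 0;
  const stack = [{ node: value, depth: 0 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== "object") continue;
    const next = depth + 1;
    if (next > deepest) deepest = next;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push({ node: child, depth: next });
  }
  return deepest;
}

// Parse untrusted JSON and refuse it when it nests deeper than `limit`.
// JSON.parse (iterative in V8) builds the deep structure without complaint;
// the depth check is what keeps it away from the library.
function parseWithDepthLimit(text, limit = MAX_DEPTH) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return { ok: false, reason: "invalid-json" };
  }
  const depth = nestingDepth(value);
  if (depth > limit) return { ok: false, reason: "depth " + depth + " exceeds " + limit };
  return { ok: true, value };
}

// Run a library call (e.g. () => _.isEqual(a, b)) and convert an uncaught
// stack overflow (RangeError) into an error result instead of a crash.
function guardedCall(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, reason: "stack-overflow" };
    throw e;
  }
}

// Constructed sample inputs: an ordinary payload and a 5000-level nested array.
const NORMAL_JSON = '{"items":[[1,2],[3,[4]]]}';
const DEEP_JSON = "[".repeat(5000) + "]".repeat(5000);
```

Where parsed data still reaches _.flatten, also pass a finite depth as its second argument, which is the condition the advisory names for that function.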

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote DoS by submitting crafted recursive input to trigger unhandled stack overflow crashes in the affected JS library functions, directly matching application exploitation for endpoint availability denial.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2021-47784 (shared CWE-770)
CVE-2021-47793 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2026-23490 (shared CWE-770)
CVE-2026-31866 (shared CWE-770)
CVE-2026-33260 (shared CWE-770)
CVE-2026-33012 (shared CWE-770)
CVE-2026-5438 (shared CWE-770)
CVE-2024-57662 (shared CWE-770)

Affected Assets

underscorejs / underscore, versions ≤ 1.13.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · Directly mitigates the vulnerability by requiring timely remediation through upgrading Underscore.js to version 1.13.8 or later, which fixes the unbounded recursion in _.flatten and _.isEqual.

prevent · SI-10 (Information Input Validation): Enforces validation and sanitization of untrusted inputs, such as the output of JSON.parse, to impose depth limits on data structures and prevent creation of deeply recursive arrays that trigger stack overflow.

prevent · SC-5 (Denial-of-service Protection): Provides denial-of-service protection mechanisms to limit the impact of resource exhaustion attacks like stack overflows from unbounded recursion on crafted inputs.