CVE-2026-27601
Published: 03 March 2026
Summary
CVE-2026-27601 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Underscorejs Underscore. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27601 affects Underscore.js, a utility-belt library for JavaScript, in versions prior to 1.13.8. The vulnerability stems from the _.flatten and _.isEqual functions implementing recursion without a depth limit, which can lead to a stack overflow under specific conditions. This enables a Denial of Service (DoS) attack when untrusted input is used to construct a deeply recursive data structure, such as via JSON.parse without enforced depth limits, and that structure is passed to either function. Exceptions from the stack overflow are not caught, exacerbating the issue. The flaw is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote attacker without privileges can exploit this vulnerability by submitting crafted input that creates a recursive data structure. For _.flatten, exploitation requires the data structure to consist of arrays at every level and no finite depth limit passed as the second argument. For _.isEqual, it requires a code path where two distinct but equivalent data structures from the same client are compared, such as data stored in a database and later compared to new client-submitted data, or data parsed twice within a single request. Successful exploitation triggers a stack overflow, causing unhandled exceptions that crash the application and deny service to legitimate users.
The GitHub security advisory (GHSA-qpx9-hpmf-5gmw) and related commits detail the fix in Underscore.js version 1.13.8, which addresses the unbounded recursion in both functions. Security practitioners should upgrade to 1.13.8 or later, validate and sanitize untrusted inputs to enforce depth limits on parsed data structures, and ensure exceptions from these functions are properly caught and handled.
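The two mitigations above (enforce a depth limit on parsed data before it reaches _.flatten or _.isEqual, and catch exceptions at the request boundary) as an added example written for this page; it is not code from the advisory or from Underscore.js. The function names, the depth limit of 32 and the sample inputs are constructed assumptions.

```javascript
// Iterative nesting-depth check for parsed JSON. Uses an explicit stack so the
// checker itself cannot overflow the call stack on hostile input.
function nestingDepth(value) {
  let max = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > max) max = depth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return max;
}

// Parse untrusted JSON and reject structures nested deeper than maxDepth.
// A RangeError here is a controlled failure the caller can map to HTTP 400,
// rather than an uncaught stack overflow inside _.flatten or _.isEqual.
function parseWithDepthLimit(text, maxDepth = 32) {
  const parsed = JSON.parse(text);
  const depth = nestingDepth(parsed);
  if (depth > maxDepth) {
    throw new RangeError(`nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return parsed;
}

// Request-handler shape: every exception from parsing or from the downstream
// call is caught, so one bad request cannot take the process down.
// `process` stands in for the code that would call _.flatten(data, finiteDepth)
// or _.isEqual(data, stored); it is a hypothetical callback here.
function handleUntrustedJson(text, process, maxDepth = 32) {
  try {
    return { ok: true, value: process(parseWithDepthLimit(text, maxDepth)) };
  } catch (err) {
    return { ok: false, status: 400, error: err.message };
  }
}

// Constructed sample inputs (not taken from the advisory).
const BENIGN = '{"tags":[["a","b"],["c"]]}';          // nesting depth 3
const HOSTILE = '['.repeat(1000) + ']'.repeat(1000);  // nesting depth 1000
```

When the data does reach _.flatten, also pass a finite depth as the second argument, since the advisory states that only an unbounded call is exploitable.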
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9341
Vulnerability details
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive data structure, for example using JSON.parse, with no enforced depth limit. The data structure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a data structure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct data structures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another data structure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent data structures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote DoS by submitting crafted recursive input to trigger unhandled stack overflow crashes in the affected JS library functions, directly matching application exploitation for endpoint availability denial.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring timely remediation through upgrading Underscore.js to version 1.13.8 or later, which fixes the unbounded recursion in _.flatten and _.isEqual.
- SI-10 (Information Input Validation): enforces validation and sanitization of untrusted inputs, such as the output of JSON.parse, to impose depth limits on data structures and prevent creation of deeply recursive arrays that trigger a stack overflow.
- SC-5 (Denial-of-service Protection): provides denial-of-service protection mechanisms to limit the impact of resource exhaustion attacks such as stack overflows from unbounded recursion on crafted inputs.