CVE-2026-39376
Published: 07 April 2026
Summary
CVE-2026-39376 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Kagi Fastfeedparser. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 17.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires updating FastFeedParser to version 0.5.10, which implements recursion depth limits, visited-URL deduplication, and redirect caps to directly prevent stack exhaustion.
Denial-of-service protection mechanisms limit resource consumption during recursive URL fetches, mitigating the unbounded recursion leading to process crashes.
Information input validation on URLs and HTML content detects and blocks malicious meta-refresh tags that trigger recursive parsing chains.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unbounded recursion in URL parsing directly enables remote exploitation of the application to cause stack exhaustion and process crash, mapping to application or system exploitation for endpoint denial of service.
NVD Description
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
Deeper analysis
CVE-2026-39376 is an unbounded recursion vulnerability (CWE-674) in FastFeedParser, a high-performance RSS, Atom, and RDF parser written in Python. In versions prior to 0.5.10, the parse() function fetches a provided URL and, if the response is an HTML page containing a <meta http-equiv="refresh"> tag, recursively invokes itself with the redirect URL. This recursion lacks depth limits, visited-URL deduplication, or redirect count caps, enabling stack exhaustion. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this remotely over the network with low complexity and no privileges by controlling a server that responds with an infinite chain of HTML meta-refresh redirects. Any application using vulnerable FastFeedParser to parse untrusted feeds or URLs can be targeted, resulting in Python call stack exhaustion and process crash (denial of service). The flaw can also chain with a companion SSRF issue to bypass initial URL checks and reach internal network targets.
The vulnerability is addressed in FastFeedParser version 0.5.10. Additional details on the fix and affected versions are available in the GitHub security advisory at https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37.
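The three limits the advisory credits the 0.5.10 fix with (a redirect cap, visited-URL deduplication, and no unbounded recursion), shown as an added Python illustration that is not FastFeedParser's own code: `fetch_feed` follows meta-refresh redirects in a loop over a caller-supplied `fetch` callable, and `fetch_fixture` is a constructed offline stand-in for the legitimate and attacker-controlled servers. `MAX_REDIRECTS = 5` is an assumed value; the page does not state the cap the upstream fix uses.

```python
import re
from html.parser import HTMLParser
MAX_REDIRECTS = 5  # assumed cap; the page does not state the value 0.5.10 uses

class MetaRefreshLimit(Exception):
    """Raised, instead of recursing, when a meta-refresh chain loops or exceeds the cap."""

class _MetaRefreshParser(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag, if any."""
    target = None
    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases attribute names
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            self.target = m.group(1) if m else None  # content is like "0; url=https://host/x"

def meta_refresh_target(html):
    p = _MetaRefreshParser()
    p.feed(html)
    return p.target

def fetch_feed(url, fetch, max_redirects=MAX_REDIRECTS):
    """Follow meta-refresh hops iteratively (no recursion) with a visited set and a hop cap."""
    visited, current = set(), url
    for _ in range(max_redirects + 1):
        if current in visited:
            raise MetaRefreshLimit(f"meta-refresh loop back to {current}")
        visited.add(current)
        body = fetch(current)  # caller-supplied url -> body callable, standing in for HTTP
        nxt = meta_refresh_target(body)
        if nxt is None:
            return current, body  # non-redirecting response: hand it to the feed parser
        current = nxt
    raise MetaRefreshLimit(f"more than {max_redirects} meta-refresh hops from {url}")

def _refresh_html(target):  # constructed HTML body that meta-refreshes to `target`
    return f'<meta http-equiv="refresh" content="0; url={target}">'

def fetch_fixture(url):
    """Constructed responses: blog.test is a one-hop chain, loop.test an a<->b loop, chain.test the advisory's endless chain (page n refreshes to n+1)."""
    if url == "https://blog.test/feed":
        return _refresh_html("https://blog.test/feed.xml")
    if url.startswith("https://loop.test/"):
        return _refresh_html("https://loop.test/b" if url.endswith("/a") else "https://loop.test/a")
    if url.startswith("https://chain.test/"):
        return _refresh_html(f"https://chain.test/{int(url.rsplit('/', 1)[-1]) + 1}")
    return "<rss><channel><title>ok</title></channel></rss>"
```

Both the loop and the endless chain end in a `MetaRefreshLimit` after a bounded number of fetches rather than a `RecursionError`, which is the behaviour the fix describes.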
Details
- CWE(s)