CVE-2025-50537 Overview
A stack overflow vulnerability exists in ESLint before version 9.26.0 that occurs when serializing objects with circular references in the eslint/lib/shared/serialization.js module. The vulnerability is triggered through the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() calls isSerializable() for serialization checks. When an object containing a circular reference is passed, isSerializable() enters infinite recursion, ultimately causing a stack overflow and application crash.
Critical Impact
Attackers can trigger a denial of service condition by passing objects with circular references to ESLint's RuleTester, causing development environments and CI/CD pipelines to crash.
Affected Products
- ESLint versions prior to 9.26.0
Discovery Timeline
- 2026-01-26 - CVE-2025-50537 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-50537
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion). The flaw resides in ESLint's serialization logic, specifically within the isSerializable() function located in eslint/lib/shared/serialization.js. When processing objects for duplicate test case detection, the function fails to track visited objects, allowing circular reference structures to trigger unbounded recursive calls.
The RuleTester.run() method is the primary attack surface, as it processes user-supplied test case configurations. When validating these test cases, the checkDuplicateTestCase() function invokes the vulnerable serialization routine without proper safeguards against self-referential data structures.
The attack requires local access and user interaction, as an attacker would need to convince a developer to run malicious test configurations or compromise a project's test suite. The impact is limited to availability—there is no data confidentiality or integrity breach—but successful exploitation can disrupt development workflows and automated testing pipelines.
Root Cause
The root cause is uncontrolled recursion in the isSerializable() function, which does not keep track of the objects it has already visited. When an object contains a circular reference (a property that directly or indirectly references the object itself), the serialization check keeps descending into the same objects until the JavaScript call stack is exhausted.
Attack Vector
The attack requires local access and involves crafting a test case object with circular references that is then passed to ESLint's RuleTester.run() method. The attack flow proceeds as follows:
- An attacker creates a malicious ESLint rule test file containing test case objects with circular references
- When the test suite runs, RuleTester.run() processes these test cases
- The checkDuplicateTestCase() validation calls isSerializable() on the malicious object
- The function recursively traverses the circular structure without termination
- The JavaScript runtime exhausts its call stack, resulting in a stack overflow error and process termination
The vulnerability can impact CI/CD pipelines that automatically run ESLint tests, potentially causing build failures and disrupting development workflows. For technical details and proof-of-concept code, refer to the GitHub Issue Discussion and the GitHub Gist PoC Repository.
Detection Methods for CVE-2025-50537
Indicators of Compromise
- Stack overflow errors or "Maximum call stack size exceeded" exceptions in ESLint processes
- Unexpected crashes or terminations during ESLint test suite execution
- Abnormal memory or CPU spikes during RuleTester.run() operations
Detection Strategies
- Monitor for recurring process crashes in development environments or CI/CD pipelines running ESLint tests
- Implement logging to capture and analyze ESLint test execution errors
- Review test case configurations for suspicious circular reference patterns
Monitoring Recommendations
- Set up alerting for abnormal ESLint process terminations in CI/CD environments
- Track ESLint version deployments across development infrastructure to identify vulnerable installations
- Monitor Node.js process health metrics during automated test execution
How to Mitigate CVE-2025-50537
Immediate Actions Required
- Upgrade ESLint to version 9.26.0 or later where this vulnerability has been addressed
- Review and audit test case configurations for circular reference objects
- Implement process monitoring and restart capabilities for ESLint test runners
Patch Information
The vulnerability is resolved in ESLint version 9.26.0. Organizations should update their package.json dependencies and lock files to ensure the patched version is installed across all development environments and CI/CD pipelines. For additional information, refer to the GitHub Issue Discussion.
Workarounds
- Ensure test case objects passed to RuleTester.run() do not contain circular references
- Implement pre-validation checks in test suites to detect circular references before ESLint processing
- Consider wrapping ESLint test execution in process isolation to limit the impact of potential crashes
- Use trusted, reviewed test configurations and avoid running untrusted ESLint rule tests
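The following is an added illustration, not ESLint's own code: a simplified serializability check modeled on the advisory's description, shown first without the visited-object guard (it overflows the stack on a circular test case) and then with one, plus a small cycle detector of the kind the pre-validation workaround above calls for. The function names and the sample test cases are constructed for this example.

```javascript
// Added illustration (not ESLint's own code): a simplified serializability check
// modeled on the advisory, first unguarded, then with a visited-object guard.
const PRIMITIVES = new Set(["string", "boolean", "number"]);
function isPlainValue(val) {
    return val === null || PRIMITIVES.has(typeof val) || Array.isArray(val) ||
        (typeof val === "object" && val.constructor === Object);
}

// Unguarded: on a self-referential object this never terminates and the
// runtime throws RangeError ("Maximum call stack size exceeded").
function isSerializableUnguarded(val) {
    if (!isPlainValue(val)) return false;
    if (val === null || typeof val !== "object") return true;
    return Object.keys(val).every(k => isSerializableUnguarded(val[k]));
}

// Guarded: objects on the current traversal path are kept in a WeakSet, so
// meeting one again is a cycle and is reported as "not serializable".
function isSerializableGuarded(val, path = new WeakSet()) {
    if (!isPlainValue(val)) return false;
    if (val === null || typeof val !== "object") return true;
    if (path.has(val)) return false; // circular reference
    path.add(val);
    const ok = Object.keys(val).every(k => isSerializableGuarded(val[k], path));
    path.delete(val); // a sub-object shared by two branches is not a cycle
    return ok;
}

// Pre-validation a test suite can run before RuleTester.run(): returns the
// indices of test cases that contain a circular reference anywhere inside.
function hasCycle(val, path = new WeakSet()) {
    if (val === null || typeof val !== "object") return false;
    if (path.has(val)) return true;
    path.add(val);
    const found = Object.keys(val).some(k => hasCycle(val[k], path));
    path.delete(val);
    return found;
}
function findCircularCases(testCases) {
    return testCases.flatMap((tc, i) => (hasCycle(tc) ? [i] : []));
}

// Constructed sample input: one ordinary case and one whose options array
// points back at the case object itself.
const cleanCase = { code: "var a = 1;", options: [{ allowVar: true }] };
const cyclicCase = { code: "var b = 2;", options: [] };
cyclicCase.options.push(cyclicCase);
const sampleCases = [cleanCase, cyclicCase];
```

Running findCircularCases over a suite's cases before they reach RuleTester.run() lets an unpatched installation fail with a clear message instead of a stack overflow.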
# Upgrade ESLint to the patched version range (updates package.json and the lock file)
npm install eslint@^9.26.0 --save-dev
# Verify the installed version
npx eslint --version
# Alternative: pin the exact patched version in package.json
npm install eslint@9.26.0 --save-dev
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.