CVE-2026-27601 Overview
CVE-2026-27601 is a Denial of Service (DoS) vulnerability affecting Underscore.js, a popular utility-belt library for JavaScript. The vulnerability exists in the _.flatten and _.isEqual functions, which implement recursion without enforcing a depth limit. Under specific conditions, an attacker can exploit this flaw to trigger a stack overflow, causing application crashes and service disruption.
Critical Impact
Remote attackers can cause application-level Denial of Service by submitting deeply nested data structures that trigger uncontrolled stack consumption in vulnerable Underscore.js functions.
Affected Products
- Underscore.js versions prior to 1.13.8
- Node.js applications using vulnerable underscorejs:underscore package
- Web applications processing untrusted JSON input with Underscore.js utilities
Discovery Timeline
- 2026-03-03 - CVE-2026-27601 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-27601
Vulnerability Analysis
This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue stems from the recursive nature of the _.flatten and _.isEqual functions, which process nested data structures without implementing safeguards against excessive recursion depth.
When processing user-controlled input—particularly data parsed via JSON.parse without depth validation—an attacker can craft malicious payloads containing deeply nested arrays or objects. When these structures are passed to the vulnerable functions, the recursive calls exhaust the JavaScript call stack, resulting in a stack overflow exception.
The attack surface requires specific conditions to be exploitable:
For _.flatten: The attacker must be able to submit a data structure consisting of nested arrays at all levels, AND no finite depth limit is passed as the second argument to the function.
For _.isEqual: The vulnerability requires a code path where two distinct data structures from the same remote client are compared. This could occur when client-submitted data is stored in a database and later compared against new submissions, or when a single request's data is parsed twice, creating two non-identical but equivalent structures.
Root Cause
The root cause is the absence of recursion depth limits in the _.flatten and _.isEqual implementations. Both functions traverse nested data structures recursively, trusting that input will have reasonable depth. Without explicit depth checking or iterative alternatives, these functions are susceptible to stack exhaustion when processing adversarially crafted deep structures.
The vulnerability is particularly dangerous because exceptions from stack overflows are not caught by the library, propagating up and potentially crashing the entire application or service.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker exploits this vulnerability by:
- Crafting a deeply nested JSON payload (arrays for _.flatten, objects/arrays for _.isEqual)
- Submitting the malicious payload to an endpoint that processes data using vulnerable Underscore.js functions
- The recursive function calls exhaust the stack, triggering an uncaught exception
- The application crashes or becomes unresponsive
The vulnerability mechanism involves deeply nested recursive data structures that exhaust the JavaScript call stack. For _.flatten, this involves arrays nested to extreme depths. For _.isEqual, it requires two such structures to be compared. When the recursion depth exceeds the JavaScript engine's stack limit (typically several thousand frames), the process throws a RangeError: Maximum call stack size exceeded. See the GitHub Security Advisory GHSA-qpx9-hpmf-5gmw for detailed technical information.
Detection Methods for CVE-2026-27601
Indicators of Compromise
- Repeated application crashes with "Maximum call stack size exceeded" errors
- Unusual patterns of deeply nested JSON payloads in request logs
- Memory consumption spikes followed by process termination
- Service unavailability correlated with specific API endpoint requests
Detection Strategies
- Monitor application logs for RangeError exceptions indicating stack overflow conditions
- Implement request body size and nesting depth limits at the API gateway or web server level
- Perform dependency scanning to identify Underscore.js versions prior to 1.13.8
- Analyze incoming JSON payloads for abnormal nesting depth patterns
Monitoring Recommendations
- Configure alerting for repeated process restarts or crash loops in Node.js applications
- Enable detailed exception logging to capture stack overflow events
- Monitor CPU and memory metrics for patterns consistent with recursive exhaustion attacks
- Implement rate limiting on endpoints that process complex data structures
How to Mitigate CVE-2026-27601
Immediate Actions Required
- Upgrade Underscore.js to version 1.13.8 or later immediately
- Audit codebase for usages of _.flatten and _.isEqual with untrusted input
- Implement input validation to limit JSON nesting depth before processing
- Consider adding try-catch blocks around vulnerable function calls as a defense-in-depth measure
Patch Information
The vulnerability has been fixed in Underscore.js version 1.13.8. The fix is available in the following commits:
For complete details, refer to the GitHub Security Advisory GHSA-qpx9-hpmf-5gmw.
Workarounds
- Always pass a finite depth limit as the second argument when calling _.flatten
- Implement JSON parsing with depth limits using libraries like json-bigint or custom validators
- Add middleware to reject requests with excessively nested data structures
- Use iterative alternatives to _.flatten and _.isEqual when processing untrusted input
# Update Underscore.js to patched version
npm update underscore@1.13.8
# Verify installed version
npm list underscore
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
