{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27601", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.602Z", "datePublished": "2026-03-03T22:38:38.955Z", "dateUpdated": "2026-03-04T16:44:40.856Z"}, "containers": {"cna": {"title": "Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"}, {"name": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4", "tags": ["x_refsource_MISC"], "url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"}, {"name": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84", "tags": ["x_refsource_MISC"], "url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"}], "affected": [{"vendor": "jashkenas", "product": "underscore", "versions": [{"version": "< 1.13.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:38:38.955Z"}, "descriptions": [{"lang": "en", "value": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8."}], "source": {"advisory": "GHSA-qpx9-hpmf-5gmw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:44:25.481747Z", "id": "CVE-2026-27601", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:44:40.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T16:44:25.481747Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:44:34.757Z"}}], "cna": {"title": "Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "source": {"advisory": "GHSA-qpx9-hpmf-5gmw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jashkenas", "product": "underscore", "versions": [{"status": "affected", "version": "< 1.13.8"}]}], "references": [{"url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw", "name": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4", "name": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84", "name": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:38:38.955Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27601", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:44:40.856Z", "dateReserved": "2026-02-20T19:43:14.602Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:38:38.955Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "413BC96A-931D-45FE-A85A-EC967B6D43D7", "versionEndExcluding": "1.13.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8."}, {"lang": "es", "value": "Underscore.js es una librer\u00eda de utilidades para JavaScript. Antes de la versi\u00f3n 1.13.8, las funciones _.flatten y _.isEqual usan recursi\u00f3n sin un l\u00edmite de profundidad. Bajo condiciones muy espec\u00edficas, detalladas a continuaci\u00f3n, un atacante podr\u00eda explotar esto en un ataque de denegaci\u00f3n de servicio (DoS) al desencadenar un desbordamiento de pila. Se debe usar entrada no confiable para crear una estructura de datos recursiva, por ejemplo, usando JSON.parse, sin un l\u00edmite de profundidad impuesto. La estructura de datos as\u00ed creada debe pasarse a _.flatten o _.isEqual. En el caso de _.flatten, la vulnerabilidad solo puede ser explotada si es posible para un cliente remoto preparar una estructura de datos que consista en arrays en todos los niveles Y si no se pasa un l\u00edmite de profundidad finito como segundo argumento a _.flatten. En el caso de _.isEqual, la vulnerabilidad solo puede ser explotada si existe una ruta de c\u00f3digo en la que dos estructuras de datos distintas que fueron enviadas por el mismo cliente remoto se comparan usando _.isEqual. Por ejemplo, si un cliente env\u00eda datos que se almacenan en una base de datos, y el mismo cliente puede luego enviar otra estructura de datos que luego se compara con los datos que se guardaron en la base de datos previamente, O si un cliente env\u00eda una \u00fanica solicitud, pero sus datos se analizan dos veces, creando dos estructuras de datos no id\u00e9nticas pero equivalentes que luego se comparan. Las excepciones que se originan de la llamada a _.flatten o _.isEqual, como resultado de un desbordamiento de pila, no est\u00e1n siendo capturadas. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.13.8."}], "id": "CVE-2026-27601", "lastModified": "2026-04-28T15:06:03.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-03T23:15:55.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Underscore.js: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions", "id": "2444247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444247"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-606", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, applications utilizing Underscore.js should ensure that any processing of untrusted, recursively structured data with `_.flatten` or `_.isEqual` explicitly enforces a finite depth limit. Review application code to identify and modify calls to these functions, adding appropriate depth parameters to prevent stack overflow conditions. Additionally, input validation should be implemented to sanitize untrusted data before it is processed by Underscore.js functions."}, "name": "CVE-2026-27601", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "mtv-candidate/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-api-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-db-migration-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:openshift_pipelines:1", "fix_state": "Fix deferred", "package_name": "openshift-pipelines/pipelines-hub-ui-rhel8", "product_name": "OpenShift Pipelines"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/console-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-25/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/lightspeed-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-on-clouds/aoc-azure-aap-installer-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "gjs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python-sphinx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "io.hawt-hawtio-online", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "io.hawt-project", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "io.hawt-project", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kf-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-notebook-controller-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/openvsx-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/pluginregistry-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Fix deferred", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite/iop-host-inventory-frontend-rhel9", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-03T22:38:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27601\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27601\nhttps://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4\nhttps://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84\nhttps://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.13.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "underscore", "source": "cna", "vendor": "jashkenas"}, "product": "underscore", "vendor": "jashkenas"}], "analysis": {"en": {"generated_at": "2026-04-16T13:50:34.861081+00:00", "value": {"mitigation_remediation": ["Upgrade the Underscore.js library to version\u202f1.13.8 or later, which includes the recursion limit fix.", "If an upgrade is not immediately feasible, avoid feeding untrusted input to _.flatten or _.isEqual; instead enforce a maximum depth or use a safer alternative function.", "Implement input validation that rejects or sanitizes deeply nested structures before they reach the library functions, or wrap the library calls in a bounded\u2011recursion guard."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service via stack overflow in Underscore.js functions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all v1.13.8\u2011earlier releases of the Underscore.js library distributed by jashkenas. Any Node.js or web application that includes a pre\u20111.13.8 version of Underscore.js and calls _.flatten or _.isEqual on data supplied by an unauthenticated or untrusted source is at risk. The CVE details list the CPE for underscorejs:underscore and emphasize that the issue is present in all earlier versions.", "description_and_impact": "Underscore.js, a widely used utility library for JavaScript, contained a flaw in its _.flatten and _.isEqual functions before version\u202f1.13.8. Both functions recurse without a depth limit, so a deliberately nested data structure can trigger a stack overflow when these functions process the data. The overflow causes the process to terminate or hang, resulting in a denial\u2011of\u2011service condition. The weakness corresponds to unchecked loop condition and uncontrolled recursion (CWE\u2011606, CWE\u2011770).", "risk_and_exploitability": "With a CVSS base score of\u202f8.2, the flaw is considered high\u2011severity. The EPSS score of less than\u202f1% indicates that, currently, there is a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, the attack scenario requires an attacker to be able to supply deeply nested JSON or equivalent data structures that are fed directly into the vulnerable functions. The effective attack vector is thus remote client input; any exposed API, form, or data ingestion endpoint that calls _.flatten or _.isEqual without input validation can potentially be abused to perform a denial\u2011of\u2011service via stack overflow."}}}}, "created": "2026-03-04T14:53:32.110408+00:00", "updated": "2026-04-16T14:00:19.463285+00:00", "vendors": ["jashkenas", "jashkenas$PRODUCT$underscore"]}