CVE-2026-27601 — Allocation of Resources Without Limits or Throttling in Underscore
Severity: 8.2 HIGH (NVD)
EPSS: 0.0% (top 94.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 3; latest update Mar 10
Description
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive data structure, for example using JSON.parse, with no enforced depth limit. The data structure thus created must be passed to _.flatten or _.isEqual. In the…
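As an added example (not code from the Underscore project or from this advisory), the following Node.js script models the pattern the description above refers to: a naive recursive flatten whose recursion depth equals the nesting depth of its input, fed a deeply nested array of the kind JSON.parse produces from untrusted text. Beside it are the two defences a practitioner would want to see: a depth gate applied to the parsed JSON before the value reaches anything recursive such as _.flatten or _.isEqual (the mitigation a caller controls without upgrading), and a flatten built on an explicit stack (the kind of change a library makes). The nested input is constructed inside the script, and the limit of 64 levels and all helper names are assumptions for illustration.

```javascript
// Added example, not Underscore's code. Reproduces the recursion pattern the
// advisory describes with a naive flatten and shows two defences:
//   1. bounding the nesting depth of untrusted JSON before any recursive
//      consumer (_.flatten, _.isEqual) sees it;
//   2. flattening with an explicit stack instead of recursion.
// Runs under Node.js with no dependencies.

// Constructed attacker-style input: `depth` nested arrays around one leaf,
// built iteratively so constructing it cannot itself overflow the stack.
function nestedArray(depth, leaf = "x") {
  let value = [leaf];
  for (let i = 1; i < depth; i++) value = [value];
  return value;
}

// The same shape as JSON text, the form untrusted input usually arrives in.
function nestedArrayJson(depth, leaf = "x") {
  return "[".repeat(depth) + JSON.stringify(leaf) + "]".repeat(depth);
}

// Naive recursive flatten modelled on the pattern the advisory describes
// (illustrative only, not Underscore's implementation). One stack frame per
// nesting level, so a deep enough input exhausts the call stack.
function naiveFlatten(input, output = []) {
  for (const value of input) {
    if (Array.isArray(value)) naiveFlatten(value, output);
    else output.push(value);
  }
  return output;
}

// Reports whether fn(input) dies with a stack overflow. V8 raises
// "RangeError: Maximum call stack size exceeded", which is catchable.
function overflows(fn, input) {
  try {
    fn(input);
    return false;
  } catch (err) {
    return err instanceof RangeError;
  }
}

// Defence 1: measure nesting depth with an explicit stack (so the check
// itself cannot overflow). Scalars have depth 0; a bare [] or {} has depth 1.
function maxNestingDepth(value) {
  let max = 0;
  const stack = [[value, 1]];
  while (stack.length > 0) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== "object") continue;
    if (depth > max) max = depth;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return max;
}

// Parse untrusted JSON and enforce the depth limit before the value is handed
// to anything recursive. maxDepth = 64 is an assumed policy value.
function parseBounded(text, maxDepth = 64) {
  const value = JSON.parse(text);
  const depth = maxNestingDepth(value);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return value;
}

// Defence 2: flatten with an explicit frame stack instead of recursion,
// preserving element order, so input depth no longer maps to stack depth.
function iterativeFlatten(input) {
  const output = [];
  const frames = [{ arr: input, i: 0 }];
  while (frames.length > 0) {
    const top = frames[frames.length - 1];
    if (top.i >= top.arr.length) { frames.pop(); continue; }
    const value = top.arr[top.i++];
    if (Array.isArray(value)) frames.push({ arr: value, i: 0 });
    else output.push(value);
  }
  return output;
}

// Walk-through: the same deep input crashes the recursive version, passes
// through the iterative one, and is rejected up front by the depth gate.
function demo() {
  const deep = nestedArray(300000);
  let gateRejected = false;
  try { parseBounded(nestedArrayJson(300000), 64); } catch (e) { gateRejected = e instanceof RangeError; }
  return {
    naiveOverflows: overflows(naiveFlatten, deep),           // true
    iterativeOverflows: overflows(iterativeFlatten, deep),   // false
    depthGateRejects: gateRejected,                          // true
  };
}

console.log(demo());
```

The depth gate is the check to add when you cannot upgrade immediately: it runs in bounded stack space regardless of input, and it covers _.isEqual as well as _.flatten, since both only recurse as deep as the structures they are given.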
CVSS vector (network-reachable, no privileges or user interaction required, but attack requirements present; impact limited to availability): CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected packages: 4 packages

Vulnerability Details (4 sources)
- CVE List: Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack (2026-03-03)
- GHSA
- OSV

Vendor Advisories (3)
- Microsoft: Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack (2026-03-10)
- Red Hat: Underscore.js: Denial of Service via recursive data structures in flatten and isEqual functions (2026-03-03)
- Debian: CVE-2026-27601: underscore - Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.f... (2026)