Denial of Service in Underscore.js Before 1.13.8
OESA-2026-1578
Summary
A bug in older versions of the Underscore.js library can cause a website to exhaust its call stack and crash or become unresponsive if it processes a specially crafted, deeply nested input. This is a security risk because an attacker could exploit it to make a website unavailable. To fix this issue, update to version 1.13.8 or later of Underscore.js.
What to do
- Update nodejs-underscore to version 1.13.8-1.oe2403sp2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nodejs-underscore | <= 1.13.8-1.oe2403sp2 | 1.13.8-1.oe2403sp2 |
Original title
nodejs-underscore security update
Original description
Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.
Security Fix(es):
Underscore.js is a utility-belt library for JavaScript. Prior to version 1.13.8, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, an attacker could exploit this to cause a Denial of Service (DoS) attack by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to create a deeply recursive data structure (e.g., via `JSON.parse` with no enforced depth limit), and this structure must be passed to `_.flatten` or `_.isEqual`. For `_.flatten`, the attacker must be able to prepare a data structure consisting solely of arrays at all levels, and no finite depth limit must be passed as the second argument to `_.flatten`. For `_.isEqual`, there must exist a code path where two distinct but structurally equivalent data structures, submitted by the same remote client, are compared using `_.isEqual`. Additionally, exceptions resulting from the stack overflow must not be caught. This vulnerability is fixed in version 1.13.8. (CVE-2026-27601)
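The description above names the precondition for both affected functions: untrusted JSON parsed with no enforced depth limit. The following added example (not part of the advisory, openEuler's package, or Underscore.js itself) is an input-side guard that scans the raw JSON text for bracket nesting and rejects the document before anything deeply nested is materialised; the limit of 8 and the sample inputs are constructed for the demo.

```javascript
// Added example: bound the nesting depth of untrusted JSON before it can
// reach _.flatten or _.isEqual. The scan is iterative, so it cannot itself
// overflow the stack, and it bails out as soon as the limit is exceeded.
// maxDepth is a caller-chosen assumption (8 in the demo below).

function jsonNestingDepth(text, maxDepth) {
  let depth = 0;
  let maxSeen = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') { i++; }            // skip the escaped character
      else if (ch === '"') { inString = false; }
      continue;                            // brackets inside strings do not nest
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > maxSeen) maxSeen = depth;
      if (depth > maxDepth) return -1;     // too deep: stop without parsing
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return maxSeen;
}

// Parse only after the depth check passes; the returned value is then safe
// to hand to _.flatten(value, maxDepth) or _.isEqual, because no branch of
// it is deeper than the bound (still pass a finite depth to _.flatten).
function parseBoundedJson(text, maxDepth) {
  if (jsonNestingDepth(text, maxDepth) < 0) {
    throw new RangeError(`JSON nesting exceeds limit of ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Constructed sample inputs: a normal document (depth 5, brackets inside a
// string ignored) and an arrays-only document nested 50 deep.
const okDoc = '[1, [2, ["[[[not brackets]]]", {"k": [3]}]]]';
const deepDoc = '['.repeat(50) + ']'.repeat(50);
console.log(jsonNestingDepth(okDoc, 8));    // 5
console.log(jsonNestingDepth(deepDoc, 8));  // -1
```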
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27601 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026