Underscore.js: Deep Recursion in flatten and isEqual Functions
OESA-2026-1580
Summary
A potentially serious security issue exists in older versions of the Underscore.js library. If a malicious user provides specially crafted data, it could cause the library to crash, making your website or application unavailable. To fix this issue, update to version 1.13.8 or later of the library.
What to do
- Update nodejs-underscore to version 1.13.8-1.oe2403.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | nodejs-underscore | <= 1.13.8-1.oe2403 | 1.13.8-1.oe2403 |
Original title
nodejs-underscore security update
Original description
Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.
Security Fix(es):
Underscore.js is a utility-belt library for JavaScript. Prior to version 1.13.8, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, an attacker could exploit this to cause a Denial of Service (DoS) attack by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to create a deeply recursive data structure (e.g., via `JSON.parse` with no enforced depth limit), and this structure must be passed to `_.flatten` or `_.isEqual`. For `_.flatten`, the attacker must be able to prepare a data structure consisting solely of arrays at all levels, and no finite depth limit must be passed as the second argument to `_.flatten`. For `_.isEqual`, there must exist a code path where two distinct but structurally equivalent data structures, submitted by the same remote client, are compared using `_.isEqual`. Additionally, exceptions resulting from the stack overflow must not be caught. This vulnerability is fixed in version 1.13.8. (CVE-2026-27601)
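Every precondition listed above hinges on one thing the application controls: how deeply nested an attacker-supplied structure is allowed to become before a recursive helper sees it. The following is an added example, not code from the advisory or from Underscore.js, showing how to bound that depth on the untrusted side: a raw-text scan that rejects over-nested JSON before `JSON.parse` ever runs, plus an iterative depth check for values that arrive already parsed. The limit `MAX_DEPTH = 64`, the function names and the sample payloads are assumptions chosen for illustration.

```javascript
// Added example (not part of the openEuler advisory or Underscore.js):
// bounding the nesting depth of untrusted JSON before it can reach
// recursive helpers such as _.flatten or _.isEqual.

const MAX_DEPTH = 64; // assumed limit; set it to what the application really needs

// Scan raw JSON text and return the deepest array/object nesting level,
// ignoring brackets that appear inside string literals. It runs before
// JSON.parse, so a hostile payload is rejected without the structure
// ever being built. The scan is linear and uses no recursion itself.
function rawJsonDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === ']' || ch === '}') {
      depth--;                          // malformed text may go negative; JSON.parse rejects it later
    }
  }
  return maxDepth;
}

// Parse only if the nesting depth is within the limit; otherwise refuse
// with a RangeError the caller can map to a 4xx response.
function parseBounded(text, maxDepth = MAX_DEPTH) {
  const depth = rawJsonDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Depth of an already-parsed value, measured with an explicit stack so the
// guard cannot itself overflow on the input it is meant to screen.
// Primitives have depth 0; [] and {} have depth 1.
function nestingDepth(value) {
  let maxDepth = 0;
  const stack = [{ node: value, depth: 1 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > maxDepth) maxDepth = depth;
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) {
      stack.push({ node: child, depth: depth + 1 });
    }
  }
  return maxDepth;
}

// Demo on constructed inputs: a normal payload passes, an over-nested one is rejected.
const demoSafe = '{"items":[[1,2],[3,4]]}';
const demoHostile = '['.repeat(100000) + ']'.repeat(100000); // constructed: 100k nested arrays
console.log('safe depth:', rawJsonDepth(demoSafe), 'parsed:', JSON.stringify(parseBounded(demoSafe)));
try {
  parseBounded(demoHostile);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Because the check runs before the structure exists, it covers both call paths the advisory describes (`_.flatten` on all-array input and `_.isEqual` on two client-supplied structures) and does not depend on catching a stack overflow after the fact. On the library side the advisory also notes that passing a finite depth as the second argument to `_.flatten` removes that function's exposure; updating to 1.13.8 removes both.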
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27601 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026