Underscore.js: Deep Recursion Vulnerability Allows Denial of Service
OESA-2026-1581
Summary
A security update is available for nodejs-underscore, the openEuler package of Underscore.js, a widely used JavaScript utility library. Before version 1.13.8, `_.flatten` and `_.isEqual` recurse without a depth limit. An attacker who can get a deeply nested data structure into your application (typically by submitting nested JSON that is parsed with no depth limit) and have it reach one of those two functions can exhaust the call stack; if the resulting exception is not caught, the process crashes (denial of service). The fix is to update to Underscore.js 1.13.8.
What to do
- Update nodejs-underscore to version 1.13.8-1.oe2403sp1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| openEuler | nodejs-underscore | < 1.13.8-1.oe2403sp1 | 1.13.8-1.oe2403sp1 |
Original title
nodejs-underscore security update
Original description
Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.
Security Fix(es):
Underscore.js is a utility-belt library for JavaScript. Prior to version 1.13.8, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, an attacker could exploit this to cause a Denial of Service (DoS) attack by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to create a deeply recursive data structure (e.g., via `JSON.parse` with no enforced depth limit), and this structure must be passed to `_.flatten` or `_.isEqual`. For `_.flatten`, the attacker must be able to prepare a data structure consisting solely of arrays at all levels, and no finite depth limit must be passed as the second argument to `_.flatten`. For `_.isEqual`, there must exist a code path where two distinct but structurally equivalent data structures, submitted by the same remote client, are compared using `_.isEqual`. Additionally, exceptions resulting from the stack overflow must not be caught. This vulnerability is fixed in version 1.13.8. (CVE-2026-27601)
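The description above lists the preconditions for the crash: untrusted input parsed into a deeply nested structure, then handed to an unbounded recursive walk. The following is an added example, not code from Underscore.js or from the openEuler advisory, showing the two controls a practitioner would put in place while the update rolls out: a nesting-depth check on the raw JSON text before `JSON.parse`, and a flatten that uses an explicit work stack instead of the call stack, with a finite depth argument. The fragile recursive flatten is included only to show the failure mode (a `RangeError` from stack exhaustion). The function names, the 64-level budget and the sample inputs are this example's own assumptions.

```javascript
// Added example for CVE-2026-27601; not Underscore.js code. Limits, names and
// sample inputs are assumptions chosen for illustration.

// Maximum bracket nesting of a JSON document, measured on the raw text so the
// check runs before JSON.parse builds anything. Brackets inside string
// literals (including escaped quotes within them) are ignored.
function jsonNestingDepth(text) {
  let depth = 0;
  let max = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;              // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '[' || ch === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === ']' || ch === '}') {
      depth--;
    }
  }
  return max;
}

// Parse untrusted JSON only if its nesting stays within a fixed budget.
// A body-size limit alone does not help: 20 KB of '[' is 20,000 levels.
function parseBoundedJson(text, maxDepth = 64) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`JSON nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return JSON.parse(text);
}

// Constructed sample input: n arrays nested around one leaf, e.g. "[[[1]]]".
function nestedArrayText(n) {
  return '['.repeat(n) + '1' + ']'.repeat(n);
}

// Same shape built in memory with a loop, so constructing it cannot overflow.
function nestedArray(n) {
  let value = [1];
  for (let i = 1; i < n; i++) value = [value];
  return value;
}

// The fragile pattern: recursion with no depth limit. One call-stack frame per
// nesting level, so deep input throws RangeError ("Maximum call stack size
// exceeded"); if nothing catches it, the process dies.
function flattenRecursive(arr, out = []) {
  for (const item of arr) {
    if (Array.isArray(item)) flattenRecursive(item, out);
    else out.push(item);
  }
  return out;
}

// Hardened form: an explicit work stack on the heap plus a depth budget.
// Arrays nested deeper than maxDepth are kept as-is rather than expanded,
// matching the behaviour of a finite depth argument (1 = one level).
function flattenIterative(arr, maxDepth = Infinity) {
  const out = [];
  const stack = [[arr, 0, 0]];           // [array, next index, nesting depth]
  while (stack.length > 0) {
    const frame = stack[stack.length - 1];
    const [items, index, depth] = frame;
    if (index >= items.length) { stack.pop(); continue; }
    frame[1] = index + 1;
    const item = items[index];
    if (Array.isArray(item) && depth < maxDepth) stack.push([item, 0, depth + 1]);
    else out.push(item);
  }
  return out;
}

function demo() {
  const hostile = nestedArrayText(200000);   // constructed attacker payload
  try {
    parseBoundedJson(hostile);
  } catch (e) {
    console.log('rejected before parse:', e.message);
  }
  const deep = nestedArray(200000);
  try {
    flattenRecursive(deep);
  } catch (e) {
    console.log('recursive flatten failed:', e.constructor.name);
  }
  console.log('iterative flatten:', JSON.stringify(flattenIterative(deep)));
  console.log('one level only:', JSON.stringify(flattenIterative([1, [2, [3, [4]]]], 1)));
}
demo();
```

The depth check costs one linear pass over the request body and rejects the payload before any object graph exists, which also protects other recursive consumers (`_.isEqual`, schema validators, serializers) that the updated library does not cover. Keep the depth budget small; legitimate API payloads rarely exceed a few dozen levels.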
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27601 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026