Aardappel Lobster 2025.4 Has Uncontrolled Recursion Flaw

Summary

A bug in Aardappel Lobster version 2025.4 can cause a software loop that uses up too much computer resources. This only happens when an attacker has direct access to the affected computer. To fix this, update to version 2026.1, which has a patch for this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
strlen	lobster	<= 2026.1	–

Original title

A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontr...

Original description

A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.

nvd CVSS2.0 1.7

nvd CVSS3.1 5.5

nvd CVSS4.0 4.8

Vulnerability type

CWE-404

CWE-674

https://github.com/aardappel/lobster/ Product
https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9f... Patch
https://github.com/aardappel/lobster/issues/397 Exploit Issue Tracking Vendor Advisory
https://github.com/aardappel/lobster/issues/397#issuecomment-3849015088 Exploit Issue Tracking Vendor Advisory
https://github.com/aardappel/lobster/releases/tag/v2026.1 Release Notes
https://github.com/oneafter/0204/blob/main/lob3/repro.lobster Third Party Advisory
https://vuldb.com/?ctiid.347181 Permissions Required VDB Entry
https://vuldb.com/?id.347181 Third Party Advisory VDB Entry
https://vuldb.com/?submit.755026 Third Party Advisory VDB Entry