CVE-2025-50537
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-02-04

Assigner: MITRE

Description
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-02-04
Generated
2026-05-07
AI Q&A
2026-01-26
EPSS Evaluated
2026-05-05
NVD
CVE-2025-50537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openjsf eslint to 9.26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stack overflow in ESLint versions before 9.26.0 caused by improper handling of objects with circular references during serialization. Specifically, the function isSerializable() in eslint/lib/shared/serialization.js does not detect circular references and recursively processes them infinitely, leading to a stack overflow error. This occurs when RuleTester.run() validates test cases containing circular references, causing ESLint to crash or become unresponsive. [1, 2]


How can this vulnerability impact me? :

The vulnerability can cause ESLint to crash or become unresponsive when processing code or configurations containing circular references, resulting in denial of service. It may disrupt development workflows by making ESLint unstable or unusable. Additionally, depending on the runtime environment, it might enable code execution, posing a security risk. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to run ESLint's RuleTester.run() method with test cases containing circular references. A stack overflow or 'maximum call stack size exceeded' error indicates the presence of the vulnerability. Specifically, you can create a test case object that references itself (circular reference) and pass it to RuleTester.run() to see if ESLint crashes or becomes unresponsive. There are no specific network commands, but running ESLint in a controlled environment with such crafted test cases can reveal the issue. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ESLint to version 9.26.0 or later, where the vulnerability has been fixed. Until then, avoid running ESLint RuleTester.run() with test cases containing circular references. Additionally, review and sanitize test case objects to ensure they do not contain circular references before passing them to ESLint. [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart