CVE-2026-27601
Received Received - Intake
Stack Overflow DoS in Underscore.js _.flatten and _.isEqual

Publication date: 2026-03-03

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27601
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
underscorejs underscore to 1.13.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Underscore.js library prior to version 1.13.8, specifically in the _.flatten and _.isEqual functions. These functions use recursion without a depth limit, which under very specific conditions can be exploited by an attacker to cause a stack overflow, leading to a Denial of Service (DoS) attack.

To exploit this, an attacker must supply untrusted input that creates a deeply recursive data structure, for example by using JSON.parse without enforcing a depth limit. This data structure is then passed to _.flatten or _.isEqual.

For _.flatten, exploitation requires that the data structure consists only of arrays at all levels and that no finite depth limit is provided as the second argument. For _.isEqual, exploitation requires a scenario where two distinct but equivalent data structures submitted by the same remote client are compared.

If a stack overflow occurs during these function calls, exceptions are not caught, which can crash the application or cause it to become unresponsive.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) attack against applications using vulnerable versions of Underscore.js. An attacker can cause the application to crash or become unresponsive by triggering a stack overflow through specially crafted recursive data structures.

Such an attack can disrupt service availability, potentially affecting users and business operations that rely on the affected application.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Underscore.js library to version 1.13.8 or later, where the issue is fixed.

Additionally, avoid passing untrusted input that creates deeply recursive data structures to the _.flatten or _.isEqual functions without enforcing a finite depth limit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart