CVE-2026-39376
Unbounded Recursion in FastFeedParser Causes Denial of Service
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kagi | fastfeedparser | to 0.5.10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-39376 is a high-severity vulnerability in the Python package fastfeedparser (versions up to 0.5.9). The issue occurs in the parse() function when it processes URLs that return HTML pages containing a <meta http-equiv="refresh"> tag. The function recursively calls itself with the redirect URL from the meta-refresh tag without any limits on recursion depth, no tracking of visited URLs, and no cap on the number of redirects.
This unbounded recursion can be exploited by an attacker-controlled server that returns an infinite chain of meta-refresh redirects, causing the parser to recurse indefinitely. This exhausts the Python call stack and crashes the process with a RecursionError, resulting in a denial-of-service (DoS).
Additionally, this vulnerability can be chained with a companion Server-Side Request Forgery (SSRF) issue, allowing attackers to bypass initial URL checks and reach internal network targets by redirecting to internal addresses.
How can this vulnerability impact me? :
This vulnerability can cause denial-of-service by exhausting server resources through unbounded recursion, crashing the process or indefinitely tying up server worker threads.
It can also be exploited in combination with SSRF to access internal network targets that are normally protected by application-level URL validation.
Any application using fastfeedparser to parse user-supplied feed URLs, such as RSS aggregators or feed preview services, is at risk. No authentication or user interaction is required for exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing if the fastfeedparser process crashes or hangs due to unbounded recursion when parsing URLs that return HTML pages with meta-refresh tags.
A proof-of-concept involves monkeypatching the internal URL fetch function to simulate infinite meta-refresh redirects, causing recursion errors after multiple calls.
To detect this on your system, monitor for Python processes using fastfeedparser that crash with RecursionError or hang for extended periods (up to several hours) when parsing feeds.
- Use system monitoring commands like `ps aux | grep python` to identify stuck or crashed processes.
- Check application logs for RecursionError exceptions or unusually long processing times on feed parsing.
- If you have access to the source code, add logging around the `parse()` function to detect repeated recursive calls triggered by meta-refresh tags.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade fastfeedparser to version 0.5.10 or later, where this vulnerability is fixed.
Until the upgrade is applied, consider implementing input validation to block URLs that return HTML pages with meta-refresh tags or limit the recursion depth in the parsing logic if possible.
Additionally, monitor and restrict outgoing HTTP requests from the parser to prevent SSRF chaining attacks targeting internal network addresses.