CVE-2026-39376
Received Received - Intake
Unbounded Recursion in FastFeedParser Causes Denial of Service

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL β€” with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39376
EUVD
EUVD-2026-19915
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kagi fastfeedparser to 0.5.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39376 is a high-severity vulnerability in the Python package fastfeedparser (versions up to 0.5.9). The issue occurs in the parse() function when it processes URLs that return HTML pages containing a <meta http-equiv="refresh"> tag. The function recursively calls itself with the redirect URL from the meta-refresh tag without any limits on recursion depth, no tracking of visited URLs, and no cap on the number of redirects.

This unbounded recursion can be exploited by an attacker-controlled server that returns an infinite chain of meta-refresh redirects, causing the parser to recurse indefinitely. This exhausts the Python call stack and crashes the process with a RecursionError, resulting in a denial-of-service (DoS).

Additionally, this vulnerability can be chained with a companion Server-Side Request Forgery (SSRF) issue, allowing attackers to bypass initial URL checks and reach internal network targets by redirecting to internal addresses.

Impact Analysis

This vulnerability can cause denial-of-service by exhausting server resources through unbounded recursion, crashing the process or indefinitely tying up server worker threads.

It can also be exploited in combination with SSRF to access internal network targets that are normally protected by application-level URL validation.

Any application using fastfeedparser to parse user-supplied feed URLs, such as RSS aggregators or feed preview services, is at risk. No authentication or user interaction is required for exploitation.

Detection Guidance

This vulnerability can be detected by observing if the fastfeedparser process crashes or hangs due to unbounded recursion when parsing URLs that return HTML pages with meta-refresh tags.

A proof-of-concept involves monkeypatching the internal URL fetch function to simulate infinite meta-refresh redirects, causing recursion errors after multiple calls.

To detect this on your system, monitor for Python processes using fastfeedparser that crash with RecursionError or hang for extended periods (up to several hours) when parsing feeds.

  • Use system monitoring commands like `ps aux | grep python` to identify stuck or crashed processes.
  • Check application logs for RecursionError exceptions or unusually long processing times on feed parsing.
  • If you have access to the source code, add logging around the `parse()` function to detect repeated recursive calls triggered by meta-refresh tags.
Mitigation Strategies

The immediate mitigation step is to upgrade fastfeedparser to version 0.5.10 or later, where this vulnerability is fixed.

Until the upgrade is applied, consider implementing input validation to block URLs that return HTML pages with meta-refresh tags or limit the recursion depth in the parsing logic if possible.

Additionally, monitor and restrict outgoing HTTP requests from the parser to prevent SSRF chaining attacks targeting internal network addresses.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39376. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart