CVE-2026-53433
Status: Awaiting Analysis (queued)

fzf Denial of Service via HTTP Body Processing

Vulnerability report for CVE-2026-53433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CERT.PL

Description

fzf is vulnerable to a Denial of Service (DoS) in its --listen mode. The HTTP server assembles the request body with repeated string concatenation, which has quadratic time complexity (O(n²)) in the number of pieces appended. A crafted POST request whose body arrives in many small segments therefore causes excessive CPU usage during request handling. Because the HTTP server is single-threaded, one malicious request can monopolize it, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.


Meta Information

EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor    Product  Version / Range
junegunn  fzf      0.73.1

The description names 0.73.1 as the release that contains the fix, so read this row as the fix boundary: earlier releases that expose the --listen HTTP server should be treated as affected until the NVD or CERT.PL record states an explicit range.

Exploitability

CWE: CWE-407 (Inefficient Algorithmic Complexity). An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Executive Summary

The vulnerability in fzf is a Denial of Service (DoS) issue caused by inefficient HTTP body processing in the --listen mode. Specifically, the server builds the incoming HTTP POST body by repeatedly concatenating each piece it reads onto a string. Every concatenation copies the whole body accumulated so far, so the total work grows quadratically (O(n²)) with the number of pieces.

An attacker exploits this by sending a POST request whose body is delivered in many small segments, forcing the server to perform one full copy per segment and burning excessive CPU. Because the HTTP server is single-threaded, that one request monopolizes the server's processing time, blocking all other clients and causing a denial of service.
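The following Go program is an added example, not fzf's own server code, that makes the quadratic cost concrete. `segmentedReader` is a constructed stand-in for a connection whose peer sends the body in fixed-size pieces; `readBodyConcat` assembles the body with string `+=` as the advisory describes the vulnerable pattern, and `readBodyBuilder` uses `strings.Builder` as the linear alternative. The copy counters are the example's own accounting, and the 4096-byte all-"A" payload is constructed sample input.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// segmentedReader hands out its payload in fixed-size pieces no matter how
// large the caller's buffer is. It imitates a network connection whose peer
// deliberately sends the body in many small TCP segments (constructed input).
type segmentedReader struct {
	data []byte
	seg  int
}

func (s *segmentedReader) Read(p []byte) (int, error) {
	if len(s.data) == 0 {
		return 0, io.EOF
	}
	n := s.seg
	if n > len(s.data) {
		n = len(s.data)
	}
	if n > len(p) {
		n = len(p)
	}
	n = copy(p, s.data[:n])
	s.data = s.data[n:]
	return n, nil
}

// readBodyConcat assembles the body the way the advisory describes the
// vulnerable server doing it: every read is appended with string +=.
// Each += allocates a fresh string and copies everything accumulated so far,
// so the bytes copied grow as O(n^2) in the number of segments.
// The second return value is the example's count of bytes copied.
func readBodyConcat(r io.Reader) (string, int) {
	body := ""
	copied := 0
	buf := make([]byte, 1024)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			body += string(buf[:n]) // copies the old body plus the new piece
			copied += len(body)
		}
		if err != nil {
			return body, copied
		}
	}
}

// readBodyBuilder is the linear-time alternative: strings.Builder appends in
// place and grows its backing array geometrically, so the total work stays
// O(n). Its occasional growth copies are amortised and not counted here.
func readBodyBuilder(r io.Reader) (string, int) {
	var sb strings.Builder
	copied := 0
	buf := make([]byte, 1024)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			sb.Write(buf[:n])
			copied += n
		}
		if err != nil {
			return sb.String(), copied
		}
	}
}

// CompareCopies feeds a bodyLen-byte body, delivered in segLen-byte segments,
// through both strategies and reports the bytes each one copied plus whether
// they produced identical bodies.
func CompareCopies(bodyLen, segLen int) (concatCopies, builderCopies int, same bool) {
	payload := []byte(strings.Repeat("A", bodyLen)) // constructed sample body
	b1, c1 := readBodyConcat(&segmentedReader{data: append([]byte(nil), payload...), seg: segLen})
	b2, c2 := readBodyBuilder(&segmentedReader{data: append([]byte(nil), payload...), seg: segLen})
	return c1, c2, b1 == b2
}

func main() {
	// Same 4 KiB body, delivered in ever smaller segments: the concat cost
	// explodes while the builder cost stays equal to the body length.
	for _, seg := range []int{1024, 16, 1} {
		c, b, _ := CompareCopies(4096, seg)
		fmt.Printf("body=4096B segment=%4dB  concat copies=%9d  builder copies=%d\n", seg, c, b)
	}
}
```

The shape of the attack is visible in the numbers: for a body of n bytes sent one byte at a time the concatenating reader copies n(n+1)/2 bytes, so a modest body turns into hundreds of thousands of copied bytes, while a whole-body-per-read client sees no difference between the two strategies. That is why "many small segments" rather than "a large body" is the trigger.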

Impact Analysis

This vulnerability can impact you by allowing a malicious user to send a specially crafted POST request that consumes excessive CPU resources on the fzf server running in --listen mode.

Because the server is single-threaded, this excessive CPU usage blocks all other clients from being served, effectively causing a denial of service. This means legitimate users may experience service unavailability or severe delays.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage on the system running fzf in --listen mode, especially when handling HTTP POST requests. A crafted POST request with many small segments can cause excessive CPU consumption, leading to denial of service.

To detect exploitation attempts, capture and analyze HTTP traffic to the fzf server's listening port and look for POST requests whose body arrives across an unusually large number of small TCP segments, which is the shape the crafted request has to take to reach the quadratic worst case.

Example commands to help detect this vulnerability include:

  • Watch CPU usage with `top` or `htop`; the indicator is an fzf process pinned at a full core while its --listen port stops answering.
  • Capture traffic on the listening port (replace <port> with the actual port; `-i any` also covers the loopback interface, which matters if the server is bound to 127.0.0.1): `tcpdump -i any port <port> -w capture.pcap`
  • List the POST requests in the capture: `tshark -r capture.pcap -Y 'http.request.method == "POST"'`
  • Check how the bodies were delivered: `tshark -r capture.pcap -q -z conv,tcp` reports frames and bytes per TCP conversation, so a conversation to the listen port with a high frame count and very few bytes per frame is the pattern to flag.
  • Check logs of the fzf server (if available) for repeated or large POST requests.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade fzf to version 0.73.1 or later, where body assembly no longer relies on repeated string concatenation.

Until the upgrade can be applied, restrict who can reach the --listen port: bind it to a loopback address where possible and use host firewall rules to limit connections to trusted local clients, since any client that can open a TCP connection to the port can send the crafted request. Note that the --listen API is itself driven by HTTP POST, so blocking POST outright disables legitimate use along with the attack.

Additionally, monitor CPU usage and network traffic to detect and respond to potential exploitation attempts promptly.

Compliance Impact

The provided context and resources do not contain any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
