Apache Thrift Node.js stack overflow (CVE-2026-41636)
Vendor-confirmed: CVE-2026-41636 is a high-severity uncontrolled recursion vulnerability in the Apache Thrift Node.js bindings before 0.23.0 that lets an unauthenticated remote attacker crash the service by sending a specially crafted message. Patched in version 0.23.0; update immediately.
Overview
CVE-2026-41636 affects the Node.js language bindings of Apache Thrift, a cross-language serialization and RPC framework. The flaw originates from improper input validation when the server processes recursive data structures. An attacker can craft a deeply nested or self-referential Thrift message that causes the Node.js runtime to exhaust its call stack, leading to a denial of service (DoS).
The vulnerability is remotely exploitable over the network without authentication or user interaction (CVSS v3.1: 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Attack complexity is low and no privileges are required. Although no public proof-of-concept code has been confirmed, the low complexity increases the likelihood of future exploitation.
Impact
Successful exploitation crashes the Node.js process handling Thrift messages, disrupting any service relying on the affected bindings. This can be repeated to sustain a denial of service. Data confidentiality and integrity are not directly compromised.
Remedy
Upgrade Apache Thrift Node.js bindings to version 0.23.0 or later. The fix adds recursion-depth limits to prevent stack exhaustion. If an immediate upgrade is not possible, consider deploying a Web Application Firewall (WAF) or reverse proxy that inspects Thrift message payloads for excessive nesting depth to mitigate the risk.
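To make the fix concrete, the following is an added example (not Apache Thrift's own code) of a minimal recursive struct reader for a TBinaryProtocol-like subset, showing the depth guard that turns hostile nesting into a catchable protocol error. The TType values, the 64-level limit, the wire layout and the constructed test message are all assumptions for illustration.

```javascript
// Added illustrative code, not the Apache Thrift Node.js implementation. The wire
// format is a constructed TBinaryProtocol-like subset: a STRUCT is a run of fields
// (type:u8, id:i16 BE, value) ended by STOP; an I32 is four bytes BE.
const TType = { STOP: 0, I32: 8, STRUCT: 12 };
const DEFAULT_MAX_DEPTH = 64; // assumed limit, not the value Thrift 0.23.0 uses
class ProtocolError extends Error {}

class Reader {
  constructor(buf, maxDepth = DEFAULT_MAX_DEPTH) {
    this.buf = buf; this.pos = 0; this.depth = 0; this.maxDepth = maxDepth;
  }
  readByte() { if (this.pos >= this.buf.length) throw new ProtocolError('truncated'); return this.buf[this.pos++]; }
  readI16() { const v = (this.readByte() << 8) | this.readByte(); return v & 0x8000 ? v - 0x10000 : v; }
  readI32() { return (this.readByte() << 24) | (this.readByte() << 16) | (this.readByte() << 8) | this.readByte(); }
  readStruct() {
    // The guard the fix adds: bound nesting so hostile input yields a protocol
    // error the server can handle, instead of exhausting the JS call stack.
    if (++this.depth > this.maxDepth) throw new ProtocolError(`nesting deeper than ${this.maxDepth}`);
    const fields = {};
    for (let ftype = this.readByte(); ftype !== TType.STOP; ftype = this.readByte()) {
      const fid = this.readI16();
      fields[fid] = this.readValue(ftype); // recursion happens here for STRUCT fields
    }
    this.depth--;
    return fields;
  }
  readValue(ftype) {
    if (ftype === TType.I32) return this.readI32();
    if (ftype === TType.STRUCT) return this.readStruct();
    throw new ProtocolError(`unsupported type ${ftype}`);
  }
}

// Constructed test message: `depth` structs nested through field 1, the innermost
// holding I32 field 2 = 42. The reader sees depth + 1 levels (outer message counts).
function nestedMessage(depth) {
  const bytes = [];
  for (let i = 0; i < depth; i++) bytes.push(TType.STRUCT, 0, 1);
  bytes.push(TType.I32, 0, 2, 0, 0, 0, 42);
  for (let i = 0; i <= depth; i++) bytes.push(TType.STOP);
  return Uint8Array.from(bytes);
}

// Decode and report the outcome; `error` is the exception class name.
function decode(buf, maxDepth = DEFAULT_MAX_DEPTH) {
  try { return { ok: true, value: new Reader(buf, maxDepth).readStruct() }; }
  catch (e) { return { ok: false, error: e.constructor.name }; }
}

console.log(decode(nestedMessage(5)).ok, decode(nestedMessage(1000)).error,
  decode(nestedMessage(1000000), Infinity).error); // true ProtocolError RangeError
```

Passing `Infinity` as the limit models the unpatched reader: the same input that the guarded reader rejects with a ProtocolError instead unwinds as a RangeError from the exhausted call stack, which in a real server is the process crash the advisory describes.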
Security Insight
This vulnerability follows a pattern of deserialization-related issues in cross-language RPC frameworks. The Node.js bindings lacked recursion-depth checking that adjacent language bindings (such as Java and C++) already enforced for years. The incident underscores that porting a library across runtimes requires re-auditing safety boundaries, not just translating code. Organizations using Apache Thrift should review their language-specific bindings as part of their dependency management process, particularly for recursion and resource-exhaustion limits. For context on related Thrift and RPC framework security, see the recent Apache ActiveMQ CVE-2026-34197 advisory.