11---
22gem : iodine
3+ cve : 2026-41146
34ghsa : 2x79-gwq3-vxxm
4- url : https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm
5+ url : https://nvd.nist.gov/vuln/detail/CVE-2026-41146
56title : Uncontrolled resource consumption and loop with unreachable
67 exit condition in facil.io and downstream iodine ruby gem
78date : 2026-04-14
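Review bot: the primary `url:` is switched from the maintainer's GHSA advisory to the NVD entry, while the GHSA link is demoted to `related.url`; since NVD records typically carry less detail than the upstream advisory, consider keeping `https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm` as the primary `url` and listing the NVD page under `related.url`, which this patch already adds there, so the first link a reader follows is the project's own write-up.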
@@ -11,8 +12,10 @@ description: |
1112 `fio_json_parse` can enter an infinite loop when it encounters a
1213 nested JSON value starting with `i` or `I`. The process spins in
1314 user space and pegs one CPU core at ~100 instead of returning a
14- parse error. Because `iodine` vendors the same parser code, the
15- issue also affects `iodine` when it parses attacker-controlled JSON.
15+ parse error.
16+
17+ Because `iodine` gem vendors the same parser code, the issue also
18+ affects `iodine` gem when it parses attacker-controlled JSON.
1619
1720 The smallest reproducer found is `[i`. The quoted-value form that
1821 originally exposed the issue, `[""i`, reaches the same bug because
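Review bot: the rewritten sentence `Because `iodine` gem vendors the same parser code, the issue also affects `iodine` gem` drops the article in both places; suggest `Because the `iodine` gem vendors the same parser code, the issue also affects the `iodine` gem`. While this paragraph is being touched, the unchanged context line `pegs one CPU core at ~100 instead of` is missing the `%` after `~100`.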
@@ -254,8 +257,15 @@ description: |
254257 - Verified on tag / gem version `v0.7.58`
255258 - The gem vendors a copy of the vulnerable parser in
256259 `ext/iodine/fio_json_parser.h`
260+ cvss_v4 : 8.7
257261related :
258262 url :
263+ - https://nvd.nist.gov/vuln/detail/CVE-2026-41146
259264 - https://github.com/boazsegev/iodine/releases/tag/v0.7.58
265+ - https://github.com/boazsegev/iodine/commit/0855989d74098d838b972520835cfc256bc479bc
266+ - https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0
260267 - https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm
261268 - https://github.com/advisories/GHSA-2x79-gwq3-vxxm
269+ notes : |
270+ - FYI: iodine commit above contains the unreleased patch.
271+ - Found GHSA's `patched_versions:` field is "0.7.59" but never released.
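Review bot: the second `notes:` bullet records that GHSA's `patched_versions:` value "0.7.59" was never released, but this hunk does not show the advisory file's own `patched_versions:` field; please confirm it is not copying `0.7.59` from GHSA, since tooling that consumes this file would otherwise treat an unpublished version as the fix and report installs of it as safe. Separately, `cvss_v4: 8.7` is added without saying where the score was taken from; a short mention in `notes:` (GHSA or NVD) would let later reviewers verify it.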