CVE-2025-50537

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc	Third Party Advisory
https://github.com/eslint/eslint/issues/19646	Exploit Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openjsf:eslint:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-01-26 16:15

Updated : 2026-02-04 15:11

NVD link : CVE-2025-50537

Mitre link : CVE-2025-50537

CVE.ORG link : CVE-2025-50537

JSON object : View

Products Affected

openjsf

eslint

CWE

CWE-674

Uncontrolled Recursion

{"id": "CVE-2025-50537", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-01-26T16:15:58.330", "references": [{"url": "https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/eslint/eslint/issues/19646", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-674"}]}], "descriptions": [{"lang": "en", "value": "Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de pila en eslint anterior a la 9.26.0 al serializar objetos con referencias circulares en eslint/lib/shared/serialization.js. El exploit se activa a trav\u00e9s del m\u00e9todo RuleTester.run(), que valida los casos de prueba y busca duplicados. Durante la validaci\u00f3n, se llama a la funci\u00f3n interna checkDuplicateTestCase(), que a su vez utiliza la funci\u00f3n isSerializable() para las comprobaciones de serializaci\u00f3n. Cuando se pasa un objeto con referencia circular, isSerializable() entra en recursi\u00f3n infinita, lo que finalmente causa un desbordamiento de pila."}], "lastModified": "2026-02-04T15:11:00.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openjsf:eslint:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F7AC358D-8192-4DFC-8039-5C0B0B14E714", "versionEndExcluding": "9.26.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}