CVE-2025-50537

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-50537
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50537.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-50537
Aliases
Downstream
Published
2026-01-26T16:15:58.330Z
Modified
2026-01-29T15:11:17.153216Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

References

Affected packages

Git / github.com/eslint/eslint

Affected ranges

Type
GIT
Repo
https://github.com/eslint/eslint
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8bbabc4691d97733a422180c71eba6c097b35475

Affected versions

v0.*

v0.0.2
v0.0.4
v0.0.5
v0.0.9
v0.1.3
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.21.1
v0.21.2
v0.22.0
v0.22.1
v0.23.0
v0.24.0

v1.*

v1.0.0
v1.0.0-rc-1
v1.0.0-rc-2
v1.0.0-rc-3
v1.1.0
v1.10.1
v1.10.2
v1.10.3
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.8.0
v1.9.0

v2.*

v2.0.0
v2.0.0-alpha-1
v2.0.0-alpha-2
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-rc.0
v2.0.0-rc.1
v2.1.0
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.6.0
v2.7.0
v2.8.0
v2.9.0

v3.*

v3.0.0
v3.0.1
v3.1.0
v3.1.1
v3.10.0
v3.10.1
v3.10.2
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.12.2
v3.13.0
v3.13.1
v3.14.0
v3.14.1
v3.15.0
v3.16.0
v3.16.1
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.4.0
v3.5.0
v3.6.0
v3.6.1
v3.7.0
v3.7.1
v3.8.0
v3.8.1
v3.9.0
v3.9.1

v4.*

v4.0.0
v4.0.0-alpha.0
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-beta.0
v4.0.0-rc.0
v4.1.0
v4.1.1
v4.10.0
v4.11.0
v4.12.0
v4.12.1
v4.13.0
v4.13.1
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.18.1
v4.18.2
v4.19.0
v4.19.1
v4.2.0
v4.3.0
v4.4.0
v4.4.1
v4.5.0
v4.6.0
v4.6.1
v4.7.0
v4.7.1
v4.7.2
v4.8.0

v5.*

v5.0.0
v5.0.0-alpha.0
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-rc.0
v5.0.1
v5.1.0
v5.10.0
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.13.0
v5.14.0
v5.14.1
v5.15.0
v5.15.1
v5.15.2
v5.15.3
v5.16.0
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.7.0
v5.8.0
v5.9.0

v6.*

v6.0.0
v6.0.0-alpha.0
v6.0.0-alpha.1
v6.0.0-alpha.2
v6.0.0-rc.0
v6.0.1
v6.1.0
v6.2.0
v6.2.1
v6.2.2
v6.3.0
v6.4.0
v6.5.0
v6.5.1
v6.6.0
v6.7.0
v6.7.1
v6.7.2
v6.8.0

v7.*

v7.0.0
v7.0.0-alpha.0
v7.0.0-alpha.1
v7.0.0-alpha.2
v7.0.0-alpha.3
v7.0.0-rc.0
v7.1.0
v7.10.0
v7.11.0
v7.12.0
v7.12.1
v7.13.0
v7.14.0
v7.15.0
v7.16.0
v7.17.0
v7.18.0
v7.19.0
v7.2.0
v7.20.0
v7.21.0
v7.22.0
v7.23.0
v7.24.0
v7.25.0
v7.26.0
v7.27.0
v7.28.0
v7.29.0
v7.3.0
v7.3.1
v7.30.0
v7.31.0
v7.32.0
v7.4.0
v7.5.0
v7.6.0
v7.7.0
v7.8.0
v7.8.1
v7.9.0

v8.*

v8.0.0
v8.0.0-beta.0
v8.0.0-beta.1
v8.0.0-beta.2
v8.0.0-rc.0
v8.0.1
v8.1.0
v8.10.0
v8.11.0
v8.12.0
v8.13.0
v8.14.0
v8.15.0
v8.16.0
v8.17.0
v8.18.0
v8.19.0
v8.2.0
v8.20.0
v8.21.0
v8.22.0
v8.23.0
v8.23.1
v8.24.0
v8.25.0
v8.26.0
v8.27.0
v8.28.0
v8.29.0
v8.3.0
v8.30.0
v8.31.0
v8.32.0
v8.33.0
v8.34.0
v8.35.0
v8.36.0
v8.37.0
v8.38.0
v8.39.0
v8.4.0
v8.4.1
v8.40.0
v8.41.0
v8.42.0
v8.43.0
v8.44.0
v8.45.0
v8.46.0
v8.47.0
v8.48.0
v8.49.0
v8.5.0
v8.50.0
v8.51.0
v8.52.0
v8.53.0
v8.54.0
v8.55.0
v8.56.0
v8.6.0
v8.7.0
v8.8.0
v8.9.0

v9.*

v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.0-alpha.2
v9.0.0-beta.0
v9.0.0-beta.1
v9.0.0-beta.2
v9.0.0-rc.0
v9.1.0
v9.1.1
v9.10.0
v9.11.0
v9.11.1
v9.12.0
v9.13.0
v9.14.0
v9.15.0
v9.16.0
v9.17.0
v9.18.0
v9.19.0
v9.2.0
v9.20.0
v9.20.1
v9.21.0
v9.22.0
v9.23.0
v9.24.0
v9.25.0
v9.25.1
v9.3.0
v9.4.0
v9.5.0
v9.6.0
v9.7.0
v9.8.0
v9.9.0
v9.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50537.json"