CVE-2026-42355

Source
https://cve.org/CVERecord?id=CVE-2026-42355
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42355.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42355
Aliases
  • GHSA-4gxf-p4q6-gfrf
Published
2026-05-12T19:20:35.273Z
Modified
2026-07-15T01:49:02.959566650Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
Summary
NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion
Details

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42355.json",
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/m2team/nanazip

Affected ranges

Type
GIT
Repo
https://github.com/m2team/nanazip
Events
Database specific
{
    "cpe": "cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "5.0.1250.0"
        },
        {
            "fixed": "6.0.1698.0"
        }
    ]
}

Affected versions

5.*
5.0.1250.0
5.0.1252.0
5.0.1263.0
5.1.1252.0
5.1.1263.0
6.*
6.0.1461.0
6.0.1621.0
6.0.1630.0
6.0.1632.0
6.0.1638.0
6.0.1650.0
6.0.1691.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42355.json"