Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.
Security Fix(es):
Prior to version 1.13.8, the _.flatten and _.isEqual functions recurse without a depth limit. Under very specific conditions, an attacker can exploit this to cause a denial of service (DoS) by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to build a deeply nested data structure (e.g., via JSON.parse with no enforced depth limit), and that structure must be passed to _.flatten or _.isEqual. For _.flatten, the attacker must be able to supply a structure consisting solely of arrays at every level, and no finite depth limit may be passed as the second argument to _.flatten. For _.isEqual, there must be a code path in which two distinct but structurally equivalent data structures, both submitted by the same remote client, are compared with _.isEqual. Additionally, the exception raised by the stack overflow must not be caught. This vulnerability is fixed in version 1.13.8. (CVE-2026-27601)
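The advisory's preconditions come down to one thing a caller controls: whether attacker-supplied JSON is allowed to reach a recursive helper with unbounded nesting. The example below is added here and is not Underscore's code or part of the advisory; it shows a pre-parse nesting gate for untrusted JSON text (the "enforced depth limit" the advisory mentions) and, beside it, a minimal recursive flatten written only to stand in for the unbounded-recursion pattern described (it is not _.flatten). The payload shape, the 200000 nesting depth and the depth limit of 32 are constructed values chosen for the demonstration.

```javascript
// Added example for this advisory; not Underscore's own code.
// Part 1: a nesting gate applied to the raw JSON text before JSON.parse.
// Part 2: a stand-in recursive flatten to show the stack-overflow outcome
//         when the gate is missing.

// Scan raw JSON text and return the deepest array/object nesting, ignoring
// brackets inside string literals. Linear time, constant stack: the guard
// itself must not be recursive or it would be the thing that overflows.
function jsonNestingDepth(text) {
  let depth = 0, maxDepth = 0, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (c === '\\') escaped = true;
      else if (c === '"') inString = false;
      continue;
    }
    if (c === '"') inString = true;
    else if (c === '[' || c === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (c === ']' || c === '}') depth--;
  }
  return maxDepth;
}

// Parse untrusted JSON only if its nesting stays within maxDepth.
// Returns { ok: true, value } or { ok: false, reason }.
function parseJsonBounded(text, maxDepth) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    return { ok: false, reason: `nesting depth ${depth} exceeds limit ${maxDepth}` };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, reason: `invalid JSON: ${e.message}` };
  }
}

// Unbounded recursive flatten: a stand-in for the pattern the advisory
// describes, NOT Underscore's _.flatten. One stack frame per nesting level.
function naiveFlatten(arr, out = []) {
  for (const item of arr) {
    if (Array.isArray(item)) naiveFlatten(item, out);
    else out.push(item);
  }
  return out;
}

// Attacker payload as text: n nested arrays and nothing else, which is
// exactly the "solely arrays at every level" shape the advisory names.
function deepArrayText(n) {
  return '['.repeat(n) + ']'.repeat(n);
}

// Returns 'RangeError' if flattening overflows the stack (the uncaught
// exception the advisory refers to), 'ok' if it completes.
function flattenOutcome(value) {
  try {
    naiveFlatten(value);
    return 'ok';
  } catch (e) {
    return e instanceof RangeError ? 'RangeError' : 'other';
  }
}

// Demonstration over constructed inputs.
function demo() {
  const benign = '{"user":"alice","tags":[["a","b"],["c"]],"note":"[not a bracket]"}';
  const hostile = deepArrayText(200000);
  const results = {
    benignDepth: jsonNestingDepth(benign),            // 3: the brackets in the string are ignored
    benignAccepted: parseJsonBounded(benign, 32).ok,   // true
    hostileDepth: jsonNestingDepth(hostile),           // 200000
    hostileAccepted: parseJsonBounded(hostile, 32).ok, // false: rejected before JSON.parse runs
  };
  // Build the same structure in memory without JSON.parse, to show what
  // reaches the recursive helper when no gate is in place.
  let deep = [];
  for (let i = 0; i < 200000; i++) deep = [deep];
  results.unguardedFlatten = flattenOutcome(deep);   // 'RangeError'
  return results;
}

console.log(demo());
```

The gate rejects the payload by inspecting the text, so no deep object is ever materialised; that matters because measuring depth after parsing would itself need an iterative walk, and catching the RangeError after the fact only helps if every call site remembers to. On a patched Underscore (1.13.8 or later) the library-side recursion limit is the backstop; the text-level limit is still the right place to enforce an application-specific bound, and for _.flatten passing a finite depth as the second argument remains the documented per-call control.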
{
"severity": "High"
}