CVE Alert

CVE-2026-41146

Severity: UNKNOWN (0.0)

facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
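The advisory describes the failure pattern (a value handler that is reached for an unexpected leading byte and never advances or errors, so the outer parse loop spins) but not the fix. As an added example, not facil.io's or iodine's code, the tiny array scanner below mirrors the lenient behaviour the advisory mentions (missing commas are tolerated, values are dispatched on their first byte) and shows the defensive invariant that prevents CWE-835 here: every value handler must either consume at least one byte or return an error, and the loop checks that before continuing. How facil.io's handler actually failed to advance is an assumption for this illustration; only the symptom and the reproducers `[i` and `[""i` come from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative code, not facil.io's parser. Status codes for the scanner. */
typedef enum { JP_OK = 0, JP_ERR_SYNTAX = -1, JP_ERR_NO_PROGRESS = -2 } jp_status;

static int is_num_char(char c) {
    return isdigit((unsigned char)c) || c == '.' || c == 'e' || c == 'E' ||
           c == '+' || c == '-';
}

/* Scan one scalar JSON value starting at s. Returns the number of bytes it
 * occupies, or 0 when the byte at s does not start a value we recognise
 * (including 'i'/'I', which no JSON scalar begins with). Returning 0 rather
 * than silently "continuing" is what lets the caller detect non-progress. */
static size_t scan_scalar(const char *s, const char *end) {
    const char *p = s;
    if (p >= end) return 0;
    switch (*p) {
    case '"':
        for (++p; p < end && *p != '"'; ++p)
            if (*p == '\\' && p + 1 < end) ++p;   /* skip escaped byte */
        if (p >= end) return 0;                   /* unterminated string */
        return (size_t)(p + 1 - s);
    case 't': return (end - s >= 4 && !memcmp(s, "true", 4)) ? 4 : 0;
    case 'f': return (end - s >= 5 && !memcmp(s, "false", 5)) ? 5 : 0;
    case 'n': return (end - s >= 4 && !memcmp(s, "null", 4)) ? 4 : 0;
    default:
        if (*p == '-' || isdigit((unsigned char)*p)) {
            ++p;
            while (p < end && is_num_char(*p)) ++p;
            return (size_t)(p - s);
        }
        /* Unknown leading byte (e.g. 'i' from "[i" or "[\"\"i"): a lenient
         * parser that looped back here without advancing would hang. */
        return 0;
    }
}

/* Parse "[ v v, v ... ]" with commas optional, as in the lenient parser the
 * advisory describes. On success returns JP_OK and stores the element count;
 * on malformed input returns a negative status instead of spinning. */
jp_status parse_array(const char *buf, size_t len, size_t *count) {
    const char *p = buf, *end = buf + len;
    *count = 0;
    while (p < end && isspace((unsigned char)*p)) ++p;
    if (p >= end || *p != '[') return JP_ERR_SYNTAX;
    ++p;
    for (;;) {
        while (p < end && (isspace((unsigned char)*p) || *p == ',')) ++p;
        if (p >= end) return JP_ERR_SYNTAX;        /* missing closing ']' */
        if (*p == ']') return JP_OK;
        size_t n = scan_scalar(p, end);
        if (n == 0) return JP_ERR_NO_PROGRESS;     /* progress invariant */
        p += n;                                    /* guaranteed to advance */
        ++*count;
    }
}

/* Convenience wrapper for NUL-terminated input: element count (>= 0) on
 * success, or the negative jp_status on failure. */
int json_array_len(const char *s) {
    size_t count = 0;
    jp_status st = parse_array(s, strlen(s), &count);
    return st == JP_OK ? (int)count : (int)st;
}

int main(void) {
    /* Constructed inputs: the two reproducers from the advisory and valid data. */
    const char *inputs[] = { "[i", "[\"\"i", "[1,\"a\",true]", "[1 2]", "[1" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; ++i)
        printf("%-16s -> %d\n", inputs[i], json_array_len(inputs[i]));
    return 0;
}
```

The point to take from the hardened loop is the single line `if (n == 0) return JP_ERR_NO_PROGRESS;`: any parser whose main loop re-dispatches on the current byte needs an explicit guarantee that each iteration either moves the cursor forward or terminates, otherwise one unexpected byte in attacker-controlled input is enough to pin a core.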

CWE: CWE-400, CWE-835
Vendor: boazsegev
Product: facil.io
Published: Apr 22, 2026

Affected Versions

boazsegev / facil.io: versions before commit 5128747363055201d3ecf0e29bf0a961703c9fa0
boazsegev / iodine: < 0.7.59

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm
Fix commit: https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0