🔐 CVE Alert

CVE-2026-53433

UNKNOWN 0.0

Denial of Service in fzf

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

fzf is vulnerable to a Denial of Service (DoS) in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling. This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.
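
The cost pattern described above, as an added Go sketch that is not fzf's own code: `readConcat` accumulates a segmented body with `+=` and counts the bytes recopied, while `readBounded` appends in linear time under a size cap. The helper names, the one-byte segmenting and the limit value are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
	"testing/iotest"
)

var errTooLarge = errors.New("request body exceeds limit")

// segmented returns a constructed n-byte body delivered one byte per Read.
func segmented(n int) io.Reader {
	return iotest.OneByteReader(strings.NewReader(strings.Repeat("a", n)))
}

// readConcat is the quadratic pattern: each += recopies the whole body; copied counts it.
func readConcat(r io.Reader) (body string, copied int, err error) {
	buf := make([]byte, 4096)
	for n := 0; err == nil; {
		if n, err = r.Read(buf); n > 0 {
			body += string(buf[:n]) // new allocation of len(body) bytes
			copied += len(body)
		}
	}
	if err == io.EOF {
		err = nil
	}
	return body, copied, err
}

// readBounded: linear-time append plus a size cap (limit is an assumed value, not fzf's).
func readBounded(r io.Reader, limit int64) (string, error) {
	var sb strings.Builder
	if n, err := io.Copy(&sb, io.LimitReader(r, limit+1)); err != nil {
		return "", err
	} else if n > limit {
		return "", errTooLarge
	}
	return sb.String(), nil
}

func main() {
	for _, n := range []int{1000, 2000, 4000} {
		_, copied, _ := readConcat(segmented(n))
		fmt.Println("segments:", n, "bytes copied by +=:", copied)
	}
}
```

Doubling the number of segments roughly quadruples the bytes copied by `readConcat`, which is the O(n²) behaviour the advisory names; `readBounded` does work proportional to the body size and stops reading once the cap is passed.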

CWE: CWE-407
Vendor: fzf
Product: fzf
Published: Jun 30, 2026
Last Updated: Jun 30, 2026

Affected Versions

fzf / fzf
0 < 0.73.1

References

cert.pl: https://cert.pl/en/posts/2026/06/CVE-2026-53432
github.com: https://github.com/junegunn/fzf
github.com: https://github.com/junegunn/fzf/commit/7963a2c6586c0b9eaa89b8995de8f0e08cf8a4ce

Credits

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)