Uncontrolled Recursion Affecting underscore package, versions <1.13.8
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-UNDERSCORE-15369786
- published3 Mar 2026
- disclosed3 Mar 2026
- creditByambadalai Sumiya
Introduced: 3 Mar 2026
NewCVE-2026-27601 (opens in a new tab)How to fix?
Upgrade underscore to version 1.13.8 or higher.
Overview
underscore is a JavaScript's functional programming helper library.
Affected versions of this package are vulnerable to Uncontrolled Recursion through the _.flatten() or _.isEqual() functions that are used without a depth limit. An attacker can cause the application to crash or become unresponsive by supplying deeply nested data structures as input, leading to stack exhaustion.
Workaround
This vulnerability can be mitigated by enforcing a depth limit on data structures created from untrusted input (e.g., limiting nesting to 1000 levels or fewer), or by passing a finite depth limit as the second argument to the _.flatten() function.