{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41146", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.739Z", "datePublished": "2026-04-22T01:07:28.660Z", "dateUpdated": "2026-04-22T01:07:28.660Z"}, "containers": {"cna": {"title": "facil.io and downstream iodine ruby gem vulnerable to uncontrolled resource consumption and loop with unreachable exit condition", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-835", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm"}, {"name": "https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0", "tags": ["x_refsource_MISC"], "url": "https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0"}], "affected": [{"vendor": "boazsegev", "product": "facil.io", "versions": [{"version": "< 5128747363055201d3ecf0e29bf0a961703c9fa0", "status": "affected"}]}, {"vendor": "boazsegev", "product": "iodine", "versions": [{"version": "< 0.7.59", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T01:07:28.660Z"}, "descriptions": [{"lang": "en", "value": "facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[\"\"i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue."}], "source": {"advisory": "GHSA-2x79-gwq3-vxxm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[\"\"i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue."}], "id": "CVE-2026-41146", "lastModified": "2026-04-22T02:16:02.237", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T02:16:02.237", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0"}, {"source": "security-advisories@github.com", "url": "https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:23:13.702087+00:00", "value": {"mitigation_remediation": ["Upgrade facil.io to a version containing commit\u202f5128747363055201d3ecf0e29bf0a961703c9fa0 or later.", "Upgrade the iodine gem to a patched release that incorporates the same fix.", "If an upgrade cannot be performed immediately, isolate or disable the JSON parsing functionality for untrusted input, or replace it with a safer parser that validates the structure before consuming resources."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Both the facil.io C micro\u2011framework and the iodine Ruby gem share the same parsing logic. Any installation of facil.io or iodine that predates commit\u202f5128747363055201d3ecf0e29bf0a961703c9fa0 is vulnerable. The issue manifests for any JSON payload that includes a nested value starting with 'i' or 'I', the smallest reproducer being `[i`. This affects all deployments that accept attacker\u2011controlled JSON input through facil.io or iodine.", "description_and_impact": "The vulnerability resides in facil.io\u2019s `fio_json_parse` function. When it encounters a nested JSON value that begins with the letter 'i' or 'I', the parser falls into an infinite loop. This unbounded loop consumes CPU resources, pegging a core at 100\u202f% and preventing the process from returning a parse error. The effect is an uncontrolled resource consumption that results in denial of service. The flaw maps to CWE\u2011400 and CWE\u2011835.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity vulnerability. Exploitation requires the attacker to send a crafted JSON request to an application that uses the vulnerable parser, a condition that is likely met in publicly accessible services. The lack of an EPSS score and absence from the KEV catalog do not diminish the risk; the bug is reproducible and surfaces as an immediate denial of service once the payload reaches the parser. Attackers could cause CPU exhaustion with zero privileged access, making the vulnerability highly actionable."}}}}, "created": "2026-04-22T04:30:05.301303+00:00", "updated": "2026-04-22T04:30:05.301316+00:00", "vendors": []}