{"id":"GHSA-526f-jxpj-jmg2","summary":"Apache Thrift vulnerable to Path Traversal, HTTP Request/Response Splitting, Uncontrolled Resource Consumption","details":"Apache Thrift is affected by several weaknesses: Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), and Uncontrolled Resource Consumption.\n\nThese issues affect Apache Thrift versions before 0.23.0.\n\nUsers are advised to upgrade to version [0.23.0](https://github.com/apache/thrift/releases/tag/v0.23.0), which fixes these issues.","aliases":["BIT-thrift-2026-43870","CVE-2026-43870"],"modified":"2026-05-10T04:44:27.659602159Z","published":"2026-05-05T09:31:55Z","related":["CGA-7x3g-pvgv-84c9"],"database_specific":{"nvd_published_at":"2026-05-05T09:16:04Z","github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2026-05-08T19:24:08Z","cwe_ids":["CWE-22"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43870"},{"type":"WEB","url":"https://github.com/apache/thrift/commit/80184ddca4d4f60ac657bd82b2abc47269814f79"},{"type":"PACKAGE","url":"https://github.com/apache/thrift"},{"type":"WEB","url":"https://github.com/apache/thrift/releases/tag/v0.23.0"},{"type":"WEB","url":"https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/05/4"}],"affected":[{"package":{"name":"thrift","ecosystem":"npm","purl":"pkg:npm/thrift"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"0.22.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-526f-jxpj-jmg2/GHSA-526f-jxpj-jmg2.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}