{"id":"OESA-2026-1580","summary":"nodejs-underscore security update","details":"Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.\r\n\r\nSecurity Fix(es):\n\nUnderscore.js is a utility-belt library for JavaScript. Prior to version 1.13.8, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, an attacker could exploit this to cause a Denial of Service (DoS) attack by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to create a deeply recursive data structure (e.g., via `JSON.parse` with no enforced depth limit), and this structure must be passed to `_.flatten` or `_.isEqual`. For `_.flatten`, the attacker must be able to prepare a data structure consisting solely of arrays at all levels, and no finite depth limit must be passed as the second argument to `_.flatten`. For `_.isEqual`, there must exist a code path where two distinct but structurally equivalent data structures, submitted by the same remote client, are compared using `_.isEqual`. Additionally, exceptions resulting from the stack overflow must not be caught.\nThis vulnerability is fixed in version 1.13.8. (CVE-2026-27601)","modified":"2026-03-15T06:18:59.139809Z","published":"2026-03-15T05:55:36Z","upstream":["CVE-2026-27601"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1580"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27601"}],"affected":[{"package":{"name":"nodejs-underscore","ecosystem":"openEuler:24.03-LTS","purl":"pkg:rpm/openEuler/nodejs-underscore&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.13.8-1.oe2403"}]}],"ecosystem_specific":{"src":["nodejs-underscore-1.13.8-1.oe2403.src.rpm"],"noarch":["js-underscore-1.13.8-1.oe2403.noarch.rpm","nodejs-underscore-1.13.8-1.oe2403.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2026-1580.json"}}],"schema_version":"1.7.5"}