{"schema_version":"1.7.2","id":"OESA-2026-1579","modified":"2026-03-15T05:55:34Z","published":"2026-03-15T05:55:34Z","upstream":["CVE-2026-27601"],"summary":"nodejs-underscore security update","details":"Underscore.js is a utility-belt library for JavaScript that provides support for the usual functional suspects (each, map, reduce, filter...) without extending any core JavaScript objects.\r\n\r\nSecurity Fix(es):\n\nUnderscore.js is a utility-belt library for JavaScript. Prior to version 1.13.8, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, an attacker could exploit this to cause a Denial of Service (DoS) attack by triggering a stack overflow. Exploitation requires all of the following: untrusted input must be used to create a deeply recursive data structure (e.g., via `JSON.parse` with no enforced depth limit), and this structure must be passed to `_.flatten` or `_.isEqual`. For `_.flatten`, the attacker must be able to prepare a data structure consisting solely of arrays at all levels, and no finite depth limit must be passed as the second argument to `_.flatten`. For `_.isEqual`, there must exist a code path where two distinct but structurally equivalent data structures, submitted by the same remote client, are compared using `_.isEqual`. Additionally, exceptions resulting from the stack overflow must not be caught.\nThis vulnerability is fixed in version 1.13.8. (CVE-2026-27601)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"nodejs-underscore","purl":"pkg:rpm/openEuler/nodejs-underscore&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.13.8-1.oe2403sp3"}]}],"ecosystem_specific":{"noarch":["js-underscore-1.13.8-1.oe2403sp3.noarch.rpm","nodejs-underscore-1.13.8-1.oe2403sp3.noarch.rpm"],"src":["nodejs-underscore-1.13.8-1.oe2403sp3.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1579"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27601"}],"database_specific":{"severity":"High"}}
