← Back
2026-05-12 19:20CVE-2026-42355GitHub_M
PUBLISHED5.2CWE-674

NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

Problem type

Affected products

M2Team

NanaZip

>= 5.0.1250.0, < 6.0.1698.0 - AFFECTED

References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf

https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf

x_refsource_CONFIRM

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-42355
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-42355",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T19:20:35.273Z",
    "dateReserved": "2026-04-26T13:26:14.516Z",
    "datePublished": "2026-05-12T19:20:35.273Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T19:20:35.273Z"
      },
      "title": "NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion",
      "descriptions": [
        {
          "lang": "en",
          "value": "NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0."
        }
      ],
      "affected": [
        {
          "vendor": "M2Team",
          "product": "NanaZip",
          "versions": [
            {
              "version": ">= 5.0.1250.0, < 6.0.1698.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-674: Uncontrolled Recursion",
              "cweId": "CWE-674",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf",
          "name": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW",
            "baseScore": 3.3,
            "baseSeverity": "LOW"
          }
        }
      ]
    }
  }
}