CVE-2026-53433 MEDIUM

CVE-2026-53433: Denial of Service in fzf

Vendor Fzf
Product fzf
Weakness CWE-407
Published June 30, 2026
Last update June 30, 2026

CVSS base score

5.7/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
June 30, 2026 Record updated