Apache Thrift, the cross-language RPC framework originating at Facebook and widely used for high-performance inter-service communication in microservice architectures, has released version 0.23.0 patching two security vulnerabilities. CVE-2026-41604 is an out-of-bounds read in the binary protocol parser that affects all language bindings and can be triggered by any client that can send a Thrift request. CVE-2026-41636 is an uncontrolled recursion vulnerability in the JavaScript/Node.js library that allows remote denial of service through crafted deeply nested structures.
CVE-2026-41604: Out-of-Bounds Read in Binary Protocol Parser
CVSS: 7.5 (HIGH)
The Apache Thrift binary protocol parser, used by default in most Thrift deployments across all language bindings (Java, C++, Python, Go, Ruby, PHP, and others), contains an out-of-bounds read when processing a malformed field length header. When a Thrift binary protocol message specifies a field of a container type (list, set, map) with a size value that exceeds the remaining bytes in the read buffer, the parser reads beyond the allocated buffer rather than returning a protocol error.
The consequences depend on the target language binding and memory allocator:
- C++ and native bindings: heap read past the allocation boundary, leading to a process crash (SIGSEGV) or potential information disclosure from adjacent heap memory
- JVM-based bindings (Java, Kotlin, Scala): BufferUnderflowException leading to a service exception; no memory disclosure, but DoS against the service thread handling the connection
- Go binding: bounds-checked slice access returns an explicit error; the process does not crash, but connection handling fails
- Python and Ruby bindings: similar to the JVM, exception-based DoS without information disclosure
The vulnerability is triggered by any network peer that can send Thrift requests to the service, meaning it is exploitable by external clients if the Thrift service is internet-facing, or by any internal service that can reach the Thrift endpoint in an internal RPC mesh.
CVE-2026-41636: Uncontrolled Recursion in Node.js Library
CVSS: 7.3 (HIGH)
The Apache Thrift JavaScript/Node.js library's deserialisation path for nested Thrift structures, that is, structs containing fields of struct type or container types (list/map/set) whose elements are themselves structs, uses recursive function calls to process each nested level. No depth limit is enforced on this recursion.
A remote attacker can craft a Thrift request containing a deeply nested structure (experimentally, approximately 8,000–12,000 levels on standard Node.js V8 stack configurations) that exhausts the V8 call stack, causing an unhandled RangeError: Maximum call stack size exceeded. In Node.js, this exception terminates the process if it is not caught, or the worker/cluster child process if the application uses the cluster module.
Organisations running Thrift-based Node.js backend services, including those that use Thrift for BFF (backend-for-frontend) layers, API gateway middleware, or Node.js-based sidecar proxies, should treat this as a remote DoS vulnerability that can be triggered without authentication from any client able to send Thrift binary protocol messages.
Affected Versions
Both CVEs affect Apache Thrift versions prior to 0.23.0. No version-specific exemptions apply: all prior releases are affected for CVE-2026-41604 (all language bindings) and CVE-2026-41636 (Node.js binding specifically).
Remediation
Upgrade to Apache Thrift 0.23.0, which:
- Adds bounds validation in the binary protocol parser before container field reads (CVE-2026-41604)
- Implements a configurable recursion depth limit in the Node.js deserialiser, defaulting to 64 levels (CVE-2026-41636)
If immediate upgrade is not feasible:
- CVE-2026-41604: Deploy a network-layer filter or API gateway that validates minimum Thrift message structure before forwarding to backend services. This is operationally complex and upgrade is strongly preferred.
- CVE-2026-41636: Wrap Node.js Thrift server handler calls in try/catch blocks to prevent stack overflow from terminating the process; this reduces impact to connection-level errors rather than process termination, but does not prevent the recursion from consuming stack memory.
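The following Node.js reader is an added example, not Apache Thrift's own code and not the 0.23.0 patch. It shows, on a minimal implementation of the Thrift binary struct encoding, the three defensive measures this advisory describes: a declared container size is validated against the bytes still in the buffer before any element is read (the CVE-2026-41604 fix), nesting depth is capped at a configurable limit defaulting to 64 levels (the CVE-2026-41636 fix), and the handler-level try/catch wrapper turns a malformed message into a connection-level error result rather than an escaping exception (the interim workaround). The type codes are the standard Thrift binary protocol type ids; the ProtocolError class, the BinaryReader and parseStruct names, the MIN_SIZE table and the sample messages are this example's own constructions, and the message header (name, type, sequence id) is assumed to have been consumed before the struct body is read.

```javascript
// Added example (not Apache Thrift's code): a minimal Thrift binary protocol
// struct reader with container bounds validation and a nesting depth cap.
// Type codes are the standard Thrift binary protocol type ids.
const T = { STOP: 0, BOOL: 2, BYTE: 3, DOUBLE: 4, I16: 6, I32: 8, I64: 10,
            STRING: 11, STRUCT: 12, MAP: 13, SET: 14, LIST: 15 };

// Smallest possible wire size of one value of each type (keyed by type id).
// A container that claims n elements needs at least n * MIN_SIZE bytes.
const MIN_SIZE = { 2: 1, 3: 1, 4: 8, 6: 2, 8: 4, 10: 8, 11: 4, 12: 1, 13: 6, 14: 5, 15: 5 };

class ProtocolError extends Error {}

class BinaryReader {
  constructor(buf, { maxDepth = 64 } = {}) {       // 64 matches the advisory's default
    this.buf = buf; this.pos = 0; this.maxDepth = maxDepth; this.depth = 0;
  }
  remaining() { return this.buf.length - this.pos; }
  // Every read goes through need(): the buffer is never accessed past its end.
  need(n) {
    if (n < 0 || n > this.remaining()) throw new ProtocolError(`need ${n} bytes, ${this.remaining()} left`);
  }
  readByte()   { this.need(1); return this.buf.readInt8(this.pos++); }
  readI16()    { this.need(2); const v = this.buf.readInt16BE(this.pos); this.pos += 2; return v; }
  readI32()    { this.need(4); const v = this.buf.readInt32BE(this.pos); this.pos += 4; return v; }
  readI64()    { this.need(8); const v = this.buf.readBigInt64BE(this.pos); this.pos += 8; return v; }
  readDouble() { this.need(8); const v = this.buf.readDoubleBE(this.pos); this.pos += 8; return v; }
  readString() {
    const len = this.readI32();
    this.need(len); // a length larger than what is left is rejected, not read past
    const s = this.buf.toString('utf8', this.pos, this.pos + len); this.pos += len; return s;
  }
  // Bounds validation before a container is read: the declared size must fit
  // in the remaining bytes even if every element were as small as possible.
  checkContainer(size, ...elemTypes) {
    let minElem = 0;
    for (const t of elemTypes) {
      if (!(t in MIN_SIZE)) throw new ProtocolError(`unknown element type ${t}`);
      minElem += MIN_SIZE[t];
    }
    if (size < 0 || size * minElem > this.remaining()) {
      throw new ProtocolError(`container of ${size} elements cannot fit in ${this.remaining()} bytes`);
    }
  }
  // Recursion depth limit: every nested struct or container costs one level.
  descend(fn) {
    if (++this.depth > this.maxDepth) throw new ProtocolError(`nesting deeper than ${this.maxDepth}`);
    try { return fn(); } finally { this.depth--; }
  }
  readValue(type) {
    switch (type) {
      case T.BOOL:   return this.readByte() !== 0;
      case T.BYTE:   return this.readByte();
      case T.DOUBLE: return this.readDouble();
      case T.I16:    return this.readI16();
      case T.I32:    return this.readI32();
      case T.I64:    return this.readI64();
      case T.STRING: return this.readString();
      case T.STRUCT: return this.readStruct();
      case T.LIST: case T.SET: {
        const et = this.readByte(), n = this.readI32();
        this.checkContainer(n, et);
        return this.descend(() => Array.from({ length: n }, () => this.readValue(et)));
      }
      case T.MAP: {
        const kt = this.readByte(), vt = this.readByte(), n = this.readI32();
        this.checkContainer(n, kt, vt);
        return this.descend(() => {
          const m = new Map();
          for (let i = 0; i < n; i++) m.set(this.readValue(kt), this.readValue(vt));
          return m;
        });
      }
      default: throw new ProtocolError(`unknown type ${type}`);
    }
  }
  // A struct is a sequence of (type, id, value) fields terminated by T_STOP.
  readStruct() {
    return this.descend(() => {
      const fields = {};
      for (;;) {
        const ftype = this.readByte();
        if (ftype === T.STOP) return fields;
        const fid = this.readI16();
        fields[fid] = this.readValue(ftype);
      }
    });
  }
}

// Handler-level wrapper in the spirit of the interim workaround: a malformed or
// over-deep message becomes an error result instead of an exception that
// escapes the handler and terminates the worker process.
function parseStruct(buf, opts) {
  try {
    return { ok: true, value: new BinaryReader(buf, opts).readStruct() };
  } catch (err) {
    if (err instanceof ProtocolError || err instanceof RangeError) return { ok: false, error: err };
    throw err;
  }
}

// Constructed sample messages (not captured traffic).
// Well-formed: field 1 = list<i32> [7, 9], field 2 = string "hi".
const SAMPLE_VALID = Buffer.from([15, 0, 1, 8, 0, 0, 0, 2, 0, 0, 0, 7, 0, 0, 0, 9,
                                  11, 0, 2, 0, 0, 0, 2, 0x68, 0x69, 0]);
// Malformed: field 1 declares a list of 1,000,000 i32 but only 5 bytes follow.
const SAMPLE_OVERSIZED_LIST = Buffer.from([15, 0, 1, 8, 0x00, 0x0f, 0x42, 0x40, 0, 0, 0, 7, 0]);
// Test fixture: d structs nested through field 1, each ended by its own T_STOP.
function nestedStructs(d) {
  return Buffer.concat([Buffer.from(Array(d).fill([12, 0, 1]).flat()), Buffer.alloc(d + 1)]);
}

console.log(parseStruct(SAMPLE_VALID), parseStruct(SAMPLE_OVERSIZED_LIST).error.message,
            parseStruct(nestedStructs(100)).error.message);
```

The oversized list is rejected from its header alone, before a single element is read, which is the property the C++ binding lacked; the depth cap makes the cost of a nested message proportional to the limit rather than to whatever the peer sends, so the V8 stack is never the thing that fails.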
Enterprise Context
Apache Thrift is widely deployed in the internal RPC layer of organisations that adopted microservices architectures during the 2015–2020 period, particularly in financial services, media streaming, and e-commerce platforms. Unlike REST and gRPC, which have seen significant security tooling attention, Thrift's binary protocol often sits in internal network segments with less input validation scrutiny. Organisations should audit their Thrift service deployments, confirm which language bindings are in use, and prioritise the 0.23.0 upgrade for any services accessible from less-trusted network segments or from external clients.