Apache Thrift security advisories

Security information for Apache Thrift

Reporting

Do you want disclose a potential security issue for Apache Thrift? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Node.js web_server.js multi-vulnerability

CVE-2026-43870 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-05T07:45:34.804Z

Affected

  • Apache Thrift before 0.23.0

Description

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

TSSLTransportFactory.java hostname verification

CVE-2026-43869 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-05T07:25:46.713Z

Affected

  • Apache Thrift before 0.23.0

Description

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Rust implementation vulnerable to CVE-2020-13949 pattern

CVE-2026-43868 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-05T07:49:46.378Z

Affected

  • Apache Thrift before 0.23.0

Description

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Node.js skip() recursion

CVE-2026-41636 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-18T16:56:58.433Z

Affected

  • Apache Thrift before 0.23.0

Description

Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • Sion Park (L3G4CY Security Research) (finder)
  • Yu Bao – yubao@paypal.com (finder)

C++ JSON OOB read

CVE-2026-41607 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:21:46.727Z

Affected

  • Apache Thrift before 0.23.0

Description

Out-of-bounds Read vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • Hasnain Lakhani (finder)

c_glib dispatch stack overflow

CVE-2026-41606 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:21:09.783Z

Affected

  • Apache Thrift before 0.23.0

Description

Uncontrolled Recursion vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • Hasnain Lakhani (finder)

Swift Compact Protocol integer overflow

CVE-2026-41605 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:20:43.166Z

Affected

  • Apache Thrift before 0.23.0

Description

Integer Overflow or Wraparound vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • Hasnain Lakhani (finder)

Swift Range crash in skip()

CVE-2026-41604 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:20:12.306Z

Affected

  • Apache Thrift before 0.23.0

Description

Out-of-bounds Read vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • Hasnain Lakhani (finder)

Java TSSLTransportFactory hostname verification

CVE-2026-41603 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-18T16:57:00.465Z

Affected

  • Apache Thrift before 0.23.0

Description

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

Go TFramedTransport uint32 overflow

CVE-2026-41602 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:19:05.731Z

Affected

  • Apache Thrift before 0.23.0

Description

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References

Credits

  • 김범수 (finder)

Specially crafted input can crash a c_glib Thrift server with invalid pointer error.

CVE-2025-48431 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-28T09:11:42.895Z

Affected

  • Apache Thrift before 0.23.0

Description

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.

References

Credits

  • Hasnain Lakhani (finder)
  • Hasnain Lakhani (remediation developer)