Apache Thrift security advisories
Security information for Apache Thrift
Reporting
Do you want disclose a potential security issue for Apache Thrift? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Node.js web_server.js multi-vulnerability
CVE-2026-43870 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-05T07:45:34.804Z
Affected
- Apache Thrift before 0.23.0
Description
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
TSSLTransportFactory.java hostname verification
CVE-2026-43869 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-05T07:25:46.713Z
Affected
- Apache Thrift before 0.23.0
Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Rust implementation vulnerable to CVE-2020-13949 pattern
CVE-2026-43868 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-05T07:49:46.378Z
Affected
- Apache Thrift before 0.23.0
Description
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Node.js skip() recursion
CVE-2026-41636 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-18T16:56:58.433Z
Affected
- Apache Thrift before 0.23.0
Description
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Sion Park (L3G4CY Security Research) (finder)
- Yu Bao – yubao@paypal.com (finder)
C++ JSON OOB read
CVE-2026-41607 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:21:46.727Z
Affected
- Apache Thrift before 0.23.0
Description
Out-of-bounds Read vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Hasnain Lakhani (finder)
c_glib dispatch stack overflow
CVE-2026-41606 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:21:09.783Z
Affected
- Apache Thrift before 0.23.0
Description
Uncontrolled Recursion vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Hasnain Lakhani (finder)
Swift Compact Protocol integer overflow
CVE-2026-41605 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:20:43.166Z
Affected
- Apache Thrift before 0.23.0
Description
Integer Overflow or Wraparound vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Hasnain Lakhani (finder)
Swift Range crash in skip()
CVE-2026-41604 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:20:12.306Z
Affected
- Apache Thrift before 0.23.0
Description
Out-of-bounds Read vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Hasnain Lakhani (finder)
Java TSSLTransportFactory hostname verification
CVE-2026-41603 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-18T16:57:00.465Z
Affected
- Apache Thrift before 0.23.0
Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- Yu Bao – yubao@paypal.com (finder)
- (finder)
Go TFramedTransport uint32 overflow
CVE-2026-41602 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:19:05.731Z
Affected
- Apache Thrift before 0.23.0
Description
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
References
Credits
- 김범수 (finder)
Specially crafted input can crash a c_glib Thrift server with invalid pointer error.
CVE-2025-48431 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-28T09:11:42.895Z
Affected
- Apache Thrift before 0.23.0
Description
Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Description: Specially crafted requests can crash an c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
References
Credits
- Hasnain Lakhani (finder)
- Hasnain Lakhani (remediation developer)