Uncontrolled Recursion Vulnerability in NanaZip Open Source File Archive
CVE-2026-42355

3.3LOW

Key Information:

Vendor: M2team
Status: Nanazip
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42355?

NanaZip, an open-source file archive tool, is susceptible to an uncontrolled recursion vulnerability within its Electron Archive (ASAR) parser. This issue is triggered when a specially crafted .asar file containing deeply nested JSON headers is opened. The recursive calls within the nlohmann::json::parse and the GetAllPaths function can lead to exhaustion of the thread stack, ultimately causing the NanaZip process to crash. Users are recommended to upgrade to version 6.0.1698.0 or later for protection against this vulnerability.

Affected Version(s)

NanaZip >= 5.0.1250.0, < 6.0.1698.0

References

https://github.com/M2Team/NanaZip/security/advisories/GHS...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42355 Data

JSON

M2team

What is CVE-2026-42355?

Affected Version(s)

References

CVSS V3.1

Timeline