Denial of Service Vulnerability in fzf by junegunn
CVE-2026-53433
5.7 MEDIUM
What is CVE-2026-53433?
fzf has a vulnerability that enables Denial of Service (DoS) attacks due to inefficient handling of the HTTP request body in --listen mode. The flaw arises from repeated string concatenation while the body is being read, which copies the whole accumulated body on every append and therefore costs quadratic time (O(n²)) in the body length. A crafted POST request can exploit this by delivering the body as many small segments, driving CPU usage far above what the body size would justify. Because the HTTP server is single-threaded, that work monopolizes it, blocking all other clients and causing a denial of service. The issue has been addressed in version 0.73.1.
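The advisory describes the weak pattern (string concatenation per segment) and the fix is the usual one (a single growable buffer behind a body-size cap). The following Go program, added here as an example and not taken from fzf's source, puts the two side by side: readBodyQuadratic counts how many bytes the naive approach copies, and readBodyLinear shows the hardened form with a hard limit. The chunkedReader type, the maxBodyBytes constant and ErrBodyTooLarge are constructed for this example and are not fzf identifiers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxBodyBytes is a constructed cap for this example, not an fzf setting.
const maxBodyBytes = 1 << 20

// ErrBodyTooLarge is returned when a body exceeds the configured cap.
var ErrBodyTooLarge = errors.New("request body exceeds limit")

// readBodyQuadratic mimics the inefficient pattern the advisory describes:
// each segment is appended to a Go string, which reallocates and copies the
// whole accumulated body every time. It returns the body and the total
// number of bytes copied, which grows as O(n^2) when segments are small.
func readBodyQuadratic(r io.Reader) (string, int64) {
	body := ""
	var copied int64
	buf := make([]byte, 16)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			copied += int64(len(body) + n) // whole body copied again
			body += string(buf[:n])
		}
		if err != nil { // io.EOF or a read error ends the body
			return body, copied
		}
	}
}

// readBodyLinear is the hardened form: one growable buffer (amortised O(n)
// appends) behind a hard size cap, so neither a long body nor a body split
// into tiny segments can tie up a single-threaded server.
func readBodyLinear(r io.Reader, limit int64) (string, error) {
	var buf bytes.Buffer
	// Read at most limit+1 bytes so an over-limit body is detected
	// without ever buffering more than limit+1 bytes.
	n, err := buf.ReadFrom(io.LimitReader(r, limit+1))
	if err != nil {
		return "", err
	}
	if n > limit {
		return "", ErrBodyTooLarge
	}
	return buf.String(), nil
}

// chunkedReader simulates a client delivering the body in small segments
// (constructed test input for this example).
type chunkedReader struct {
	data  string
	pos   int
	chunk int
}

func (c *chunkedReader) Read(p []byte) (int, error) {
	if c.pos >= len(c.data) {
		return 0, io.EOF
	}
	end := c.pos + c.chunk
	if end > len(c.data) {
		end = len(c.data)
	}
	if end-c.pos > len(p) {
		end = c.pos + len(p)
	}
	n := copy(p, c.data[c.pos:end])
	c.pos = end
	return n, nil
}

func main() {
	for _, size := range []int{1 << 10, 1 << 16} {
		body := strings.Repeat("x", size)
		_, copied := readBodyQuadratic(&chunkedReader{data: body, chunk: 1})
		fmt.Printf("body %6d bytes in 1-byte segments: naive copies %d bytes\n", size, copied)
	}
	_, err := readBodyLinear(&chunkedReader{data: strings.Repeat("y", 2048), chunk: 1}, 1024)
	fmt.Println("over-limit body with cap 1024:", err)
}
```

For a 1 KiB body sent one byte at a time the naive loop copies about 512 KiB in total, and the figure grows with the square of the body length; the buffered version copies each byte only a small constant number of times and rejects anything beyond the cap before it is fully read.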
Affected Version(s)
fzf: all versions from 0 up to, but not including, 0.73.1
CVSS V4
Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)
