Resource exhaustion in Boazsegev Facil.io
CVE-2026-41146
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.001 (19.1th percentile)
Affected products
- Boazsegev Facil.io — versions < 5128747363055201d3ecf0e29bf0a961703c9fa0
- Boazsegev Iodine — versions < 0.7.59
Weakness classification (CWE)
References
- https://github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm (x_refsource_CONFIRM)
- https://github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0 (x_refsource_MISC)