CVE-2025-50537

MEDIUM

eslint <9.26.0 - Buffer Overflow

Title source: llm

Description

Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

References (2)

[Third Party Advisory] https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/eslint/eslint/issues/19646

Scores

CVSS v3 5.5

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-674

Status published

Products (2)

npm/eslint 0 - 9.26.0npm

openjsf/eslint < 9.26.0

Published Jan 26, 2026

Tracked Since Feb 18, 2026