CVE-2026-39376

HIGH

FastFeedParser has an infinite redirect loop DoS via meta-refresh chain

Title source: cna

Description

FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack and crashing the process. This vulnerability can also be chained with the companion SSRF issue to reach internal network targets after bypassing the initial URL check. This vulnerability is fixed in 0.5.10.

Exploits (1)

nomisec WRITEUP

by redyank · poc

https://github.com/redyank/CVE-2026-39376

View Code ZIP pw:eip

References (1)

[X_Refsource_Confirm] https://github.com/kagisearch/fastfeedparser/security/advisories/GHSA-4gx2-pc4f-wq37

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-674

Status published

Products (3)

kagi/fastfeedparser < 0.5.10

kagisearch/fastfeedparser < 0.5.10

pypi/fastfeedparser 0 - 0.5.10PyPI

Published Apr 07, 2026

Tracked Since Apr 08, 2026