CVE-2026-43870

HIGH

Apache Thrift: Node.js web_server.js multi-vulnerability

Title source: cna

Description

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/05/4

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy

Scores

CVSS v3 7.3

EPSS 0.0003

EPSS Percentile 7.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-113 CWE-22 CWE-346 CWE-400

Status published

Products (3)

apache/thrift < 0.23.0

Apache Software Foundation/Apache Thrift < 0.23.0

npm/thrift 0 - 0.22.0npm

Published May 05, 2026

Tracked Since May 05, 2026