CVE-2025-50537

NameCVE-2025-50537
DescriptionStack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
eslint (PTS)bullseye5.16.0~dfsg+~4.16.8-5undetermined
bookworm6.4.0~dfsg+~6.1.9-7undetermined
forky, sid, trixie6.4.0~dfsg+~6.1.9-12undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
eslintsource(unstable)undetermined

Notes

https://github.com/eslint/eslint/issues/19646
check details
Search for package or bug name: Reporting problems