CVE-2026-42355

3.3 LOW

NanaZip is an open source file archive

Published: 2026-05-12 · Last updated: 2026-05-18

Severity and scoring

CVSS: 3.3 LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-674

Affected products

Vendor	Product
m2team	nanazip

Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42355
[Vendor advisory]https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf

Related CVEs

Same vendor

CVE-2026-42444 — NanaZip is an open source file archive (3.3 LOW)
CVE-2026-42443 — NanaZip is an open source file archive (3.3 LOW)
CVE-2026-42442 — NanaZip is an open source file archive (3.3 LOW)

Same CWE

CVE-2026-48734 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-46557 — ImageMagick is free and open-source software used for editing and manipulating digital images (6.2 MEDIUM)
CVE-2026-46689 — Kanidm is an identity management platform
CVE-2026-45664 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
CVE-2026-9740 — A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a special... (7.5 HIGH)