Lucene search: ApacheThrift
18 matches found

CVE-2020-13949
Added 2021/02/12 7:39 p.m., 595 views

CVE-2020-13949 affects Apache Thrift versions 0.9.3 through 0.13.0. The issue: malicious RPC clients can send short messages that trigger extremely large memory allocations, leading to a denial of service. The connected advisories confirm a remote DoS risk in Thrift with impact on servers handlin...

CVSS 7.5, AI score 7.1, EPSS 0.00968

CVE-2019-0205
Added 2019/10/28 10:32 p.m., 424 views

CVE-2019-0205 affects Apache Thrift up to version 0.12.0, where a server or client may enter an endless loop when fed specific input data. The issue was partially fixed in 0.11.0, and depending on the language binding, only certain bindings are impacted. Exploitation details are not provided in t...

CVSS 7.8, AI score 7.3, EPSS 0.00698

CVE-2018-11798
Added 2019/01/07 6:00 p.m., 383 views

The CVE-2018-11798 entry concerns the Apache Thrift Node.js static web server (versions 0.9.2–0.11.0), where a remote attacker can access files outside the webroot (docroot). Connected sources also reference CVE-2018-1320, the Thrift TSaslTransport SASL handshake validation issue. NVD metrics cite a b...

CVSS 6.5, AI score 6.6, EPSS 0.00402

CVE-2018-1320
Added 2019/01/07 6:00 p.m., 358 views

CVE-2018-1320 affects the Apache Thrift Java client library, versions 0.5.0–0.11.0. The issue stems from an assert in TSaslTransport.isComplete that validates SASL handshakes; disabling this check can leave SASL negotiation validation incomplete, enabling a security bypass. Multiple connected sources...

CVSS 7.5, AI score 7.3, EPSS 0.00092

CVE-2019-0210
Added 2019/10/28 10:22 p.m., 165 views

Apache Thrift in versions 0.9.3–0.12.0 has an out-of-bounds read in a Go server using TJSONProtocol/TSimpleJSONProtocol that may panic on invalid input data (CVE-2019-0210). Mitigation is to upgrade to a newer Thrift version; Gentoo GLSA 202107-32 recommends >= thrift-0.14.1. Other advisories cor...

CVSS 7.5, AI score 7.3, EPSS 0.01194

CVE-2015-3254
Added 2017/06/16 10:00 p.m., 67 views

Apache Thrift client libraries before 0.9.3 are affected by CVE-2015-3254, which could allow a remote authenticated user to trigger a denial of service via infinite recursion in the skip function. Impact is a partial denial of service (availability affected) with network access and no confidentia...

CVSS 6.5, AI score 6, EPSS 0.07403

CVE-2016-5397
Added 2018/02/12 5:00 p.m., 63 views

CVE-2016-5397 affects the Apache Thrift Go client library. The vulnerability arises at code-generation time, where an external formatting tool could allow a remote attacker to execute arbitrary commands, as described for Apache Thrift 0.9.3 and older. The issue is exploitable via Go c...

CVSS 9, AI score 8.8, EPSS 0.22566

CVE-2026-41602
Added 2026/04/28 9:19 a.m., 19 views

CVE-2026-41602: Integer Overflow or Wraparound in Apache Thrift Go TFramedTransport (uint32 overflow) affecting Thrift before 0.23.0. Affected component: Apache Thrift’s Go TFramedTransport implementation. Root cause: uint32 overflow/wraparound in framing transport handling. Impact: potential ove...

CVSS 7.5, AI score 5.2, EPSS 0.00073

CVE-2026-43868
Added 2026/05/05 7:49 a.m., 18 views

CVE-2026-43868 affects Apache Thrift prior to 0.23.0, where a memory-allocation vulnerability is triggered by excessive size values in RPC messages, potentially enabling a denial of service. The issue is mitigated by upgrading to Thrift 0.23.0 or later. The provided sources confirm the affected v...

CVSS 5.3, AI score 6.7, EPSS 0.00281

CVE-2026-41606
Added 2026/04/28 9:21 a.m., 16 views

CVE-2026-41606 describes an Uncontrolled Recursion vulnerability in Apache Thrift affecting versions prior to 0.23.0. The issue is triggered in the Thrift stack (specific component/file not disclosed in the provided documents) and can be remedied by upgrading to 0.23.0 or later. The available so...

CVSS 5.3, AI score 5.2, EPSS 0.00073

CVE-2026-41636
Added 2026/04/28 9:22 a.m., 14 views

CVE-2026-41636 describes an Uncontrolled Recursion vulnerability in the Apache Thrift Node.js bindings. Affected software is Apache Thrift versions prior to 0.23.0. The issue is mitigated by upgrading to Thrift 0.23.0, which fixes the problem. The available documents do not specify exact affected...

CVSS 8.7, AI score 5.2, EPSS 0.00255

CVE-2026-43869
Added 2026/05/05 7:25 a.m., 11 views

The CVE-2026-43869 issue is an Improper Validation of Certificate with Host Mismatch in Apache Thrift, arising from hostname verification in TSSLTransportFactory.java. Affected software: Apache Thrift before 0.23.0. Consequence: potential trust/bypass risks due to invalid host certificate checks....

CVSS 7.3, AI score 5.8, EPSS 0.00045

CVE-2026-43870
Added 2026/05/05 7:45 a.m., 11 views

Apache Thrift (before 0.23.0) contains multiple issues: Origin Validation Error, Path Traversal (improper limitation of a pathname to a restricted directory), HTTP header CRLF-related splitting, and uncontrolled resource consumption. Upgrade to 0.23.0 to fix. Exploitation status is not provided i...

CVSS 7.3, AI score 5.8, EPSS 0.00034

CVE-2026-41603
Added 2026/04/28 9:19 a.m., 10 views

CVE-2026-41603: This vulnerability is in Apache Thrift, specifically improper validation of a certificate when the host name mismatches during TLS. It affects Apache Thrift versions before 0.23.0. The recommended fix is to upgrade to version 0.23.0, which resolves the issue. The available sou...

CVSS 7.4, AI score 5.2, EPSS 0.00028

CVE-2026-41604
Added 2026/04/28 9:20 a.m., 10 views

The CVE-2026-41604 entry concerns an Out-of-bounds Read vulnerability in Apache Thrift, affecting versions prior to 0.23.0. The vulnerability is characterized by its impact on confidentiality and availability (CVSS v3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) with a HIGH base score (8.2). Affected ...

CVSS 8.2, AI score 5.2, EPSS 0.0007

CVE-2026-41605
Added 2026/04/28 9:20 a.m., 10 views

CVE-2026-41605 is an Integer Overflow or Wraparound vulnerability in Apache Thrift affecting versions before 0.23.0. Public descriptions consistently recommend upgrading to 0.23.0 to fix the issue. Connected sources confirm the vendor/product and the upgrade path; no exploit details or active ve...

CVSS 7.3, AI score 5.2, EPSS 0.00044

CVE-2025-48431
Added 2026/04/28 9:11 a.m., 8 views

CVE-2025-48431 affects the Apache Thrift c_glib bindings (c_glib language bindings) prior to 0.23.0. The issue is a Mismatched Memory Management Routines vulnerability that can cause a crash in a c_glib-based Thrift server via specially crafted requests, producing a fatal "+free(): invalid pointe...

CVSS 7.5, AI score 5.3, EPSS 0.00088

CVE-2026-41607
Added 2026/04/28 9:21 a.m., 8 views

CVE-2026-41607 is an out-of-bounds read vulnerability in Apache Thrift (C++ JSON OOB read) affecting versions prior to 0.23.0. Upgrading to 0.23.0 fixes the issue. Exploitation details are not provided in the connected documents; no additional affected components or vectors are specified.

CVSS 6.5, AI score 5.2, EPSS 0.00069