CVE-2026-53433
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A vulnerability in fzf's --listen mode causes a Denial of Service (DoS) due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage, monopolizing the single-threaded HTTP server and blocking all other clients.
Risk Assessment
The risk is that a single malicious request can completely block the HTTP server in --listen mode, causing service unavailability for all other users.
Recommendation
Immediately update fzf to version 0.73.1 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to inefficient HTTP body processing using repeated string concatenation, resulting in quadratic time complexity (O(n²)). A crafted POST request with many small segments can trigger excessive CPU usage during request handling.This allows a single malicious request to monopolize the single‑threaded HTTP server, blocking all other clients and resulting in denial of service. This issue was fixed in version 0.73.1.

