Vulnerability Report

CVE-2025-50537

Title: Stack Overflow in eslint due to Circular References

Other

Proof Of Concept

No public PoC currently indexed for CVE-2025-50537.

CWE Category NVD-CWE-noinfo

Published Date Jan 26, 2026

Modified Date Feb 04, 2026

Exploit Status Not Found

Score 5.5 CVSS v

Exploit Probability (EPSS)

0.03%

Vulnerability Summary

CVE-2025-50537: Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.

Impacted Vendors

microsoft 1

openjsf 1

Reference Links

https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc https://github.com/eslint/eslint/issues/19646

CVSS v3.1

Source Entity 134c704f-9b21-4f2e-91b3-4a467353bcc0

Severity MEDIUM

5.5

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns