Product: apache thrift
27 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-43870
< 0.23.0
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization o
7.3
HIGH
CVE-2026-43868
< 0.23.0
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Use
5.3
MEDIUM
CVE-2026-43869
< 0.23.0
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.
7.3
HIGH
CVE-2026-41636
< 0.23.0
Uncontrolled Recursion vulnerability in Apache Thrift Node.js bindings This issue affects Apache Thrift: before 0.23.0. Users ar
7.5
HIGH
CVE-2026-41607
< 0.23.0
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upg
6.5
MEDIUM
CVE-2026-41606
< 0.23.0
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to
5.3
MEDIUM
CVE-2026-41605
< 0.23.0
Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recomm
7.3
HIGH
CVE-2026-41604
< 0.23.0
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upg
8.2
HIGH
CVE-2026-41603
< 0.23.0
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.
7.4
HIGH
CVE-2026-41602
< 0.23.0
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apac
7.5
HIGH
CVE-2025-48431
< 0.23.0
Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift:
7.5
HIGH
CVE-2021-24028
< 2021.02.22.00
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution o
9.8
CRITICAL
CVE-2020-13949
>= 0.9.3 and <= 0.13.0
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation,
7.5
HIGH
CVE-2019-11939
< 2020.03.16.00
Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a
7.5
HIGH
CVE-2019-3553
< 2020.02.03.00
C++ Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a re
7.5
HIGH
CVE-2019-11938
< 2019.12.09.00
Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a r
7.5
HIGH
CVE-2019-0210
>= 0.9.3 and <= 0.12.0
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with i
7.5
HIGH
CVE-2019-0205
<= 0.12.0
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific
7.5
HIGH
CVE-2019-3565
< 2019.05.06.00
Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would not error upon receiving messages with containers of fields o
7.5
HIGH
CVE-2019-3564
< 2019.03.04.00
Go Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicio
7.5
HIGH
CVE-2019-3559
< 2019.02.18.00
Java Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malic
7.5
HIGH
CVE-2019-3558
< 2019.02.18.00
Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, mal
7.5
HIGH
CVE-2019-3552
< 2019.02.18.00
C++ Facebook Thrift servers (using cpp2) would not error upon receiving messages with containers of fields of unknown type. As a r
7.5
HIGH
CVE-2018-1320
>= 0.5.0 and <= 0.11.0
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apach
7.5
HIGH
CVE-2018-11798
>= 0.9.2 and <= 0.11.0
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerabil
6.5
MEDIUM
CVE-2016-5397
<= 0.9.3
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external fo
8.8
HIGH
CVE-2015-3254
<= 0.9.2
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite r
6.5
MEDIUM
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin