{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cpu-exhaustion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/@conform-to/dom (\u003c 1.19.4)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","web-application","denial-of-service","cpu-exhaustion","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity CPU exhaustion vulnerability, identified as CVE-2026-49250, has been discovered in the \u003ccode\u003e@conform-to/dom\u003c/code\u003e npm package, specifically within its \u003ccode\u003eparseSubmission\u003c/code\u003e future API. This vulnerability affects versions greater than or equal to 1.8.0 and less than 1.19.4. The issue arises when the API processes \u003ccode\u003eFormData\u003c/code\u003e or \u003ccode\u003eURLSearchParams\u003c/code\u003e submissions containing a large number of unique field names. An attacker can exploit this by sending a specially crafted submission, causing the parser to repeatedly scan submitted entries during value lookups. This inefficient processing leads to excessive synchronous CPU utilization on the server, ultimately resulting in CPU exhaustion and a denial of service (DoS) condition for the affected application. This vulnerability is critical for applications that accept untrusted or arbitrary form submissions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application using \u003ccode\u003e@conform-to/dom\u003c/code\u003e's \u003ccode\u003eparseSubmission\u003c/code\u003e API for form processing.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request containing \u003ccode\u003eFormData\u003c/code\u003e or \u003ccode\u003eURLSearchParams\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a significantly large number of unique field names within its body.\u003c/li\u003e\n\u003cli\u003eThe victim application receives the request and invokes \u003ccode\u003eparseSubmission\u003c/code\u003e to process the incoming form data.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, \u003ccode\u003eparseSubmission\u003c/code\u003e attempts to look up values by field name.\u003c/li\u003e\n\u003cli\u003eDue to the high volume of unique field names, the parser repeatedly iterates through the entire list of submitted entries for each lookup.\u003c/li\u003e\n\u003cli\u003eThis repeated scanning consumes excessive synchronous CPU cycles on the server hosting the application.\u003c/li\u003e\n\u003cli\u003eThe prolonged CPU exhaustion leads to a denial of service (DoS) for the application, making it unresponsive or unavailable to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-49250 is a denial of service (DoS) condition for applications utilizing the vulnerable \u003ccode\u003e@conform-to/dom\u003c/code\u003e package. If successfully exploited, an attacker can render the web application unresponsive or completely unavailable by causing its CPU resources to be fully consumed. This can lead to significant operational disruption, financial losses due to service downtime, and reputational damage for affected organizations. Any application that processes untrusted form submissions using vulnerable versions of \u003ccode\u003e@conform-to/dom\u003c/code\u003e is at risk, irrespective of the industry sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003enpm/@conform-to/dom\u003c/code\u003e package to version 1.19.4 or higher immediately to patch CVE-2026-49250.\u003c/li\u003e\n\u003cli\u003eImplement request parsing limits \u003cem\u003ebefore\u003c/em\u003e passing data to the Conform \u003ccode\u003eparseSubmission\u003c/code\u003e API. For multipart requests, utilize \u003ccode\u003e@remix-run/form-data-parser\u003c/code\u003e with options such as \u003ccode\u003emaxParts\u003c/code\u003e, \u003ccode\u003emaxTotalSize\u003c/code\u003e, \u003ccode\u003emaxFileSize\u003c/code\u003e, \u003ccode\u003emaxFiles\u003c/code\u003e, and \u003ccode\u003emaxHeaderSize\u003c/code\u003e to mitigate CPU exhaustion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:44:10Z","date_published":"2026-07-03T11:44:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cpu-exhaustion-conform-dom/","summary":"A CPU exhaustion vulnerability (CVE-2026-49250) exists in Conform's `parseSubmission` API when parsing `FormData` or `URLSearchParams` with many unique field names, allowing an attacker to craft a submission that causes excessive synchronous CPU work and potential denial of service by repeatedly scanning submitted entries.","title":"@conform-to/dom Vulnerable to CPU Exhaustion via Crafted Form Submissions","url":"https://feed.craftedsignal.io/briefs/2026-07-cpu-exhaustion-conform-dom/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpu-Exhaustion","version":"https://jsonfeed.org/version/1.1"}