<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpu-Exhaustion - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cpu-exhaustion/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:44:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cpu-exhaustion/feed.xml" rel="self" type="application/rss+xml"/><item><title>@conform-to/dom Vulnerable to CPU Exhaustion via Crafted Form Submissions</title><link>https://feed.craftedsignal.io/briefs/2026-07-cpu-exhaustion-conform-dom/</link><pubDate>Fri, 03 Jul 2026 11:44:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cpu-exhaustion-conform-dom/</guid><description>A CPU exhaustion vulnerability (CVE-2026-49250) exists in Conform's `parseSubmission` API when parsing `FormData` or `URLSearchParams` with many unique field names, allowing an attacker to craft a submission that causes excessive synchronous CPU work and potential denial of service by repeatedly scanning submitted entries.</description><content:encoded><![CDATA[<p>A high-severity CPU exhaustion vulnerability, identified as CVE-2026-49250, has been discovered in the <code>@conform-to/dom</code> npm package, specifically within its <code>parseSubmission</code> future API. This vulnerability affects versions greater than or equal to 1.8.0 and less than 1.19.4. The issue arises when the API processes <code>FormData</code> or <code>URLSearchParams</code> submissions containing a large number of unique field names. An attacker can exploit this by sending a specially crafted submission, causing the parser to repeatedly scan submitted entries during value lookups. This inefficient processing leads to excessive synchronous CPU utilization on the server, ultimately resulting in CPU exhaustion and a denial of service (DoS) condition for the affected application. This vulnerability is critical for applications that accept untrusted or arbitrary form submissions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a web application using <code>@conform-to/dom</code>'s <code>parseSubmission</code> API for form processing.</li>
<li>The attacker crafts a malicious HTTP POST request containing <code>FormData</code> or <code>URLSearchParams</code>.</li>
<li>The crafted request includes a significantly large number of unique field names within its body.</li>
<li>The victim application receives the request and invokes <code>parseSubmission</code> to process the incoming form data.</li>
<li>During the parsing process, <code>parseSubmission</code> attempts to look up values by field name.</li>
<li>Due to the high volume of unique field names, the parser repeatedly iterates through the entire list of submitted entries for each lookup.</li>
<li>This repeated scanning consumes excessive synchronous CPU cycles on the server hosting the application.</li>
<li>The prolonged CPU exhaustion leads to a denial of service (DoS) for the application, making it unresponsive or unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-49250 is a denial of service (DoS) condition for applications utilizing the vulnerable <code>@conform-to/dom</code> package. If successfully exploited, an attacker can render the web application unresponsive or completely unavailable by causing its CPU resources to be fully consumed. This can lead to significant operational disruption, financial losses due to service downtime, and reputational damage for affected organizations. Any application that processes untrusted form submissions using vulnerable versions of <code>@conform-to/dom</code> is at risk, irrespective of the industry sector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>npm/@conform-to/dom</code> package to version 1.19.4 or higher immediately to patch CVE-2026-49250.</li>
<li>Implement request parsing limits <em>before</em> passing data to the Conform <code>parseSubmission</code> API. For multipart requests, utilize <code>@remix-run/form-data-parser</code> with options such as <code>maxParts</code>, <code>maxTotalSize</code>, <code>maxFileSize</code>, <code>maxFiles</code>, and <code>maxHeaderSize</code> to mitigate CPU exhaustion.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>web-application</category><category>denial-of-service</category><category>cpu-exhaustion</category><category>npm</category></item></channel></rss>