Vulnerability Details CVE-2026-42355
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.7%
CVSS Severity
CVSS v3 Score 3.3
Products affected by CVE-2026-42355
-
cpe:2.3:a:m2team:nanazip:5.0.1250.0
-
cpe:2.3:a:m2team:nanazip:5.0.1252.0
-
cpe:2.3:a:m2team:nanazip:5.0.1263.0
-
cpe:2.3:a:m2team:nanazip:5.1.1252.0
-
cpe:2.3:a:m2team:nanazip:5.1.1263.0
-
cpe:2.3:a:m2team:nanazip:6.0.1461.0
-
cpe:2.3:a:m2team:nanazip:6.0.1621.0
-
cpe:2.3:a:m2team:nanazip:6.0.1630.0
-
cpe:2.3:a:m2team:nanazip:6.0.1632.0