AIKIDO-2026-10529

shaka-player is vulnerable to Denial of Service

Denial of Service Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Apr 24, 2026

42

Medium Risk

This Affects:

shaka-player (JS)
4.0.0 - 4.15.38: fixed in 4.15.39
4.16.0 - 4.16.26: fixed in 4.16.27
5.0.0 - 5.0.10: fixed in 5.0.11

TL;DR

Affected versions of this package are vulnerable to a denial of service in shaka.util.TXml.parse, where parsing a deeply nested XML manifest can trigger unbounded recursion between parseNode and parseChildren, exhausting the JavaScript call stack and causing a RangeError that may crash the browser tab. An attacker could exploit this by supplying a malicious XML document with extreme nesting depth, causing the parser to fail during processing and disrupting application availability.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

shaka-player is vulnerable to Denial of Service in versions 4.0.0 - 4.15.38, 4.16.0 - 4.16.26 and 5.0.0 - 5.0.10.

How to fix this

Upgrade shaka-player to the patched release for the version line you are on: 4.15.39, 4.16.27 or 5.0.11.
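
As a stopgap until the upgrade is deployed, an application can reject over-nested manifests before they reach the parser. This added example (not from the advisory or from shaka-player) measures element depth with a loop and a counter instead of recursion; `MAX_DEPTH`, the function names and the sample manifest are assumptions made for the illustration.

```javascript
// Added example, not shaka-player code: bound XML nesting before parsing.
const MAX_DEPTH = 64; // assumed budget, tune to your own manifests

// Index just past `token`, or end of input when the token never appears.
function skipTo(xml, token, from) {
  const j = xml.indexOf(token, from);
  return j === -1 ? xml.length : j + token.length;
}

// Index of the '>' closing a start tag, ignoring '>' inside quoted attributes.
function tagEnd(xml, from) {
  let quote = null;
  for (let j = from; j < xml.length; j++) {
    const c = xml[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return j;
  }
  return xml.length;
}

// Deepest element nesting, found iteratively; returns limit + 1 on overflow.
function xmlNestingDepth(xml, limit = MAX_DEPTH) {
  let depth = 0, max = 0, i = 0;
  while ((i = xml.indexOf('<', i)) !== -1) {
    if (xml.startsWith('<!--', i)) i = skipTo(xml, '-->', i + 4);
    else if (xml.startsWith('<![CDATA[', i)) i = skipTo(xml, ']]>', i + 9);
    else if (xml[i + 1] === '?') i = skipTo(xml, '?>', i + 2);
    else if (xml[i + 1] === '!') i = skipTo(xml, '>', i + 2);
    else if (xml[i + 1] === '/') {            // end tag: one level up
      depth = Math.max(0, depth - 1);
      i = skipTo(xml, '>', i + 2);
    } else {                                   // start or self-closing tag
      const end = tagEnd(xml, i + 1);
      max = Math.max(max, depth + 1);
      if (max > limit) return max;             // stop scanning early
      if (xml[end - 1] !== '/') depth++;       // self-closing adds no level
      i = end + 1;
    }
  }
  return max;
}

// True when the document stays within the nesting budget.
const isDepthSafe = (xml, limit = MAX_DEPTH) => xmlNestingDepth(xml, limit) <= limit;

// Constructed sample shaped like a small DASH manifest.
const SAMPLE = '<?xml version="1.0"?><!-- c --><MPD><Period><AdaptationSet label="a>b">' +
  '<Representation id="1"/></AdaptationSet></Period></MPD>';
console.log(xmlNestingDepth(SAMPLE), isDepthSafe(SAMPLE));
```

The scan is a coarse pre-filter, not a validating parser, so it complements the upgrade rather than replacing it.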