Intel

AIKIDO-2026-158991

toml is vulnerable to Uncontrolled Recursion

Uncontrolled RecursionGHSA-82x6-q7mm-w9cf Published Yesterday

75

High Risk

This Affects:

JStoml
0.0.1 - 4.1.2
Fixed in 4.2.0
Are you affected? Scan for Free

TL;DR

The TOML parser previously used recursive-descent parsing where deeply nested arrays/inline tables could overflow the JavaScript call stack, crashing the process with an uncatchable RangeError (DoS). Version 4.2.0 fixes this by adding a configurable nesting-depth bound (default 500 via toml.parse(input, { maxDepth })) enforced in the parser grammar/logic; inputs exceeding the limit now fail with a normal parse error instead of a runtime stack overflow.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

toml is vulnerable to Uncontrolled Recursion in versions 0.0.1 - 4.1.2.

How to fix this

Upgrade the toml library to the patch version.