Intel

AIKIDO-2026-51812

@maplibre/geojson-vt is vulnerable to Uncontrolled Recursion

Uncontrolled RecursionCVE-2026-58505 Published 3 days ago

75

High Risk

This Affects:

JS@maplibre/geojson-vt
0.0.1 - 6.1.0
Fixed in 6.1.1
Are you affected? Scan for Free

TL;DR

The GeoJSON conversion logic in src/convert.ts uses the mutually recursive functions featureToInternal and convertGeometryCollection without any nesting-depth limit. When a GeoJSONVT instance is constructed with a deeply nested GeometryCollection, the recursion exhausts the Node.js call stack and throws an unhandled RangeError, terminating the process. A remote unauthenticated attacker can trigger a denial of service by submitting a single crafted GeoJSON payload with no non-default options. The fix introduces a MAX_GEOMETRY_COLLECTION_DEPTH cap of 1024 and throws a controlled error before the stack overflows.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@maplibre/geojson-vt is vulnerable to Uncontrolled Recursion in versions 0.0.1 - 6.1.0.

How to fix this

Upgrade the @maplibre/geojson-vt library to the patch version.