@maplibre/geojson-vt is vulnerable to Uncontrolled Recursion
75
High Risk
The GeoJSON conversion logic in src/convert.ts uses the mutually recursive functions featureToInternal and convertGeometryCollection without any nesting-depth limit. When a GeoJSONVT instance is constructed with a deeply nested GeometryCollection, the recursion exhausts the Node.js call stack and throws an unhandled RangeError, terminating the process. A remote unauthenticated attacker can trigger a denial of service by submitting a single crafted GeoJSON payload with no non-default options. The fix introduces a MAX_GEOMETRY_COLLECTION_DEPTH cap of 1024 and throws a controlled error before the stack overflows.
You are affected if you are using a version that falls within the vulnerable range.
@maplibre/geojson-vt is vulnerable to Uncontrolled Recursion in versions 0.0.1 - 6.1.0.
Upgrade the @maplibre/geojson-vt library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant