CVE-2025-50537
Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references
Description
## Withdrawn Advisory This advisory has been withdrawn because RuleTester is used for testing rules during development and results in a error rather than crashing the application. ## Original Description There is a Stack Overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in `eslint/lib/shared/serialization.js`. The exploit is triggered via the `RuleTester.run()` method, which validates test cases and checks for duplicates. During validation, the internal function `checkDuplicateTestCase()` is called, which in turn uses the `isSerializable()` function for serialization checks. When a circular reference object is passed in, `isSerializable()` enters infinite recursion, ultimately causing a Stack Overflow.
How to fix CVE-2025-50537
To remediate CVE-2025-50537, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 9.26.0 or later
Is CVE-2025-50537 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 9.26.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |