PatchSiren cyber security CVE debrief
CVE-2026-42355 M2Team CVE debrief
NanaZip versions 5.0.1252.0 through 6.0.1697.x contain an uncontrolled recursion vulnerability in the Electron Archive (ASAR) parser. When processing a crafted .asar file with deeply nested JSON in its header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, causing stack exhaustion and process crash. This represents a denial-of-service condition triggered by local user interaction with a malicious archive. The vulnerability was published on 2026-05-12 and last modified on 2026-05-18. M2Team patched this in version 6.0.1698.0.
- Vendor: M2Team
- Product: NanaZip
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
End-users who rely on NanaZip for archive management, particularly those handling Electron application packages or archives from external sources. System administrators managing software deployment tools that may process .asar files. Security teams monitoring for denial-of-service vectors in file parsing applications.
Technical summary
The vulnerability exists in NanaZip's Electron Archive (ASAR) format handler. The ASAR format uses a JSON header to describe the file layout within the archive. The handler uses nlohmann::json::parse to deserialize that header and a custom GetAllPaths function to enumerate the archive contents. Neither enforces a recursion depth limit. A malicious actor can craft an .asar file whose header contains deeply nested JSON structures, such as objects or arrays nested thousands of levels deep. When NanaZip opens the file, the recursive descent in both the JSON parser and GetAllPaths consumes stack space in proportion to the nesting depth. On Windows systems with the default thread stack size (typically 1 MB), this ends in a stack overflow exception (0xC00000FD) and process termination. The attack requires local access and user interaction (opening the malicious archive), which limits practical exploitability, but it still provides a denial-of-service vector against users who handle archives from untrusted sources.
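The defensive pattern that closes this class of bug is to bound nesting before any recursive code runs. The following is an added illustration, not NanaZip's own code: a single-pass, non-recursive depth scan over the raw header text that a handler can run before calling nlohmann::json::parse or GetAllPaths. The 128-level ceiling, the function names and the sample header builder are assumptions made for this example.

```cpp
#include <cstddef>
#include <string>

// Nesting ceiling applied to an ASAR header before any recursive parser
// sees it. Real Electron packages nest directories a few levels deep, so
// 128 leaves ample headroom (assumed value, not from NanaZip).
constexpr std::size_t kMaxAsarHeaderDepth = 128;

// Single linear pass over the raw JSON text, no recursion: returns the
// deepest object/array nesting. Brackets inside string literals (including
// escaped quotes) are ignored. Returns -1 for unbalanced or unterminated
// input so the caller rejects it instead of guessing.
long jsonMaxDepth(const std::string& text) {
    long depth = 0, maxDepth = 0;
    bool inString = false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const char c = text[i];
        if (inString) {
            if (c == '\\') ++i;                 // skip the escaped character
            else if (c == '"') inString = false;
            continue;
        }
        if (c == '"') inString = true;
        else if (c == '{' || c == '[') { if (++depth > maxDepth) maxDepth = depth; }
        else if (c == '}' || c == ']') { if (--depth < 0) return -1; }
    }
    return (depth == 0 && !inString) ? maxDepth : -1;
}

// Gate to run before nlohmann::json::parse / GetAllPaths: a header that is
// malformed or nests deeper than `limit` is refused up front, so the
// recursive code paths never execute on it.
bool asarHeaderIsSafeToParse(const std::string& header,
                             std::size_t limit = kMaxAsarHeaderDepth) {
    const long d = jsonMaxDepth(header);
    return d >= 0 && static_cast<std::size_t>(d) <= limit;
}

// Constructed sample: an ASAR-style {"files":{...}} tree `levels`
// directories deep (nesting depth 2*levels + 3), used to exercise the gate.
std::string nestedAsarHeader(std::size_t levels) {
    std::string s = "{\"files\":{";
    for (std::size_t i = 0; i < levels; ++i) s += "\"d\":{\"files\":{";
    s += "\"a.txt\":{\"size\":1,\"offset\":\"0\"}";
    for (std::size_t i = 0; i < levels; ++i) s += "}}";
    return s + "}}";
}
```

The scan is O(n) in header size and uses constant stack, so it cannot itself be exhausted by the input it is checking.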
Defensive priority
LOW
Recommended defensive actions
- Upgrade NanaZip to version 6.0.1698.0 or later to eliminate the vulnerability
- Implement application controls to block or quarantine .asar files from untrusted sources until patching is complete
- Monitor for unexpected NanaZip process crashes as potential indicators of exploitation attempts
- Review and update endpoint protection policies to detect anomalous archive parsing behavior
Evidence notes
The vulnerability affects NanaZip from version 5.0.1250.0 (per the CPE criteria) or 5.0.1252.0 (per the CVE description) through all versions before 6.0.1698.0. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L confirms a local attack vector requiring user interaction, with low availability impact and no confidentiality or integrity impact. CWE-674 (Uncontrolled Recursion) is the primary weakness classification.
Official resources
- CVE-2026-42355 CVE record (CVE.org)
- CVE-2026-42355 NVD detail (NVD)
- Mitigation or vendor reference: vendor advisory, tagged Mitigation, Vendor Advisory
The vendor disclosed this vulnerability via GitHub Security Advisory GHSA-4gxf-p4q6-gfrf, with NVD subsequently analyzing and publishing the record.