Apache Thrift
By the Year
In 2026 there have been 8 vulnerabilities in Apache Thrift with an average score of 7.1 out of ten. Thrift had no published security vulnerabilities in 2025, so all 8 of this year's reports are new relative to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 7.10 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 7.50 |
| 2020 | 0 | 0.00 |
| 2019 | 4 | 7.25 |
| 2018 | 1 | 8.80 |
It may take a day or so for new Thrift vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Apache Thrift Security Vulnerabilities
Uncontrolled Recursion Exposed in Apache Thrift Node.js Bindings <0.23.0
CVE-2026-41636
- April 28, 2026
Uncontrolled Recursion vulnerability in the Apache Thrift Node.js bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Stack Exhaustion
OOB Read Vulnerability in Apache Thrift before 0.23.0
CVE-2026-41607
6.5 - Medium
- April 28, 2026
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Out-of-bounds Read
Apache Thrift <0.23.0: Uncontrolled Recursion Vulnerability
CVE-2026-41606
5.3 - Medium
- April 28, 2026
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Stack Exhaustion
Apache Thrift Int Overflow or Wraparound <0.23.0; Fixed 0.23.0
CVE-2026-41605
7.3 - High
- April 28, 2026
Integer Overflow or Wraparound vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Integer Overflow or Wraparound
CVE-2026-41604: OOB Read in Apache Thrift < 0.23.0
CVE-2026-41604
8.2 - High
- April 28, 2026
Out-of-bounds Read vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Out-of-bounds Read
Apache Thrift CVE-2026-41603: Improper Cert Host Mismatch Before 0.23.0
CVE-2026-41603
7.4 - High
- April 28, 2026
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Improper Validation of Certificate with Host Mismatch
Apache Thrift Go TFramedTransport Integer Overflow (<0.23.0)
CVE-2026-41602
7.5 - High
- April 28, 2026
Integer Overflow or Wraparound vulnerability in the Apache Thrift TFramedTransport Go language implementation. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Integer Overflow or Wraparound
Apache Thrift c_glib Mismatched Memory Management Routines (<0.23.0; Fixed 0.23.0)
CVE-2025-48431
7.5 - High
- April 28, 2026
Mismatched Memory Management Routines vulnerability in the Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
Mismatched Memory Management Routines
Apache Thrift 0.9.3 to 0.13.0: Short Messages Trigger Large Memory Allocation (DoS)
CVE-2020-13949
7.5 - High
- February 12, 2021
In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Resource Exhaustion
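The Go TFramedTransport integer-overflow entry (CVE-2026-41602) and the short-message/large-allocation entry (CVE-2020-13949) above both come down to the same defensive rule: a length that arrives on the wire is attacker-controlled and must be range-checked before anything is allocated or indexed. The following framed-transport reader is an added example written for this page, not Apache Thrift's own TFramedTransport code; the 16 MiB ceiling, the function and error names, and the sample frames are all assumptions chosen for illustration. It reads the 4-byte big-endian length prefix as a signed int32 so a prefix with the sign bit set is rejected instead of wrapping to a huge unsigned size, compares the length against a configured maximum before calling make, and uses io.ReadFull so a frame shorter than its declared length is reported as an error.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// DefaultMaxFrameSize is an assumed ceiling for one frame; real deployments
// should size it to their largest legitimate message, not the maximum int32.
const DefaultMaxFrameSize = 16 * 1024 * 1024 // 16 MiB

var (
	ErrFrameTooLarge = errors.New("frame length exceeds configured maximum")
	ErrFrameNegative = errors.New("frame length is negative")
	ErrShortFrame    = errors.New("frame shorter than its declared length")
)

// ReadFrame reads one length-prefixed frame from r. The prefix is a big-endian
// 32-bit length, as in Thrift's framed transport. The length is validated
// before any buffer is allocated, so a 4-byte "short message" cannot force a
// gigabyte allocation, and the body is read with io.ReadFull so a truncated
// payload is an error rather than a silently accepted partial frame.
func ReadFrame(r io.Reader, maxFrame int) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("reading frame header: %w", err)
	}
	// Interpret as signed: 0xFFFFFFFF becomes -1 and is rejected below instead
	// of wrapping into a ~4 GiB unsigned size.
	n := int32(binary.BigEndian.Uint32(hdr[:]))
	if n < 0 {
		return nil, ErrFrameNegative
	}
	if int(n) > maxFrame {
		return nil, fmt.Errorf("%w: %d > %d", ErrFrameTooLarge, n, maxFrame)
	}
	buf := make([]byte, n) // only reached once the length is known to be sane
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrShortFrame, err)
	}
	return buf, nil
}

// frame builds a well-formed frame around payload (constructed demo input).
func frame(payload []byte) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(payload)))
	return append(hdr[:], payload...)
}

func main() {
	body, err := ReadFrame(bytes.NewReader(frame([]byte("hello thrift"))), DefaultMaxFrameSize)
	fmt.Printf("good frame: %q err=%v\n", body, err)

	// Constructed "short message": a prefix claiming a 1 GiB body, then EOF.
	_, err = ReadFrame(bytes.NewReader([]byte{0x40, 0x00, 0x00, 0x00}), DefaultMaxFrameSize)
	fmt.Println("oversize prefix:", err)

	// Constructed prefix with the sign bit set.
	_, err = ReadFrame(bytes.NewReader([]byte{0xFF, 0xFF, 0xFF, 0xFF}), DefaultMaxFrameSize)
	fmt.Println("negative prefix:", err)

	// Constructed frame that declares 10 bytes but carries only 2.
	_, err = ReadFrame(bytes.NewReader([]byte{0, 0, 0, 10, 'a', 'b'}), DefaultMaxFrameSize)
	fmt.Println("truncated body:", err)
}
```

The order of the checks is the point: sign, then maximum, then allocation. Checking the maximum only after converting to an unsigned or wider type is exactly the kind of wraparound that lets a malformed prefix past the limit.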
Apache Thrift up to and including 0.12.0: Endless Loop on Specific Input Data
CVE-2019-0205
7.5 - High
- October 29, 2019
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Infinite Loop
Apache Thrift 0.9.3 to 0.12.0: Go TJSONProtocol/TSimpleJSONProtocol Server Panic on Invalid Input
CVE-2019-0210
7.5 - High
- October 29, 2019
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data.
Out-of-bounds Read
Apache Thrift Java Client 0.5.0 through 0.11.0: SASL Negotiation isComplete Validation Bypass
CVE-2018-1320
7.5 - High
- January 07, 2019
Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
Improper Certificate Validation
Apache Thrift Node.js Static Web Server 0.9.2 through 0.11.0: File Access Outside the Docroot
CVE-2018-11798
6.5 - Medium
- January 07, 2019
The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 has been determined to contain a security vulnerability in which a remote user has the ability to access files outside the web server's configured docroot path.
Insertion of Sensitive Information into Externally-Accessible File or Directory
Apache Thrift Go Code Generation (0.9.3 and older): Command Injection via External Formatting Tool
CVE-2016-5397
8.8 - High
- February 12, 2018
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
Command Injection
Apache Thrift Client Libraries before 0.9.3: Infinite Recursion via the skip Function
CVE-2015-3254
6.5 - Medium
- June 16, 2017
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
Improper Input Validation
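Several entries on this page are the same failure mode seen at different times: the infinite recursion via the skip function (CVE-2015-3254), the endless loop on specific input (CVE-2019-0205), and the 2026 uncontrolled-recursion entries (CVE-2026-41606, CVE-2026-41636). A skip routine that descends into nested containers on behalf of untrusted input needs two guarantees: recursion is bounded by an explicit depth limit, and every loop iteration either consumes input or returns. The following is an added example written for this page, not Apache Thrift's skip implementation. It covers only a simplified subset of the Thrift binary protocol (the STOP, I32, STRING and STRUCT type IDs, a 1-byte type plus 2-byte field id per struct field, and a STOP byte ending each struct; lists, maps and the other scalars are omitted), and the depth limit of 64, the function and error names, and the sample messages are assumptions chosen for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Type IDs as used by Thrift's binary protocol (subset).
const (
	TypeStop   = 0
	TypeI32    = 8
	TypeString = 11
	TypeStruct = 12
)

// DefaultMaxDepth is an assumed nesting limit; legitimate IDL rarely nests
// structs more than a handful of levels deep.
const DefaultMaxDepth = 64

var (
	ErrDepthExceeded = errors.New("nesting depth exceeds limit")
	ErrTruncated     = errors.New("message truncated")
	ErrUnknownType   = errors.New("unknown type id")
)

// Skip consumes one value of type typ starting at buf[pos] and returns the
// position just past it. depth is the number of enclosing structs; a nested
// struct is refused once depth reaches maxDepth, before recursing. Without
// that check a run of 0x0C field headers recurses once per field until the
// stack is exhausted. The struct loop terminates because every iteration
// either advances pos by at least one byte or returns.
func Skip(buf []byte, pos int, typ byte, depth, maxDepth int) (int, error) {
	switch typ {
	case TypeI32:
		if pos+4 > len(buf) {
			return 0, ErrTruncated
		}
		return pos + 4, nil
	case TypeString:
		if pos+4 > len(buf) {
			return 0, ErrTruncated
		}
		// The declared length is untrusted: check it against the bytes that
		// are actually present instead of indexing past the buffer.
		n := int32(binary.BigEndian.Uint32(buf[pos:]))
		if n < 0 || pos+4+int(n) > len(buf) {
			return 0, ErrTruncated
		}
		return pos + 4 + int(n), nil
	case TypeStruct:
		if depth >= maxDepth {
			return 0, ErrDepthExceeded
		}
		for {
			if pos >= len(buf) {
				return 0, ErrTruncated
			}
			ftype := buf[pos]
			pos++
			if ftype == TypeStop {
				return pos, nil
			}
			if pos+2 > len(buf) { // 2-byte field id
				return 0, ErrTruncated
			}
			pos += 2
			var err error
			if pos, err = Skip(buf, pos, ftype, depth+1, maxDepth); err != nil {
				return 0, err
			}
		}
	default:
		return 0, fmt.Errorf("%w: %d", ErrUnknownType, typ)
	}
}

// nested builds a constructed message with n struct fields nested inside each
// other (n+1 struct levels in total), each level closed by its own STOP byte.
func nested(n int) []byte {
	var b []byte
	for i := 0; i < n; i++ {
		b = append(b, TypeStruct, 0x00, 0x01)
	}
	for i := 0; i <= n; i++ {
		b = append(b, TypeStop)
	}
	return b
}

func main() {
	// Constructed flat struct: field 1 = i32 42, field 2 = string "hi", STOP.
	flat := []byte{TypeI32, 0, 1, 0, 0, 0, 42, TypeString, 0, 2, 0, 0, 0, 2, 'h', 'i', TypeStop}
	end, err := Skip(flat, 0, TypeStruct, 0, DefaultMaxDepth)
	fmt.Println("flat struct ends at:", end, "err:", err)

	// Constructed recursion bomb: 100000 struct field headers and no STOP at all.
	bomb := make([]byte, 0, 300000)
	for i := 0; i < 100000; i++ {
		bomb = append(bomb, TypeStruct, 0x00, 0x01)
	}
	_, err = Skip(bomb, 0, TypeStruct, 0, DefaultMaxDepth)
	fmt.Println("bomb:", err)
}
```

The depth check sits at struct entry rather than at the recursive call site so that the limit is enforced uniformly no matter which container type led to the nested struct; adding list and map cases to this skeleton means applying the same depth increment and the same bounds check on their declared element counts.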