Apache Thrift <0.23.0 PT, HTS, Resource Exhaustion - CVE-2026-43870
CVE-2026-43870 Published on May 5, 2026

Apache Thrift: Node.js web_server.js multi-vulnerability
Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-43870 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
LOW

Weakness Types

Origin Validation Error

The software does not properly verify that the source of data or communication is valid.

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-43870 has been classified to as a Directory traversal vulnerability or weakness.

What is a HTTP Response Splitting Vulnerability?

The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CVE-2026-43870 has been classified to as a HTTP Response Splitting vulnerability or weakness.

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2026-43870 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2026-43870

Want to know whenever a new CVE is published for Apache Thrift? stack.watch will email you.

Apache Thrift
 

Affected Versions

Apache Software Foundation Apache Thrift: