Problem/Motivation

Drupal core currently includes Underscore.js 1.13.7, which is affected by CVE-2026-27601.

In versions prior to 1.13.8, the functions .flatten and .isEqual use recursion without a depth limit. Under specific conditions, this can lead to a stack overflow and be exploited as a Denial of Service (DoS).

The vulnerability is classified as:

CWE-770: Allocation of Resources Without Limits or Throttling

CVSS v4 Base Score: 8.2 (HIGH)

CVSS v3.1 Base Score: 7.5 (HIGH)

The issue is fixed in Underscore.js 1.13.8.

References:

https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hp...

https://underscorejs.org/#1.13.8

Steps to reproduce

1. Create a deeply nested recursive data structure from untrusted input (e.g., via JSON.parse without depth validation).
2. Pass the structure to .flatten without specifying a finite depth limit, or compare two attacker-controlled structures using .isEqual.
3. Trigger a stack overflow leading to a Denial of Service condition.
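The defensive side of the steps above, as an added example that is not Drupal's or Underscore's own code: an iterative nesting-depth check that rejects untrusted JSON before it reaches recursive helpers such as .flatten or .isEqual, plus a flatten that honours an explicit finite depth. The limit value and the function names are assumptions.

```javascript
// Added example: guard untrusted JSON against deep nesting before handing it
// to recursive helpers. MAX_DEPTH is an assumed policy value, not from Drupal.
const MAX_DEPTH = 64;

// Iterative (stack-free) nesting depth of arrays/objects, so the check itself
// cannot overflow the call stack on hostile input. Scalars have depth 0,
// [] has depth 1, [[]] has depth 2.
function nestingDepth(value) {
  let deepest = 0;
  const stack = [[value, 1]];
  while (stack.length) {
    const [node, depth] = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > deepest) deepest = depth;
    for (const child of Object.values(node)) stack.push([child, depth + 1]);
  }
  return deepest;
}

// Parse untrusted JSON and reject it when nesting exceeds the limit.
function parseBounded(text, limit = MAX_DEPTH) {
  const value = JSON.parse(text);
  const depth = nestingDepth(value);
  if (depth > limit) {
    throw new RangeError(`nesting depth ${depth} exceeds limit ${limit}`);
  }
  return value;
}

// Flatten with an explicit finite depth: each pass unwraps one level, so the
// work done is bounded by `depth` regardless of how deep the input really is.
function flattenBounded(arr, depth) {
  let current = arr;
  for (let level = 0; level < depth; level++) {
    if (!current.some(Array.isArray)) break;
    const next = [];
    for (const item of current) {
      if (Array.isArray(item)) next.push(...item);
      else next.push(item);
    }
    current = next;
  }
  return current;
}

// Constructed hostile input: 300 nested arrays, well past MAX_DEPTH.
const hostileInput = '['.repeat(300) + ']'.repeat(300);
```

Calling parseBounded(hostileInput) throws instead of producing a structure that could later be fed to an unbounded recursive helper.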

Update the bundled Underscore.js library in Drupal core from 1.13.7 to 1.13.8, which includes the upstream fix.

Remaining tasks

• Update the Underscore.js library to version 1.13.8.
• Verify no regressions in core JavaScript behaviors.
• Confirm library metadata and license headers remain accurate.
• Run automated tests.

Proposed resolution

Updated Underscore.js from 1.13.7 to 1.13.8 to address CVE-2026-27601 (Denial of Service vulnerability related to uncontrolled recursion in .flatten and .isEqual).

Attached file: gmv-core-underscore-1.13.8.patch (113.72 KB), uploaded by alfaro

Issue fork drupal-3578028


Comments

alfaro created an issue. See original summary.

cilefen

Version: 10.5.x-dev » main
Status: Active » Needs work
Issue tags: -Update Underscore.js to the latest version +Needs merge request

longwave made their first commit to this issue’s fork.

longwave

Status: Needs work » Needs review
Issue tags: -Needs merge request

MR is the result of:

cd core
yarn add -D underscore
yarn vendor-update

smustgrave

Status: Needs review » Reviewed & tested by the community

LGTM, since it’s a patch release I don’t see anything that broke.

quietone

Title: Drupal core currently includes Underscore.js 1.13.7, which is affected by CVE-2026-27601 » Update underscore.js to 1.13.8

  • catch committed d6d3621d on main
    task: #3578028 Update underscore.js to 1.13.8
    
    By: alfaro
    By: longwave
    

  • catch committed a0e1b4ec on 11.3.x
    task: #3578028 Update underscore.js to 1.13.8
    
    By: alfaro
    By: longwave
    (...

  • catch committed 8bc541e2 on 11.x
    task: #3578028 Update underscore.js to 1.13.8
    
    By: alfaro
    By: longwave
    (...
catch

Version: main » 11.3.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed to main, 11.x, and 11.3.x, thanks!


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.