CVE-2026-42355 — LOW (3.3) — White Hats Nepal

Q: How severe is CVE-2026-42355?

CVE-2026-42355 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-42355?

Check the references section above for vendor advisories and patch information. Affected products include: M2Team Nanazip.

Vulnerability Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's GetAllPaths function recurse without depth limits, exhausting the thread stack and crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

CVSS Score

3.3

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
M2Team	Nanazip	>= 5.0.1250.0, < 6.0.1698.0

Related Weaknesses (CWE)

CWE-674

References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-4gxf-p4q6-gfrfMitigationVendor Advisory

FAQ

What is CVE-2026-42355?

CVE-2026-42355 is a vulnerability with a CVSS score of 3.3 (LOW). NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .a...

How severe is CVE-2026-42355?

CVE-2026-42355 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-42355?

Check the references section above for vendor advisories and patch information. Affected products include: M2Team Nanazip.