Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
"}],"value":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-346","description":"CWE-346 Origin Validation Error","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-22","description":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-113","description":"CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-05T07:45:35.699Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Thrift: Node.js web_server.js multi-vulnerability","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2026-43870","datePublished":"2026-05-05T07:45:35.699Z","dateReserved":"2026-05-04T14:24:45.315Z","dateUpdated":"2026-05-05T08:49:35.528Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 09:16:04","lastModifiedDate":"2026-05-05 10:16:22","problem_types":["CWE-22","CWE-113","CWE-346","CWE-400","CWE-346 CWE-346 Origin Validation Error","CWE-22 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-113 CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","CWE-400 CWE-400 Uncontrolled Resource Consumption"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43870","Ordinal":"1","Title":"Apache Thrift: Node.js web_server.js multi-vulnerability","CVE":"CVE-2026-43870","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43870","Ordinal":"1","NoteData":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.","Type":"Description","Title":"Apache Thrift: Node.js web_server.js multi-vulnerability"}]}}}