GHSA-3W5P-95MH-GQ75

Vulnerability from github – Published: 2026-06-18 13:05 – Updated: 2026-06-18 13:05
VLAI
Summary
NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation
Details

Impact

A denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in the factorial calculation logic.

Applications that evaluate untrusted expressions using affected versions of NCalc may be vulnerable to resource exhaustion, potentially resulting in service disruption or application unresponsiveness.

This issue can be triggered with expressions such as:

99999999999999!
9223372036854775807!
1.5e16!

Patches

The vulnerability has been fixed by adding bounds validation for factorial operands and rejecting unsupported values before evaluation.

Users should upgrade to the first release containing the fix from pull request #575. (v6.1.1+)

Workarounds

If upgrading is not immediately possible:

  • Do not evaluate expressions originating from untrusted users.
  • Validate or sanitize expressions before evaluation and reject factorial operations on large values.
  • Implement execution time limits, request timeouts, or cancellation mechanisms around expression evaluation.

These mitigations may reduce exposure but do not fully address the underlying vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "NCalc.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "NCalcSync"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:05:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in the factorial calculation logic.\n\nApplications that evaluate untrusted expressions using affected versions of NCalc may be vulnerable to resource exhaustion, potentially resulting in service disruption or application unresponsiveness.\n\nThis issue can be triggered with expressions such as:\n\n```text\n99999999999999!\n9223372036854775807!\n1.5e16!\n```\n\n### Patches\n\nThe vulnerability has been fixed by adding bounds validation for factorial operands and rejecting unsupported values before evaluation.\n\nUsers should upgrade to the first release containing the fix from pull request #575. (**v6.1.1+**)\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n* Do not evaluate expressions originating from untrusted users.\n* Validate or sanitize expressions before evaluation and reject factorial operations on large values.\n* Implement execution time limits, request timeouts, or cancellation mechanisms around expression evaluation.\n\nThese mitigations may reduce exposure but do not fully address the underlying vulnerability.",
  "id": "GHSA-3w5p-95mh-gq75",
  "modified": "2026-06-18T13:05:37Z",
  "published": "2026-06-18T13:05:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ncalc/ncalc/security/advisories/GHSA-3w5p-95mh-gq75"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ncalc/ncalc/pull/575"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ncalc/ncalc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…