CVE-2026-25727: time vulnerable to stack exhaustion Denial of Service attack
When user-provided input is passed to any type that parses the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely used features of the RFC 2822 format, used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.