aardappel Lobster Uncontrolled Recursion Vulnerability in TypeName Function

Vulnerability

A stack overflow vulnerability due to uncontrolled recursion has been identified in aardappel Lobster versions through 2025.4. The issue arises in the TypeName function within the file dev/src/lobster/idents.h. This vulnerability can be exploited locally, leading to a crash of the Lobster compiler. The problem has been publicly disclosed and can be reproduced by building Lobster with release optimization and AddressSanitizer enabled, then running the compiler with a specific input file that triggers the recursion.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to a crash of the Lobster compiler. This behavior is consistent with the characteristics of uncontrolled recursion, where the lack of proper limits on recursive function calls consumes excessive stack space, ultimately causing the program to run out of resources and fail.
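The advisory describes the failure class only at a high level: a recursive type-name printer that descends into nested or self-referential types without a bound. The following is an added, self-contained illustration of that pattern and of the usual fix, written for this page; it is not Lobster's TypeName code, and the `Type` struct, the `TypeNameUnbounded`/`TypeNameBounded` names, the `@cycle`/`@depth` markers and the depth budget of 32 are all hypothetical choices made here. The bounded version carries the current recursion path (to recognise a cycle) and a depth cap (to stop very deep but acyclic nesting), so that malformed input yields a truncated string instead of exhausting the stack.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical type representation (constructed for this example, not
// Lobster's): a name plus nested type arguments. A recursive type
// definition can make this graph cyclic.
struct Type {
    std::string name;               // e.g. "int", "vector", "Node"
    std::vector<const Type*> args;  // nested types; empty for primitives
};

// Unbounded recursive printer: the shape of code that overflows the stack
// when the type graph is cyclic or nested deeper than the stack allows.
std::string TypeNameUnbounded(const Type* t) {
    std::string s = t->name;
    if (t->args.empty()) return s;
    s += "<";
    for (size_t i = 0; i < t->args.size(); ++i) {
        if (i) s += ", ";
        s += TypeNameUnbounded(t->args[i]);
    }
    return s + ">";
}

// Hardened printer. `path` holds the types currently being expanded, so a
// type seen again on the same path is a cycle; `max_depth` bounds recursion
// for acyclic but very deep nesting. Both are assumptions of this example.
const size_t kDefaultMaxDepth = 32;

static std::string TypeNameImpl(const Type* t, std::vector<const Type*>& path,
                                size_t max_depth) {
    if (path.size() >= max_depth) return "@depth";
    if (std::find(path.begin(), path.end(), t) != path.end()) return "@cycle";
    std::string s = t->name;
    if (t->args.empty()) return s;
    path.push_back(t);
    s += "<";
    for (size_t i = 0; i < t->args.size(); ++i) {
        if (i) s += ", ";
        s += TypeNameImpl(t->args[i], path, max_depth);
    }
    path.pop_back();
    return s + ">";
}

std::string TypeNameBounded(const Type* t, size_t max_depth = kDefaultMaxDepth) {
    std::vector<const Type*> path;
    return TypeNameImpl(t, path, max_depth);
}

// Constructed inputs exercising the three cases.

// vector<int>: both printers agree on well-formed input.
std::string DemoAcyclic(bool bounded) {
    Type int_t{"int", {}};
    Type vec_t{"vector", {&int_t}};
    return bounded ? TypeNameBounded(&vec_t) : TypeNameUnbounded(&vec_t);
}

// A type whose argument is itself: infinite expansion by construction.
// Only the bounded printer may be called on this.
std::string DemoCyclic() {
    Type node{"Node", {}};
    node.args.push_back(&node);
    return TypeNameBounded(&node);  // "Node<@cycle>"
}

// 100 levels of vector<vector<...>>: acyclic, but deeper than the budget.
std::string DemoDeepNesting() {
    std::vector<Type> types(101);  // fixed size, so element addresses are stable
    types[0] = Type{"int", {}};
    for (size_t i = 1; i < types.size(); ++i) {
        types[i] = Type{"vector", {&types[i - 1]}};
    }
    return TypeNameBounded(&types[100]);  // 32 "vector<" prefixes, then "@depth"
}
```

The depth cap alone would also stop the cyclic case, but the path check reports it as what it is, which is more useful in a compiler diagnostic than an arbitrary truncation.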

Reproduction

To reproduce this vulnerability, build Lobster with release optimization and AddressSanitizer enabled. After building the compiler, run it with the input file 'repro.lobster', which is available in the oneafter/0204 repository on GitHub. The AddressSanitizer will report a stack overflow error, indicating that the recursion issue has been successfully triggered.

Remediation

Upgrading to Lobster version 2026.1 addresses this vulnerability. The updated version can be downloaded from the Lobster GitHub releases page.

Added: Feb 21, 2026, 9:19 PM
Updated: Feb 21, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.