CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
CVE-2018-25282 (GCVE-0-2018-25282)
Vulnerability from cvelistv5 – Published: 2026-04-26 13:19 – Updated: 2026-04-27 14:04- CWE-674 - Uncontrolled Recursion
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/45357 | exploit |
| https://nmap.org/dist/nmap-7.70-setup.exe | product |
| https://www.vulncheck.com/advisories/nmap-denial-… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25282",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T14:04:28.643420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T14:04:40.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ZenMap",
"vendor": "ZenMap",
"versions": [
{
"status": "affected",
"version": "7.70"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gionathan \"John\" Reale"
}
],
"datePublic": "2018-09-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap\u0027s scan import functionality to cause the program to consume excessive system resources and crash."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-26T13:19:14.211Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-45357",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/45357"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://nmap.org/dist/nmap-7.70-setup.exe"
},
{
"name": "VulnCheck Advisory: Nmap 7.70 Denial of Service via XML Entity Expansion",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/nmap-denial-of-service-via-xml-entity-expansion"
}
],
"title": "Nmap 7.70 Denial of Service via XML Entity Expansion",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25282",
"datePublished": "2026-04-26T13:19:14.211Z",
"dateReserved": "2026-04-26T13:02:34.328Z",
"dateUpdated": "2026-04-27T14:04:40.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2017-7515 (GCVE-0-2017-7515)
Vulnerability from cvelistv5 – Published: 2017-06-06 14:00 – Updated: 2024-08-05 16:04| URL | Tags |
|---|---|
| https://bugs.freedesktop.org/show_bug.cgi?id=101208 | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat, Inc. | poppler |
Affected:
through 0.55.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:04:11.824Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.freedesktop.org/show_bug.cgi?id=101208"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "poppler",
"vendor": "Red Hat, Inc.",
"versions": [
{
"status": "affected",
"version": "through 0.55.0"
}
]
}
],
"datePublic": "2017-05-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-06T19:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.freedesktop.org/show_bug.cgi?id=101208"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2017-7515",
"datePublished": "2017-06-06T14:00:00.000Z",
"dateReserved": "2017-04-05T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:04:11.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-0886 (GCVE-0-2017-0886)
Vulnerability from cvelistv5 – Published: 2017-04-05 20:00 – Updated: 2024-08-05 13:18- CWE-674 - Uncontrolled Recursion (CWE-674)
| URL | Tags |
|---|---|
| https://nextcloud.com/security/advisory/?id=nc-sa… | x_refsource_CONFIRM |
| https://hackerone.com/reports/174524 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Nextcloud | Nextcloud Server |
Affected:
All versions before 9.0.55 and 10.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:18:06.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-004"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/174524"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Nextcloud Server",
"vendor": "Nextcloud",
"versions": [
{
"status": "affected",
"version": "All versions before 9.0.55 and 10.0.2"
}
]
}
],
"datePublic": "2017-02-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "Uncontrolled Recursion (CWE-674)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-05T19:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-004"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/174524"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2017-0886",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Nextcloud Server",
"version": {
"version_data": [
{
"version_value": "All versions before 9.0.55 and 10.0.2"
}
]
}
}
]
},
"vendor_name": "Nextcloud"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Uncontrolled Recursion (CWE-674)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-004",
"refsource": "CONFIRM",
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-004"
},
{
"name": "https://hackerone.com/reports/174524",
"refsource": "MISC",
"url": "https://hackerone.com/reports/174524"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0886",
"datePublished": "2017-04-05T20:00:00.000Z",
"dateReserved": "2016-11-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T13:18:06.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9597 (GCVE-0-2016-9597)
Vulnerability from cvelistv5 – Published: 2018-07-30 14:00 – Updated: 2024-08-06 02:59| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/98567 | vdb-entryx_refsource_BID |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:59:03.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "98567",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98567"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9597"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libxml2",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2016-12-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-31T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "98567",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98567"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9597"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-9597",
"datePublished": "2018-07-30T14:00:00.000Z",
"dateReserved": "2016-11-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T02:59:03.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-22P3-QRH9-CX32
Vulnerability from github – Published: 2022-06-29 21:51 – Updated: 2024-09-30 20:29Impact
URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether.
It is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for. Remote users are not able to exploit this directly, because the URL preview endpoint is authenticated.
Am I affected?
- deployments with
url_preview_enabled: falseset in configuration are not affected. - deployments with
url_preview_enabled: trueset in configuration are affected. - deployments with no configuration value set for
url_preview_enabledare not affected, because the default isfalse.
Patches
Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher.
Workarounds
- URL previews can be disabled in the configuration file by setting
url_preview_enabled: false. - Deployments using workers can choose to offload URL previews to one or more dedicated worker(s), ensuring that a process crash does not disrupt other functionality of Synapse.
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "matrix-synapse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.61.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31052"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T21:51:23Z",
"nvd_published_at": "2022-06-28T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nURL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion.\nThis is sometimes recoverable and leads to an error for the request causing the problem, but in other cases the Synapse process may crash altogether.\n\nIt is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user\u0027s client may automatically request a URL preview for.\nRemote users are not able to exploit this directly, because [the URL preview endpoint is authenticated](https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url).\n\n### Am I affected?\n\n* deployments with `url_preview_enabled: false` set in configuration are not affected.\n* deployments with `url_preview_enabled: true` set in configuration **are** affected.\n* deployments with no configuration value set for `url_preview_enabled` are not affected, because the default is `false`.\n\n### Patches\n\nAdministrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher.\n\n### Workarounds\n\n* URL previews can be disabled in the configuration file by setting `url_preview_enabled: false`.\n* Deployments using workers can choose to offload URL previews to one or more dedicated worker(s), ensuring that a process crash does not disrupt other functionality of Synapse.\n\n### For more information\n\nIf you have any questions or comments about this advisory, e-mail us at [security@matrix.org](mailto:security@matrix.org).\n",
"id": "GHSA-22p3-qrh9-cx32",
"modified": "2024-09-30T20:29:11Z",
"published": "2022-06-29T21:51:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31052"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/synapse"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2022-224.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7EARKKJZ2W7WUITFDT4EG4NVATFYJQHF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGSDQ4YAITCUACAB7SXQZDJIU3IQ4CJD"
},
{
"type": "WEB",
"url": "https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths"
}
GHSA-23H9-M55M-C5JP
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2023-10-25 23:16Jenkins Token Macro Plugin recursively applied token expansion.
This could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.
Most tokens have been changed to no longer recursively apply token expansion.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:token-macro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-1003011"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-25T23:16:02Z",
"nvd_published_at": "2019-02-06T16:29:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Token Macro Plugin recursively applied token expansion.\n\nThis could be used by users able to affect input to token expansion (such as change log messages), to inject additional tokens into the input, which would then be expanded, resulting in information disclosure (for example values of environment variables), or denial of service.\n\nMost tokens have been changed to no longer recursively apply token expansion.",
"id": "GHSA-23h9-m55m-c5jp",
"modified": "2023-10-25T23:16:02Z",
"published": "2022-05-13T01:15:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1003011"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/token-macro-plugin/commit/70163600031ea8d43833e6eea928f8fa2e44f96a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:0326"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:0327"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1102"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Token Macro Plugin\u0027s recursive token expansion results in information disclosure and DoS"
}
GHSA-23X2-XQXM-PXWJ
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-08-22 00:00libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.
{
"affected": [],
"aliases": [
"CVE-2020-12825"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.",
"id": "GHSA-23x2-xqxm-pxwj",
"modified": "2022-08-22T00:00:58Z",
"published": "2022-05-24T17:17:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12825"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libcroco/-/issues/8"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-33"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/08/13/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/08/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-247X-2F9F-5WP7
Vulnerability from github – Published: 2022-02-09 23:30 – Updated: 2024-11-13 22:14Impact
The GraphDef format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a GraphDef containing a fragment such as the following can be consumed when loading a SavedModel:
library {
function {
signature {
name: "SomeOp"
description: "Self recursive op"
}
node_def {
name: "1"
op: "SomeOp"
}
node_def {
name: "2"
op: "SomeOp"
}
}
}
This would result in a stack overflow during execution as resolving each NodeDef means resolving the function itself and its nodes.
Patches
We have patched the issue in GitHub commit 448a16182065bd08a202d9057dd8ca541e67996c.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23591"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T18:23:58Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when loading a `SavedModel`:\n\n```\n library {\n function {\n signature {\n name: \"SomeOp\"\n description: \"Self recursive op\"\n }\n node_def {\n name: \"1\"\n op: \"SomeOp\"\n }\n node_def {\n name: \"2\"\n op: \"SomeOp\"\n }\n }\n } \n```\n\nThis would result in a stack overflow during execution as resolving each `NodeDef` means resolving the function itself and its nodes.\n\n### Patches\nWe have patched the issue in GitHub commit [448a16182065bd08a202d9057dd8ca541e67996c](https://github.com/tensorflow/tensorflow/commit/448a16182065bd08a202d9057dd8ca541e67996c).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-247x-2f9f-5wp7",
"modified": "2024-11-13T22:14:32Z",
"published": "2022-02-09T23:30:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-247x-2f9f-5wp7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23591"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/448a16182065bd08a202d9057dd8ca541e67996c"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-100.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-155.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Stack overflow in TensorFlow"
}
GHSA-24F8-4R56-7793
Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2025-04-20 03:38libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.
{
"affected": [],
"aliases": [
"CVE-2017-9438"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-05T17:29:00Z",
"severity": "HIGH"
},
"details": "libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.",
"id": "GHSA-24f8-4r56-7793",
"modified": "2025-04-20T03:38:30Z",
"published": "2022-05-13T01:10:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9438"
},
{
"type": "WEB",
"url": "https://github.com/VirusTotal/yara/issues/674"
},
{
"type": "WEB",
"url": "https://github.com/VirusTotal/yara/commit/10e8bd3071677dd1fa76beeef4bc2fc427cea5e7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKNXSH5ERG6NELTXCYVJLUPJJJ2TNEBD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXM224OLGI6KAOROLDPPGGCZ2OQVQ6HH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKNXSH5ERG6NELTXCYVJLUPJJJ2TNEBD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXM224OLGI6KAOROLDPPGGCZ2OQVQ6HH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-24WQ-6X4V-Q3FV
Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-07-08 06:31In the Linux kernel, the following vulnerability has been resolved:
arm64: Reserve an extra page for early kernel mapping
The final part of [data, end) segment may overflow into the next page of init_pg_end[1] which is the gap page before early_init_stack[2]:
[1] crash_arm64_v9.0.1> vtop ffffffed00601000 VIRTUAL PHYSICAL ffffffed00601000 83401000
PAGE DIRECTORY: ffffffecffd62000 PGD: ffffffecffd62da0 => 10000000833fb003 PMD: ffffff80033fb018 => 10000000833fe003 PTE: ffffff80033fe008 => 68000083401f03 PAGE: 83401000
PTE PHYSICAL FLAGS
68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)
PAGE PHYSICAL MAPPING INDEX CNT FLAGS
fffffffec00d0040 83401000 0 0 1 4000 reserved
[2] ffffffed002c8000 (r) __pi__data ffffffed0054e000 (d) __pibssstart ffffffed005f5000 (b) pi_init_pg_dir ffffffed005fe000 (b) __pi_init_pg_end ffffffed005ff000 (B) early_init_stack ffffffed00608000 (b) __pi__end
For 4K pages, the early kernel mapping may use 2MB block entries but the kernel segments are only 64KB aligned. Segment boundaries that fall within a 2MB block therefore require a PTE table so that different attributes can be applied on either side of the boundary.
KERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel VMAs registered by declare_kernel_vmas(). However, since commit 5973a62efa34 ("arm64: map [_text, _stext) virtual address range non-executable+read-only"), the early mapper also maps [_text, _stext) separately from [_stext, _etext). This adds one more early-only split and can require one more page-table page than the existing EARLY_SEGMENT_EXTRA_PAGES allowance reserves.
Increase the 4K-page early mapping allowance by one page to cover that additional split.
[catalin.marinas@arm.com: rewrote part of the commit log] [catalin.marinas@arm.com: expanded the code comment]
{
"affected": [],
"aliases": [
"CVE-2026-53288"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T20:17:21Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Reserve an extra page for early kernel mapping\n\nThe final part of [data, end) segment may overflow into the next page of\ninit_pg_end[1] which is the gap page before early_init_stack[2]:\n\n[1]\ncrash_arm64_v9.0.1\u003e vtop ffffffed00601000\nVIRTUAL PHYSICAL\nffffffed00601000 83401000\n\nPAGE DIRECTORY: ffffffecffd62000\n PGD: ffffffecffd62da0 =\u003e 10000000833fb003\n PMD: ffffff80033fb018 =\u003e 10000000833fe003\n PTE: ffffff80033fe008 =\u003e 68000083401f03\n PAGE: 83401000\n\n PTE PHYSICAL FLAGS\n68000083401f03 83401000 (VALID|SHARED|AF|NG|PXN|UXN)\n\n PAGE PHYSICAL MAPPING INDEX CNT FLAGS\nfffffffec00d0040 83401000 0 0 1 4000 reserved\n\n[2]\nffffffed002c8000 (r) __pi__data\nffffffed0054e000 (d) __pi___bss_start\nffffffed005f5000 (b) __pi_init_pg_dir\nffffffed005fe000 (b) __pi_init_pg_end\nffffffed005ff000 (B) early_init_stack\nffffffed00608000 (b) __pi__end\n\nFor 4K pages, the early kernel mapping may use 2MB block entries but the\nkernel segments are only 64KB aligned. Segment boundaries that fall\nwithin a 2MB block therefore require a PTE table so that different\nattributes can be applied on either side of the boundary.\n\nKERNEL_SEGMENT_COUNT still correctly counts the five permanent kernel\nVMAs registered by declare_kernel_vmas(). However, since commit\n5973a62efa34 (\"arm64: map [_text, _stext) virtual address range\nnon-executable+read-only\"), the early mapper also maps [_text, _stext)\nseparately from [_stext, _etext). This adds one more early-only split\nand can require one more page-table page than the existing\nEARLY_SEGMENT_EXTRA_PAGES allowance reserves.\n\nIncrease the 4K-page early mapping allowance by one page to cover that\nadditional split.\n\n[catalin.marinas@arm.com: rewrote part of the commit log]\n[catalin.marinas@arm.com: expanded the code comment]",
"id": "GHSA-24wq-6x4v-q3fv",
"modified": "2026-07-08T06:31:35Z",
"published": "2026-06-26T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53288"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d8e74ad4585672489da6145b3328d415f50db82"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9fe9e3acaa14921b0cf0d6cc2de5b562499bf721"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4ff33053da0a34b14abb5c96dc5a48379e26fce"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dcb89deed40ba55ff7020061712fdabf098cc2cc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.