Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-5HP8-35WJ-M525

Vulnerability from github – Published: 2021-08-25 20:44 – Updated: 2021-08-19 21:23
VLAI
Summary
Uncontrolled recursion in ammonia
Details

An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ammonia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-15542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:23:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
  "id": "GHSA-5hp8-35wj-m525",
  "modified": "2021-08-19T21:23:38Z",
  "published": "2021-08-25T20:44:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15542"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rust-ammonia/ammonia"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled recursion in ammonia"
}

GHSA-5JG4-P4QW-CGFR

Vulnerability from github – Published: 2026-04-04 05:33 – Updated: 2026-04-07 14:22
VLAI
Summary
@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags
Details

Summary

@stablelib/cbor decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with RangeError: Maximum call stack size exceeded.

Details

The decoder processes arrays, maps, and tagged values through recursive calls. Each nested container causes another descent into _decodeValue() until a leaf value is reached.

There is no depth limit, no iterative fallback, and no protection against pathological nesting. An attacker can therefore supply a payload made of thousands of nested arrays, maps, or tags and force the decoder to recurse until the JavaScript call stack is exhausted.

PoC

import { decode } from "@stablelib/cbor";

const depth = 12000;
const payload = new Uint8Array(depth + 1);

// Build [[[...[null]...]]]
payload.fill(0x81, 0, depth); // array(1)
payload[depth] = 0xf6;        // null

decode(payload);
// RangeError: Maximum call stack size exceeded

Impact

Any application that decodes attacker-controlled CBOR can be forced into a reliable denial of service with a single crafted payload.

The immediate result is an exception during decoding. In services that do not catch that exception safely, the request fails and the worker or process handling the decode may terminate.

Solution

Upgrade to version 2.0.4. The stack is limited to 128 by default, but can be configured using the maxDepth option. Catch the CBORMaxDepthExceededError exception.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@stablelib/cbor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T05:33:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`@stablelib/cbor` decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with `RangeError: Maximum call stack size exceeded`.\n\n### Details\n\nThe decoder processes arrays, maps, and tagged values through recursive calls. Each nested container causes another descent into `_decodeValue()` until a leaf value is reached.\n\nThere is no depth limit, no iterative fallback, and no protection against pathological nesting. An attacker can therefore supply a payload made of thousands of nested arrays, maps, or tags and force the decoder to recurse until the JavaScript call stack is exhausted.\n\n### PoC\n\n```js\nimport { decode } from \"@stablelib/cbor\";\n\nconst depth = 12000;\nconst payload = new Uint8Array(depth + 1);\n\n// Build [[[...[null]...]]]\npayload.fill(0x81, 0, depth); // array(1)\npayload[depth] = 0xf6;        // null\n\ndecode(payload);\n// RangeError: Maximum call stack size exceeded\n```\n\n### Impact\n\nAny application that decodes attacker-controlled CBOR can be forced into a reliable denial of service with a single crafted payload.\n\nThe immediate result is an exception during decoding. In services that do not catch that exception safely, the request fails and the worker or process handling the decode may terminate.\n\n\n### Solution\n\nUpgrade to version 2.0.4. The stack is limited to 128 by default, but can be configured using the `maxDepth` option. Catch the `CBORMaxDepthExceededError` exception.",
  "id": "GHSA-5jg4-p4qw-cgfr",
  "modified": "2026-04-07T14:22:35Z",
  "published": "2026-04-04T05:33:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StableLib/stablelib/security/advisories/GHSA-5jg4-p4qw-cgfr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StableLib/stablelib/commit/0149e18d9d4736e22c257744ca945ebce7899a01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StableLib/stablelib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags"
}

GHSA-5RM8-9376-7GG5

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-20T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.",
  "id": "GHSA-5rm8-9376-7gg5",
  "modified": "2022-05-24T19:02:50Z",
  "published": "2022-05-24T19:02:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27432"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5VR3-7G3C-X85Q

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-08T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc.",
  "id": "GHSA-5vr3-7g3c-x85q",
  "modified": "2022-05-13T01:21:58Z",
  "published": "2022-05-13T01:21:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11026"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/poppler/poppler/issues/752"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5JWQE2WP4W4F2FEYPYJQBPQIOG75MVH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGYLZZ4DZUDBQEGCNDWSZPSFNNZJF4S6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWWVIYFXM74KJFIDHP4W67HR4FRF2LDE"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/1508"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WFC-HJRC-GQ87

Vulnerability from github – Published: 2023-06-14 15:30 – Updated: 2026-05-20 22:35
VLAI
Summary
hjson stack exhaustion vulnerability
Details

An issue was discovered hjson through 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.hjson:hjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laktak/hjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hjson/hjson-go/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-14T20:38:48Z",
    "nvd_published_at": "2023-06-14T14:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered hjson through 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.",
  "id": "GHSA-5wfc-hjrc-gq87",
  "modified": "2026-05-20T22:35:10Z",
  "published": "2023-06-14T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-java/issues/24"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-cpp/pull/54"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-go/pull/67"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-php/pull/45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-go/commit/326599cebc6ef759892f473bf1439b98466a99fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hjson/hjson-php/commit/2d1b8b4b158a8d841f3a228f267c7cd84fe5a4fa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "hjson stack exhaustion vulnerability"
}

GHSA-5X5Q-8CGM-2HJQ

Vulnerability from github – Published: 2023-03-31 22:44 – Updated: 2025-01-07 15:11
VLAI
Summary
Karate has vulnerable dependency on json-smart package (CVE-2023-1370)
Details

Summary

The CVE image

How to fix it

Very simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.intuit.karate:karate-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.1"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.1"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-31T22:44:09Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nThe CVE \n![image](https://user-images.githubusercontent.com/2663049/229081854-1155c041-56fa-48ca-a7ff-f2f085b845fd.png)\n\n\n### How to fix it\nVery simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)\n",
  "id": "GHSA-5x5q-8cgm-2hjq",
  "modified": "2025-01-07T15:11:49Z",
  "published": "2023-03-31T22:44:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/karatelabs/karate/security/advisories/GHSA-5x5q-8cgm-2hjq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/karatelabs/karate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Karate has vulnerable dependency on json-smart package (CVE-2023-1370)"
}

GHSA-5XM5-V2QV-9J5R

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-12-21 15:30
VLAI
Details

A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in PdfNamesTree::AddToDictionary function in src/podofo/doc/PdfNamesTree.cpp can lead to a stack overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in PdfNamesTree::AddToDictionary function in src/podofo/doc/PdfNamesTree.cpp can lead to a stack overflow.",
  "id": "GHSA-5xm5-v2qv-9j5r",
  "modified": "2022-12-21T15:30:16Z",
  "published": "2022-05-24T19:03:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30471"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947441"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XQW-8HWV-WG92

Vulnerability from github – Published: 2025-04-10 13:48 – Updated: 2025-04-10 13:48
VLAI
Summary
Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow
Details

A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.

Impact

A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.

Patches

This issue has been resolved in Helm v3.17.3.

Workarounds

Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "helm.sh/helm/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T13:48:31Z",
    "nvd_published_at": "2025-04-09T23:15:37Z",
    "severity": "MODERATE"
  },
  "details": "A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.\n\n### Impact\nA JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. \n\n### Patches\nThis issue has been resolved in Helm v3.17.3.\n\n### Workarounds\nEnsure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.\n\n### For more information\nHelm\u0027s security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\nDisclosed by Jakub Ciolek at AlphaSense.",
  "id": "GHSA-5xqw-8hwv-wg92",
  "modified": "2025-04-10T13:48:31Z",
  "published": "2025-04-10T13:48:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/security/advisories/GHSA-5xqw-8hwv-wg92"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32387"
    },
    {
      "type": "WEB",
      "url": "https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/helm/helm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow"
}

GHSA-62HF-57XW-28J9

Vulnerability from github – Published: 2026-05-05 00:34 – Updated: 2026-06-08 15:54
VLAI
Summary
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Details

Summary

toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.

Details

lib/helpers/toFormData.js:210 defines an inner build(value, path) that recurses into every object/array child (line 225: build(el, path ? path.concat(key) : [key])). The only safeguard is a stack array used to detect circular references; there is no maximum depth and no try/catch around the recursion. Because build calls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8's call stack.

toFormData is the serializer behind FormData request bodies and AxiosURLSearchParams (used by buildURL when params is an object with URLSearchParams unavailable, see lib/helpers/buildURL.js:53 and lib/helpers/AxiosURLSearchParams.js:36). Any server-side code that forwards a client-supplied object into axios({ data, params }) therefore reaches the recursive walker with attacker-controlled depth.

The RangeError is thrown synchronously from inside forEach, escapes toFormData, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.

PoC

import toFormData from 'axios/lib/helpers/toFormData.js';
import FormData from 'form-data';

function nest(depth) {
  let o = { leaf: 1 };
  for (let i = 0; i < depth; i++) o = { a: o };
  return o;
}

try {
  toFormData(nest(2500), new FormData());
} catch (e) {
  console.log(e.name + ': ' + e.message);
}
// RangeError: Maximum call stack size exceeded

Server-side reachability example:

// vulnerable proxy pattern
app.post('/forward', async (req, res) => {
  await axios.post('https://upstream/api', req.body); // req.body user-controlled
  res.send('ok');
});
// attacker POST /forward with {"a":{"a":{"a":... 2500 deep ...}}}
// -> toFormData build() overflows -> request handler crashes

Verified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.

Impact

A remote, unauthenticated attacker who can influence an object passed to axios as request data or params triggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth in toFormData's build function (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42039"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T00:34:32Z",
    "nvd_published_at": "2026-04-24T18:16:30Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\ntoFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.\n\n### Details\nlib/helpers/toFormData.js:210 defines an inner `build(value, path)` that recurses into every object/array child (line 225: `build(el, path ? path.concat(key) : [key])`). The only safeguard is a `stack` array used to detect circular references; there is no maximum depth and no try/catch around the recursion. Because `build` calls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8\u0027s call stack.\n\n`toFormData` is the serializer behind `FormData` request bodies and `AxiosURLSearchParams` (used by `buildURL` when `params` is an object with `URLSearchParams` unavailable, see `lib/helpers/buildURL.js:53` and `lib/helpers/AxiosURLSearchParams.js:36`). Any server-side code that forwards a client-supplied object into `axios({ data, params })` therefore reaches the recursive walker with attacker-controlled depth.\n\nThe RangeError is thrown synchronously from inside `forEach`, escapes `toFormData`, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.\n\n### PoC\n```js\nimport toFormData from \u0027axios/lib/helpers/toFormData.js\u0027;\nimport FormData from \u0027form-data\u0027;\n\nfunction nest(depth) {\n  let o = { leaf: 1 };\n  for (let i = 0; i \u003c depth; i++) o = { a: o };\n  return o;\n}\n\ntry {\n  toFormData(nest(2500), new FormData());\n} catch (e) {\n  console.log(e.name + \u0027: \u0027 + e.message);\n}\n// RangeError: Maximum call stack size exceeded\n```\n\nServer-side reachability example:\n```js\n// vulnerable proxy pattern\napp.post(\u0027/forward\u0027, async (req, res) =\u003e {\n  await axios.post(\u0027https://upstream/api\u0027, req.body); // req.body user-controlled\n  res.send(\u0027ok\u0027);\n});\n// attacker POST /forward with {\"a\":{\"a\":{\"a\":... 2500 deep ...}}}\n// -\u003e toFormData build() overflows -\u003e request handler crashes\n```\n\nVerified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.\n\n### Impact\nA remote, unauthenticated attacker who can influence an object passed to axios as request `data` or `params` triggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth in `toFormData`\u0027s `build` function (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.",
  "id": "GHSA-62hf-57xw-28j9",
  "modified": "2026-06-08T15:54:28Z",
  "published": "2026-05-05T00:34:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/85132ffba1a77609ea5d101c8a413dea7174932f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.15.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"
}

GHSA-62QF-JCQ8-8GXW

Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-05-01 11:08
VLAI
Summary
Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.

Original Description

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sqlparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T11:08:47Z",
    "nvd_published_at": "2024-04-30T15:15:53Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.\n\n## Original Description\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.",
  "id": "GHSA-62qf-jcq8-8gxw",
  "modified": "2024-05-01T11:08:47Z",
  "published": "2024-04-30T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2m57-hf25-phgg"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service",
  "withdrawn": "2024-05-01T11:08:47Z"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.