CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-5HP8-35WJ-M525
Vulnerability from github – Published: 2021-08-25 20:44 – Updated: 2021-08-19 21:23An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ammonia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15542"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:23:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
"id": "GHSA-5hp8-35wj-m525",
"modified": "2021-08-19T21:23:38Z",
"published": "2021-08-25T20:44:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15542"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-ammonia/ammonia"
},
{
"type": "WEB",
"url": "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled recursion in ammonia"
}
GHSA-5JG4-P4QW-CGFR
Vulnerability from github – Published: 2026-04-04 05:33 – Updated: 2026-04-07 14:22Summary
@stablelib/cbor decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with RangeError: Maximum call stack size exceeded.
Details
The decoder processes arrays, maps, and tagged values through recursive calls. Each nested container causes another descent into _decodeValue() until a leaf value is reached.
There is no depth limit, no iterative fallback, and no protection against pathological nesting. An attacker can therefore supply a payload made of thousands of nested arrays, maps, or tags and force the decoder to recurse until the JavaScript call stack is exhausted.
PoC
import { decode } from "@stablelib/cbor";
const depth = 12000;
const payload = new Uint8Array(depth + 1);
// Build [[[...[null]...]]]
payload.fill(0x81, 0, depth); // array(1)
payload[depth] = 0xf6; // null
decode(payload);
// RangeError: Maximum call stack size exceeded
Impact
Any application that decodes attacker-controlled CBOR can be forced into a reliable denial of service with a single crafted payload.
The immediate result is an exception during decoding. In services that do not catch that exception safely, the request fails and the worker or process handling the decode may terminate.
Solution
Upgrade to version 2.0.4. The stack is limited to 128 by default, but can be configured using the maxDepth option. Catch the CBORMaxDepthExceededError exception.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@stablelib/cbor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T05:33:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`@stablelib/cbor` decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with `RangeError: Maximum call stack size exceeded`.\n\n### Details\n\nThe decoder processes arrays, maps, and tagged values through recursive calls. Each nested container causes another descent into `_decodeValue()` until a leaf value is reached.\n\nThere is no depth limit, no iterative fallback, and no protection against pathological nesting. An attacker can therefore supply a payload made of thousands of nested arrays, maps, or tags and force the decoder to recurse until the JavaScript call stack is exhausted.\n\n### PoC\n\n```js\nimport { decode } from \"@stablelib/cbor\";\n\nconst depth = 12000;\nconst payload = new Uint8Array(depth + 1);\n\n// Build [[[...[null]...]]]\npayload.fill(0x81, 0, depth); // array(1)\npayload[depth] = 0xf6; // null\n\ndecode(payload);\n// RangeError: Maximum call stack size exceeded\n```\n\n### Impact\n\nAny application that decodes attacker-controlled CBOR can be forced into a reliable denial of service with a single crafted payload.\n\nThe immediate result is an exception during decoding. In services that do not catch that exception safely, the request fails and the worker or process handling the decode may terminate.\n\n\n### Solution\n\nUpgrade to version 2.0.4. The stack is limited to 128 by default, but can be configured using the `maxDepth` option. Catch the `CBORMaxDepthExceededError` exception.",
"id": "GHSA-5jg4-p4qw-cgfr",
"modified": "2026-04-07T14:22:35Z",
"published": "2026-04-04T05:33:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/StableLib/stablelib/security/advisories/GHSA-5jg4-p4qw-cgfr"
},
{
"type": "WEB",
"url": "https://github.com/StableLib/stablelib/commit/0149e18d9d4736e22c257744ca945ebce7899a01"
},
{
"type": "PACKAGE",
"url": "https://github.com/StableLib/stablelib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags"
}
GHSA-5RM8-9376-7GG5
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2021-27432"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-20T16:15:00Z",
"severity": "HIGH"
},
"details": "OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC UA .NET Legacy are vulnerable to an uncontrolled recursion, which may allow an attacker to trigger a stack overflow.",
"id": "GHSA-5rm8-9376-7gg5",
"modified": "2022-05-24T19:02:50Z",
"published": "2022-05-24T19:02:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27432"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5VR3-7G3C-X85Q
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc.
{
"affected": [],
"aliases": [
"CVE-2019-11026"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-08T23:29:00Z",
"severity": "MODERATE"
},
"details": "FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc.",
"id": "GHSA-5vr3-7g3c-x85q",
"modified": "2022-05-13T01:21:58Z",
"published": "2022-05-13T01:21:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11026"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/poppler/poppler/issues/752"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5JWQE2WP4W4F2FEYPYJQBPQIOG75MVH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XGYLZZ4DZUDBQEGCNDWSZPSFNNZJF4S6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWWVIYFXM74KJFIDHP4W67HR4FRF2LDE"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/1508"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WFC-HJRC-GQ87
Vulnerability from github – Published: 2023-06-14 15:30 – Updated: 2026-05-20 22:35An issue was discovered hjson through 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.hjson:hjson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "laktak/hjson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hjson/hjson-go/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-34620"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-14T20:38:48Z",
"nvd_published_at": "2023-06-14T14:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered hjson through 3.0.0 allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.",
"id": "GHSA-5wfc-hjrc-gq87",
"modified": "2026-05-20T22:35:10Z",
"published": "2023-06-14T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34620"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-java/issues/24"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-cpp/pull/54"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-go/pull/67"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-php/pull/45"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-go/commit/326599cebc6ef759892f473bf1439b98466a99fa"
},
{
"type": "WEB",
"url": "https://github.com/hjson/hjson-php/commit/2d1b8b4b158a8d841f3a228f267c7cd84fe5a4fa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "hjson stack exhaustion vulnerability"
}
GHSA-5X5Q-8CGM-2HJQ
Vulnerability from github – Published: 2023-03-31 22:44 – Updated: 2025-01-07 15:11Summary
The CVE

How to fix it
Very simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.intuit.karate:karate-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.1"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.1"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-31T22:44:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe CVE \n\n\n\n### How to fix it\nVery simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)\n",
"id": "GHSA-5x5q-8cgm-2hjq",
"modified": "2025-01-07T15:11:49Z",
"published": "2023-03-31T22:44:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/karatelabs/karate/security/advisories/GHSA-5x5q-8cgm-2hjq"
},
{
"type": "WEB",
"url": "https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"type": "PACKAGE",
"url": "https://github.com/karatelabs/karate"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Karate has vulnerable dependency on json-smart package (CVE-2023-1370)"
}
GHSA-5XM5-V2QV-9J5R
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-12-21 15:30A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in PdfNamesTree::AddToDictionary function in src/podofo/doc/PdfNamesTree.cpp can lead to a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2021-30471"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T22:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in PdfNamesTree::AddToDictionary function in src/podofo/doc/PdfNamesTree.cpp can lead to a stack overflow.",
"id": "GHSA-5xm5-v2qv-9j5r",
"modified": "2022-12-21T15:30:16Z",
"published": "2022-05-24T19:03:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30471"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947441"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XQW-8HWV-WG92
Vulnerability from github – Published: 2025-04-10 13:48 – Updated: 2025-04-10 13:48A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.
Impact
A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.
Patches
This issue has been resolved in Helm v3.17.3.
Workarounds
Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.
For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "helm.sh/helm/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.17.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32387"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-10T13:48:31Z",
"nvd_published_at": "2025-04-09T23:15:37Z",
"severity": "MODERATE"
},
"details": "A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.\n\n### Impact\nA JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. \n\n### Patches\nThis issue has been resolved in Helm v3.17.3.\n\n### Workarounds\nEnsure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.\n\n### For more information\nHelm\u0027s security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\nDisclosed by Jakub Ciolek at AlphaSense.",
"id": "GHSA-5xqw-8hwv-wg92",
"modified": "2025-04-10T13:48:31Z",
"published": "2025-04-10T13:48:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/helm/helm/security/advisories/GHSA-5xqw-8hwv-wg92"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32387"
},
{
"type": "WEB",
"url": "https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7"
},
{
"type": "PACKAGE",
"url": "https://github.com/helm/helm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow"
}
GHSA-62HF-57XW-28J9
Vulnerability from github – Published: 2026-05-05 00:34 – Updated: 2026-06-08 15:54Summary
toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.
Details
lib/helpers/toFormData.js:210 defines an inner build(value, path) that recurses into every object/array child (line 225: build(el, path ? path.concat(key) : [key])). The only safeguard is a stack array used to detect circular references; there is no maximum depth and no try/catch around the recursion. Because build calls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8's call stack.
toFormData is the serializer behind FormData request bodies and AxiosURLSearchParams (used by buildURL when params is an object with URLSearchParams unavailable, see lib/helpers/buildURL.js:53 and lib/helpers/AxiosURLSearchParams.js:36). Any server-side code that forwards a client-supplied object into axios({ data, params }) therefore reaches the recursive walker with attacker-controlled depth.
The RangeError is thrown synchronously from inside forEach, escapes toFormData, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.
PoC
import toFormData from 'axios/lib/helpers/toFormData.js';
import FormData from 'form-data';
function nest(depth) {
let o = { leaf: 1 };
for (let i = 0; i < depth; i++) o = { a: o };
return o;
}
try {
toFormData(nest(2500), new FormData());
} catch (e) {
console.log(e.name + ': ' + e.message);
}
// RangeError: Maximum call stack size exceeded
Server-side reachability example:
// vulnerable proxy pattern
app.post('/forward', async (req, res) => {
await axios.post('https://upstream/api', req.body); // req.body user-controlled
res.send('ok');
});
// attacker POST /forward with {"a":{"a":{"a":... 2500 deep ...}}}
// -> toFormData build() overflows -> request handler crashes
Verified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.
Impact
A remote, unauthenticated attacker who can influence an object passed to axios as request data or params triggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth in toFormData's build function (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.15.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.31.0"
},
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42039"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T00:34:32Z",
"nvd_published_at": "2026-04-24T18:16:30Z",
"severity": "MODERATE"
},
"details": "### Summary\ntoFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.\n\n### Details\nlib/helpers/toFormData.js:210 defines an inner `build(value, path)` that recurses into every object/array child (line 225: `build(el, path ? path.concat(key) : [key])`). The only safeguard is a `stack` array used to detect circular references; there is no maximum depth and no try/catch around the recursion. Because `build` calls itself once per nesting level, a payload nested roughly 2000+ levels deep exhausts V8\u0027s call stack.\n\n`toFormData` is the serializer behind `FormData` request bodies and `AxiosURLSearchParams` (used by `buildURL` when `params` is an object with `URLSearchParams` unavailable, see `lib/helpers/buildURL.js:53` and `lib/helpers/AxiosURLSearchParams.js:36`). Any server-side code that forwards a client-supplied object into `axios({ data, params })` therefore reaches the recursive walker with attacker-controlled depth.\n\nThe RangeError is thrown synchronously from inside `forEach`, escapes `toFormData`, and propagates out of the axios request call. In typical Express/Fastify request handlers this terminates the running request; in synchronous startup paths or worker threads it can crash the whole process.\n\n### PoC\n```js\nimport toFormData from \u0027axios/lib/helpers/toFormData.js\u0027;\nimport FormData from \u0027form-data\u0027;\n\nfunction nest(depth) {\n let o = { leaf: 1 };\n for (let i = 0; i \u003c depth; i++) o = { a: o };\n return o;\n}\n\ntry {\n toFormData(nest(2500), new FormData());\n} catch (e) {\n console.log(e.name + \u0027: \u0027 + e.message);\n}\n// RangeError: Maximum call stack size exceeded\n```\n\nServer-side reachability example:\n```js\n// vulnerable proxy pattern\napp.post(\u0027/forward\u0027, async (req, res) =\u003e {\n await axios.post(\u0027https://upstream/api\u0027, req.body); // req.body user-controlled\n res.send(\u0027ok\u0027);\n});\n// attacker POST /forward with {\"a\":{\"a\":{\"a\":... 2500 deep ...}}}\n// -\u003e toFormData build() overflows -\u003e request handler crashes\n```\n\nVerified on axios 1.15.0 (latest, 2026-04-10), Node.js 20, 3/3 PoC runs reproduce the RangeError at depth 2500.\n\n### Impact\nA remote, unauthenticated attacker who can influence an object passed to axios as request `data` or `params` triggers an uncaught RangeError inside the synchronous recursive walker. In server-side applications that proxy or re-send client JSON through axios this crashes the request handler and, in worker/cluster setups, the process. Fix by bounding recursion depth in `toFormData`\u0027s `build` function (reject or throw on depths beyond a configurable limit, e.g. 100) or rewriting the walker iteratively.",
"id": "GHSA-62hf-57xw-28j9",
"modified": "2026-06-08T15:54:28Z",
"published": "2026-05-05T00:34:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/85132ffba1a77609ea5d101c8a413dea7174932f"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v1.15.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"
}
GHSA-62QF-JCQ8-8GXW
Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-05-01 11:08Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.
Original Description
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sqlparse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-01T11:08:47Z",
"nvd_published_at": "2024-04-30T15:15:53Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.\n\n## Original Description\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.",
"id": "GHSA-62qf-jcq8-8gxw",
"modified": "2024-05-01T11:08:47Z",
"published": "2024-04-30T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340"
},
{
"type": "WEB",
"url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2m57-hf25-phgg"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: sqlparse parsing heavily nested list leads to Denial of Service",
"withdrawn": "2024-05-01T11:08:47Z"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.