CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-RV9V-R4VM-GJ8X
Vulnerability from github – Published: 2024-08-19 03:30 – Updated: 2024-09-09 18:20The Miniscript (aka rust-miniscript) library for Rust allows stack consumption because it does not properly track tree depth.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "miniscript"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "miniscript"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "miniscript"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "miniscript"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-44073"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-770",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-19T18:25:09Z",
"nvd_published_at": "2024-08-19T03:15:03Z",
"severity": "MODERATE"
},
"details": "The Miniscript (aka rust-miniscript) library for Rust allows stack consumption because it does not properly track tree depth.",
"id": "GHSA-rv9v-r4vm-gj8x",
"modified": "2024-09-09T18:20:53Z",
"published": "2024-08-19T03:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44073"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/704"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/712"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/712/files"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/713/files"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/714/files"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/pull/715/files"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/commit/5b0f5e3417f027a22b066debf825dbe6644b575b"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/commit/8f54b5e3fb7129ed9fbed53f1cb9e6e62ea4c151"
},
{
"type": "WEB",
"url": "https://github.com/rust-bitcoin/rust-miniscript/compare/11.2.0...12.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Miniscript allows stack consumption"
}
GHSA-RVHP-MGHQ-8MVW
Vulnerability from github – Published: 2026-02-14 00:32 – Updated: 2026-02-18 15:31A Denial of Service (DoS) vulnerability was discovered in the TON Lite Server before v2024.09. The vulnerability arises from the handling of external arguments passed to locally executed "get methods." An attacker can inject a constructed Continuation object (an internal TVM type) that is normally restricted within the VM. When the TVM executes this malicious continuation, it consumes excessive CPU resources while accruing disproportionately low virtual gas costs. This "free" computation allows an attacker to monopolize the Lite Server's processing power, significantly reducing its throughput and causing a denial of service for legitimate users acting through the gateway.
{
"affected": [],
"aliases": [
"CVE-2025-70957"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T22:16:10Z",
"severity": "HIGH"
},
"details": "A Denial of Service (DoS) vulnerability was discovered in the TON Lite Server before v2024.09. The vulnerability arises from the handling of external arguments passed to locally executed \"get methods.\" An attacker can inject a constructed Continuation object (an internal TVM type) that is normally restricted within the VM. When the TVM executes this malicious continuation, it consumes excessive CPU resources while accruing disproportionately low virtual gas costs. This \"free\" computation allows an attacker to monopolize the Lite Server\u0027s processing power, significantly reducing its throughput and causing a denial of service for legitimate users acting through the gateway.",
"id": "GHSA-rvhp-mghq-8mvw",
"modified": "2026-02-18T15:31:24Z",
"published": "2026-02-14T00:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70957"
},
{
"type": "WEB",
"url": "https://github.com/ton-blockchain/ton/commit/e35b34de22109596a54d1357dcce92d63002ba95"
},
{
"type": "WEB",
"url": "https://gist.github.com/Lucian-code233/d2589ece39914195c0e307b4dee32185"
},
{
"type": "WEB",
"url": "https://mp.weixin.qq.com/s/KT4RKNey_mjU2kBWpGTjuw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVV3-G6HJ-G44X
Vulnerability from github – Published: 2026-03-13 20:57 – Updated: 2026-03-25 18:53Summary
AutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate.
Description
The vulnerability exists in the core mapping engine. When a source object contains a property of the same type (or a type that eventually points back to itself), AutoMapper recursively attempts to map each level.
Because there is no default limit on how many levels deep this recursion can go, a sufficiently nested object (approximately 25,000+ levels in standard .NET environments) will exceed the stack size. Since StackOverflowException cannot be caught in modern .NET runtimes, the application cannot recover and will crash immediately.
Impact
- Availability: An attacker can crash the application server, leading to a complete Denial of Service.
- Process Termination: Unlike standard exceptions, this terminates the entire process, not just the individual request thread.
Proof of Concept (PoC)
The following C# code demonstrates the crash by creating a nested "Circular" object graph and attempting to map it:
class Circular { public Circular Self { get; set; } }
// Setup configuration
var config = new MapperConfiguration(cfg => {
cfg.CreateMap<Circular, Circular>();
});
var mapper = config.CreateMapper();
// Create a deeply nested object (28,000+ levels)
var root = new Circular();
var current = root;
for (int i = 0; i < 30000; i++) {
current.Self = new Circular();
current = current.Self;
}
// This call triggers the StackOverflowException and crashes the process
mapper.Map<Circular>(root);
Recommended Mitigation
- Secure Defaults: Implement a default
MaxDepth(e.g., 32 or 64) for all mapping operations. - Configurable Limit: Allow users to increase this limit if necessary, but ensure it is enabled by default to protect unsuspecting developers.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "AutoMapper"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "AutoMapper"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "15.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32933"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:57:07Z",
"nvd_published_at": "2026-03-20T03:16:00Z",
"severity": "HIGH"
},
"details": "### Summary\n\nAutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread\u0027s stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate.\n\n### Description\n\nThe vulnerability exists in the core mapping engine. When a source object contains a property of the same type (or a type that eventually points back to itself), AutoMapper recursively attempts to map each level.\n\nBecause there is no default limit on how many levels deep this recursion can go, a sufficiently nested object (approximately 25,000+ levels in standard .NET environments) will exceed the stack size. Since `StackOverflowException` cannot be caught in modern .NET runtimes, the application cannot recover and will crash immediately.\n\n### Impact\n\n* **Availability:** An attacker can crash the application server, leading to a complete Denial of Service.\n* **Process Termination:** Unlike standard exceptions, this terminates the entire process, not just the individual request thread.\n\n### Proof of Concept (PoC)\n\nThe following C# code demonstrates the crash by creating a nested \"Circular\" object graph and attempting to map it:\n\n```csharp\nclass Circular { public Circular Self { get; set; } }\n\n// Setup configuration\nvar config = new MapperConfiguration(cfg =\u003e {\n cfg.CreateMap\u003cCircular, Circular\u003e();\n});\nvar mapper = config.CreateMapper();\n\n// Create a deeply nested object (28,000+ levels)\nvar root = new Circular();\nvar current = root;\nfor (int i = 0; i \u003c 30000; i++) {\n current.Self = new Circular();\n current = current.Self;\n}\n\n// This call triggers the StackOverflowException and crashes the process\nmapper.Map\u003cCircular\u003e(root);\n\n```\n\n### Recommended Mitigation\n\n1. **Secure Defaults:** Implement a default `MaxDepth` (e.g., 32 or 64) for all mapping operations.\n2. **Configurable Limit:** Allow users to increase this limit if necessary, but ensure it is enabled by default to protect unsuspecting developers.",
"id": "GHSA-rvv3-g6hj-g44x",
"modified": "2026-03-25T18:53:07Z",
"published": "2026-03-13T20:57:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32933"
},
{
"type": "WEB",
"url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816"
},
{
"type": "PACKAGE",
"url": "https://github.com/LuckyPennySoftware/AutoMapper"
},
{
"type": "WEB",
"url": "https://github.com/LuckyPennySoftware/AutoMapper/discussions/4624"
},
{
"type": "WEB",
"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1"
},
{
"type": "WEB",
"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion"
}
GHSA-RX25-RPPP-X99W
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix recvmsg() unconditional requeue
If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call - whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it.
The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns.
Fix this by only requeuing the call if it isn't already on the queue - and moving it to the front if it is already queued. If we don't queue it, we have to put the ref we obtained by dequeuing it.
Also, MSG_PEEK doesn't dequeue the call so shouldn't call rxrpc_notify_socket() for the call if we didn't use up all the data on the queue, so fix that also.
{
"affected": [],
"aliases": [
"CVE-2026-23066"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix recvmsg() unconditional requeue\n\nIf rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at\nthe front of the recvmsg queue already has its mutex locked, it requeues\nthe call - whether or not the call is already queued. The call may be on\nthe queue because MSG_PEEK was also passed and so the call was not dequeued\nor because the I/O thread requeued it.\n\nThe unconditional requeue may then corrupt the recvmsg queue, leading to\nthings like UAFs or refcount underruns.\n\nFix this by only requeuing the call if it isn\u0027t already on the queue - and\nmoving it to the front if it is already queued. If we don\u0027t queue it, we\nhave to put the ref we obtained by dequeuing it.\n\nAlso, MSG_PEEK doesn\u0027t dequeue the call so shouldn\u0027t call\nrxrpc_notify_socket() for the call if we didn\u0027t use up all the data on the\nqueue, so fix that also.",
"id": "GHSA-rx25-rppp-x99w",
"modified": "2026-06-01T18:31:22Z",
"published": "2026-02-04T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23066"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0464bf75590da75b8413c3e758c04647b4cdb3c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8fd3b5e297854a4da0f273169baf4b1b7b257b97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c198628f3fca5c874d93874c233014d336e09f64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6cebcb4e0b3140ec2ace45c020a9049527385d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf969bddd6e69c5777fa89dc88402204e72f312a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RXF6-323F-44FC
Vulnerability from github – Published: 2025-07-05 03:30 – Updated: 2025-08-01 19:17Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2gh3-rmm4-6rq5. This link is maintained to preserve external references.
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-07T21:59:34Z",
"nvd_published_at": "2025-07-05T01:15:28Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2gh3-rmm4-6rq5. This link is maintained to preserve external references.\n\n###\nThe protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.",
"id": "GHSA-rxf6-323f-44fc",
"modified": "2025-08-01T19:17:10Z",
"published": "2025-07-05T03:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53605"
},
{
"type": "WEB",
"url": "https://github.com/stepancheg/rust-protobuf/issues/749"
},
{
"type": "WEB",
"url": "https://github.com/stepancheg/rust-protobuf/commit/ee1d928785cff80cbdbedde29fbf5210654410f0"
},
{
"type": "WEB",
"url": "https://crates.io/crates/protobuf"
},
{
"type": "PACKAGE",
"url": "https://github.com/stepancheg/rust-protobuf"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0437"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: rust-protobuf crate is vulnerable to Uncontrolled Recursion, potentially leading to DoS",
"withdrawn": "2025-08-01T19:17:10Z"
}
GHSA-V3QX-X9JR-G987
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).
{
"affected": [],
"aliases": [
"CVE-2020-12243"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-28T19:15:00Z",
"severity": "HIGH"
},
"details": "In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash).",
"id": "GHSA-v3qx-x9jr-g987",
"modified": "2024-04-04T02:50:23Z",
"published": "2022-05-24T17:16:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12243"
},
{
"type": "WEB",
"url": "https://bugs.openldap.org/show_bug.cgi?id=9202"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGES"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00001.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200511-0003"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211289"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4352-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4352-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4666"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3RJ-XJV7-4JMQ
Vulnerability from github – Published: 2026-03-25 21:03 – Updated: 2026-03-25 21:03Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.
The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.
Proof of concept
require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')
Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.
Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.
As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.
Patches
Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.
Workarounds
Wrap all invocations of parse and stringify in a try/catch block when dealing with untrusted user input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "smol-toml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T21:03:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAn attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.\n\nThe library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.\n\n### Proof of concept\n```js\nrequire(\"smol-toml\").parse(\u0027# comment\\n\u0027.repeat(8000) + \u0027key = \"value\"\u0027)\n```\n\n### Impact\nApplications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.\n\nDue to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.\n\nAs a reminder, it is **strongly** advised when working with untrusted user input to expect errors to occur and to appropriately catch them.\n\n### Patches\nVersion 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.\n\n### Workarounds\nWrap all invocations of `parse` and `stringify` in a try/catch block when dealing with untrusted user input.",
"id": "GHSA-v3rj-xjv7-4jmq",
"modified": "2026-03-25T21:03:56Z",
"published": "2026-03-25T21:03:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-v3rj-xjv7-4jmq"
},
{
"type": "PACKAGE",
"url": "https://github.com/squirrelchat/smol-toml"
},
{
"type": "WEB",
"url": "https://github.com/squirrelchat/smol-toml/releases/tag/v1.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"
}
GHSA-V43P-PV9W-GQMF
Vulnerability from github – Published: 2026-02-21 21:30 – Updated: 2026-02-21 21:30A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2026-2887"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-21T21:16:11Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.",
"id": "GHSA-v43p-pv9w-gqmf",
"modified": "2026-02-21T21:30:27Z",
"published": "2026-02-21T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2887"
},
{
"type": "WEB",
"url": "https://github.com/aardappel/lobster/issues/397"
},
{
"type": "WEB",
"url": "https://github.com/aardappel/lobster/issues/397#issuecomment-3849015088"
},
{
"type": "WEB",
"url": "https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9f9aa6"
},
{
"type": "WEB",
"url": "https://github.com/aardappel/lobster"
},
{
"type": "WEB",
"url": "https://github.com/aardappel/lobster/releases/tag/v2026.1"
},
{
"type": "WEB",
"url": "https://github.com/oneafter/0204/blob/main/lob3/repro.lobster"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.347181"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.347181"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.755026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V5PM-XWQC-G5WC
Vulnerability from github – Published: 2026-06-30 15:56 – Updated: 2026-07-06 12:57Impact
A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths.
Affected versions
>= 2.0.0-preview.11, <= 2.7.4>= 3.0.0, <= 3.5.3
Patches
- For the 2.X major version, versions 2.7.5 and above are patched.
- For the 3.X major version, versions 3.5.4 and above are patched.
- For the 1.X major version, the issue does not apply since that version of the library could not resolve references that pointed to another reference.
Impact
Applications, CLIs, developer tools, or services that parse untrusted OpenAPI documents in-process may be terminated by a crafted OpenAPI document containing circular schema references.
The impact is availability/process termination only. This report does not claim remote code execution, authentication bypass, credential exposure, privilege escalation, data exposure, or Microsoft hosted service impact.
Details
A standalone isolated-process harness confirmed repeatable process termination through public OpenAPI.NET reader APIs. The issue reproduces in the affected released NuGet packages and affects both JSON and YAML reader paths.
A separate Microsoft-owned local consumer, microsoft/kiota, also reproduces the termination through the kiota show --openapi <file> workflow. That workflow parses OpenAPI files in-process using Microsoft.OpenApi and Microsoft.OpenApi.YamlReader.
Example payload
{
"openapi": "3.0.0",
"info": {
"title": "Test",
"version": "0.0.1"
},
"paths": {},
"components": {
"schemas": {
"A": {
"$ref": "#/components/schemas/B"
},
"B": {
"$ref": "#/components/schemas/A"
}
}
}
}
Remediation
Users should upgrade to Microsoft.OpenApi 2.7.5 or 3.5.4, depending on the major version line they consume.
Applications that parse OpenAPI documents from untrusted sources should avoid parsing those documents in the primary application process when possible. Running parsing in an isolated process can reduce the blast radius of parser failures.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.4"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.OpenApi"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-preview.11"
},
{
"fixed": "2.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.3"
},
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.OpenApi"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49451"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T15:56:24Z",
"nvd_published_at": "2026-06-30T17:16:22Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths.\n\n## Affected versions\n\n- `\u003e= 2.0.0-preview.11, \u003c= 2.7.4`\n- `\u003e= 3.0.0, \u003c= 3.5.3`\n\n### Patches\n\n- For the 2.X major version, versions 2.7.5 and above are patched.\n- For the 3.X major version, versions 3.5.4 and above are patched.\n- For the 1.X major version, the issue does not apply since that version of the library *could not* resolve references that pointed to another reference.\n\n## Impact\n\nApplications, CLIs, developer tools, or services that parse untrusted OpenAPI documents in-process may be terminated by a crafted OpenAPI document containing circular schema references.\n\nThe impact is availability/process termination only. This report does not claim remote code execution, authentication bypass, credential exposure, privilege escalation, data exposure, or Microsoft hosted service impact.\n\n## Details\n\nA standalone isolated-process harness confirmed repeatable process termination through public OpenAPI.NET reader APIs. The issue reproduces in the affected released NuGet packages and affects both JSON and YAML reader paths.\n\nA separate Microsoft-owned local consumer, `microsoft/kiota`, also reproduces the termination through the `kiota show --openapi \u003cfile\u003e` workflow. That workflow parses OpenAPI files in-process using Microsoft.OpenApi and Microsoft.OpenApi.YamlReader.\n\n### Example payload\n\n```json\n{\n \"openapi\": \"3.0.0\",\n \"info\": {\n \"title\": \"Test\",\n \"version\": \"0.0.1\"\n },\n \"paths\": {},\n \"components\": {\n \"schemas\": {\n \"A\": {\n \"$ref\": \"#/components/schemas/B\"\n },\n \"B\": {\n \"$ref\": \"#/components/schemas/A\"\n }\n }\n }\n}\n```\n\n## Remediation\n\nUsers should upgrade to Microsoft.OpenApi `2.7.5` or `3.5.4`, depending on the major version line they consume.\n\nApplications that parse OpenAPI documents from untrusted sources should avoid parsing those documents in the primary application process when possible. Running parsing in an isolated process can reduce the blast radius of parser failures.",
"id": "GHSA-v5pm-xwqc-g5wc",
"modified": "2026-07-06T12:57:29Z",
"published": "2026-06-30T15:56:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/microsoft/OpenAPI.NET/security/advisories/GHSA-v5pm-xwqc-g5wc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49451"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/OpenAPI.NET"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing"
}
GHSA-V5RQ-2Q5P-P82V
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2024-03-21 03:33** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.
{
"affected": [],
"aliases": [
"CVE-2019-9192"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-26T18:29:00Z",
"severity": "HIGH"
},
"details": "** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by \u0027(|)(\\\\1\\\\1)*\u0027 in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern.",
"id": "GHSA-v5rq-2q5p-p82v",
"modified": "2024-03-21T03:33:33Z",
"published": "2022-05-13T01:23:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9192"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=24269"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K26346590?utm_source=f5support\u0026amp;utm_medium=RSS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.