Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-WJWR-9F4Q-Q8H8

Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-05-24 16:56
VLAI
Details

In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more \u0027/\u0027 characters, i.e. the topic hierarchy separator, then a stack overflow will occur.",
  "id": "GHSA-wjwr-9f4q-q8h8",
  "modified": "2022-05-24T16:56:28Z",
  "published": "2022-05-24T16:56:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11779"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Nov/25"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4137-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4570"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WMHF-FQC8-VXHH

Vulnerability from github – Published: 2026-05-19 20:10 – Updated: 2026-07-06 22:53
VLAI
Summary
SQLFluff: Recursive Stack Overflow in Parser
Details

Impact

In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.

Patches

Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.

Credit

Ori Nakar from Imperva Threat Research Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sqlfluff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T20:10:17Z",
    "nvd_published_at": "2026-06-09T23:16:59Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.\n\n### Patches\n\nVersions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.\n\n### Credit\n\nOri Nakar from Imperva Threat Research Team.",
  "id": "GHSA-wmhf-fqc8-vxhh",
  "modified": "2026-07-06T22:53:18Z",
  "published": "2026-05-19T20:10:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46373"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/sqlfluff/PYSEC-2026-209.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sqlfluff/sqlfluff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SQLFluff: Recursive Stack Overflow in Parser"
}

GHSA-WQH3-2WQG-RQ54

Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08
VLAI
Details

An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in lib\\cdt\\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\\cgraph\\graph.c in libcgraph.a, related to agfstsubg in lib\\cgraph\\subg.c.",
  "id": "GHSA-wqh3-2wqg-rq54",
  "modified": "2022-05-13T01:08:56Z",
  "published": "2022-05-13T01:08:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9904"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/graphviz/graphviz/issues/1512"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/stack-buffer-overflow-in-function-agclose-graphviz"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR8R-279J-G4XP

Vulnerability from github – Published: 2025-10-12 15:30 – Updated: 2025-10-12 15:30
VLAI
Details

IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33096"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-12T14:15:36Z",
    "severity": "MODERATE"
  },
  "details": "IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.",
  "id": "GHSA-wr8r-279j-g4xp",
  "modified": "2025-10-12T15:30:16Z",
  "published": "2025-10-12T15:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33096"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7247716"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVRR-4W4F-3V54

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T23:17:03Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in MongoDB Server\u0027s BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator\u0027s handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.",
  "id": "GHSA-wvrr-4w4f-3v54",
  "modified": "2026-06-10T00:31:50Z",
  "published": "2026-06-10T00:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9740"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-125063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WVXW-Q92G-9GHF

Vulnerability from github – Published: 2026-06-04 18:30 – Updated: 2026-06-04 21:31
VLAI
Details

Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.

The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.

If the argument was not a well-formed IP address, then this would lead to indefinite recursion.

An attacker could use this to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T17:16:33Z",
    "severity": "HIGH"
  },
  "details": "Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.\n\nThe add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.\n\nIf the argument was not a well-formed IP address, then this would lead to indefinite recursion.\n\nAn attacker could use this to cause a denial of service.",
  "id": "GHSA-wvxw-q92g-9ghf",
  "modified": "2026-06-04T21:31:21Z",
  "published": "2026-06-04T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49941"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/04/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW3G-X39P-R2PW

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.",
  "id": "GHSA-ww3g-x39p-r2pw",
  "modified": "2022-05-13T01:12:22Z",
  "published": "2022-05-13T01:12:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0001"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10900"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMKFSHPMOZL7MDWU5RYOTIBTRWSZ4Z6X"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7CPKBW4QZ4VIY4UXIUVUSHRJ4R2FROE"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX32-7CG6-9X4F

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-12-21 15:30
VLAI
Details

A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among PdfTokenizer::ReadArray(), PdfTokenizer::GetNextVariant() and PdfTokenizer::ReadDataType() functions can lead to a stack overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-30470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among PdfTokenizer::ReadArray(), PdfTokenizer::GetNextVariant() and PdfTokenizer::ReadDataType() functions can lead to a stack overflow.",
  "id": "GHSA-wx32-7cg6-9x4f",
  "modified": "2022-12-21T15:30:16Z",
  "published": "2022-05-24T19:03:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30470"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947436"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X23X-4P2X-538Q

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:08
VLAI
Details

An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:31Z",
    "severity": "MODERATE"
  },
  "details": "An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.",
  "id": "GHSA-x23x-4p2x-538q",
  "modified": "2024-04-04T07:08:14Z",
  "published": "2023-08-22T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48545"
    },
    {
      "type": "WEB",
      "url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42092"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X27M-9W8J-5VCW

Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2023-01-02 21:50
VLAI
Summary
Jettison memory exhaustion
Details

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.jettison:jettison"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-20T21:20:42Z",
    "nvd_published_at": "2022-09-16T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.",
  "id": "GHSA-x27m-9w8j-5vcw",
  "modified": "2023-01-02T21:50:43Z",
  "published": "2022-09-17T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jettison-json/jettison/issues/45"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jettison-json/jettison"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5312"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jettison memory exhaustion"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.