Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1057 vulnerabilities reference this CWE, most recent first.

GHSA-3W69-J4HP-RVH4

Vulnerability from github – Published: 2025-04-15 15:30 – Updated: 2025-08-20 09:30
VLAI
Details

This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T15:16:09Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the \"inbox\" endpoint when\u00a0receiving crafted ActivityPub activities.",
  "id": "GHSA-3w69-j4hp-rvh4",
  "modified": "2025-08-20T09:30:38Z",
  "published": "2025-04-15T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32947"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chocobozzz/PeerTube/commit/76226d85685220db1495025300eca784d0336f7d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/peertube-activitypub-crawl-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WR5-MP77-P74F

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:41
VLAI
Details

A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an "infinite loop."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-25T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, which allows attackers to cause a denial of service via a crafted file, related to the QPDFTokenizer::resolveLiteral function in QPDFTokenizer.cc after four consecutive calls to QPDFObjectHandle::parseInternal, aka an \"infinite loop.\"",
  "id": "GHSA-3wr5-mp77-p74f",
  "modified": "2025-04-20T03:41:28Z",
  "published": "2022-05-13T01:42:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qpdf/qpdf/issues/119"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3638-1"
    },
    {
      "type": "WEB",
      "url": "http://somevulnsofadlab.blogspot.jp/2017/07/qpdfan-infinite-loop-in-libqpdf_65.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WWW-Q54H-9529

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-07T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, While processing the RIC Data Descriptor IE in an artificially crafted 802.11 frame with IE length more than 255, an infinite loop may potentially occur resulting in a denial of service.",
  "id": "GHSA-3www-q54h-9529",
  "modified": "2022-05-13T01:44:01Z",
  "published": "2022-05-13T01:44:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15835"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2018-11-01#qualcomm-components"
    },
    {
      "type": "WEB",
      "url": "https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3X7H-5HFR-HVJM

Vulnerability from github – Published: 2018-10-19 16:54 – Updated: 2021-08-31 21:36
VLAI
Summary
Moderate severity vulnerability that affects io.undertow:undertow-core
Details

It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-2670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:56:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.",
  "id": "GHSA-3x7h-5hfr-hvjm",
  "modified": "2021-08-31T21:36:39Z",
  "published": "2018-10-19T16:54:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2670"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-3x7h-5hfr-hvjm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moderate severity vulnerability that affects io.undertow:undertow-core"
}

GHSA-3XPW-25QV-R984

Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24
VLAI
Details

Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-06-05T22:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248.",
  "id": "GHSA-3xpw-25qv-r984",
  "modified": "2022-05-13T01:24:52Z",
  "published": "2022-05-13T01:24:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1186"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/76139"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2012-06/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/47926"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48974"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/49043"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/49317"
    },
    {
      "type": "WEB",
      "url": "http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-1435-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2462"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/19/5"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/80555"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/51957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-433P-JX86-Q7VW

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

The function wav_read in libwav.c in libwav through 2017-04-20 has an infinite loop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-13T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "The function wav_read in libwav.c in libwav through 2017-04-20 has an infinite loop.",
  "id": "GHSA-433p-jx86-q7vw",
  "modified": "2022-05-13T01:49:54Z",
  "published": "2022-05-13T01:49:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14051"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marc-q/libwav/issues/21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fouzhe/security/tree/master/libwav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43MH-3PGG-2XJC

Vulnerability from github – Published: 2026-01-27 09:30 – Updated: 2026-01-27 09:30
VLAI
Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C.

This issue affects lede: through r25.10.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T09:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C.\n\nThis issue affects lede: through r25.10.1.",
  "id": "GHSA-43mh-3pgg-2xjc",
  "modified": "2026-01-27T09:30:30Z",
  "published": "2026-01-27T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coolsnowwolf/lede/pull/13346"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-43RM-FV4G-CMJ8

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-06-08 00:00
VLAI
Details

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-02T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.",
  "id": "GHSA-43rm-fv4g-cmj8",
  "modified": "2022-06-08T00:00:32Z",
  "published": "2022-05-24T19:03:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3468"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939614"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00028.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43W5-MMXV-CPVH

Vulnerability from github – Published: 2026-03-17 16:59 – Updated: 2026-03-31 18:45
VLAI
Summary
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Details

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name).

Example

With such an application

package dosform;

import io.micronaut.http.HttpResponse;
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Consumes;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Post;
import io.micronaut.http.annotation.Produces;

import java.net.URI;

@Controller
class HomeController {

    @Produces(MediaType.TEXT_HTML)
    @Get
    String index() {
        return """
                <!DOCTYPE html>
                <html>
                <head>
                <title></title>
                </head>
                <body>
    <form action="/submit" method="post">
      <label for="firstAuthor">Fist Author</label>
      <input id="firstAuthor" name="authors[0].name" type="text"/>

      <label for="secondAuthor">Second Author</label>
      <input id="secondAuthor" name="authors[1].name" type="text"/>

      <label for="thirdAuthor">Third Author</label>
      <input id="thirdAuthor" name="authors[2].name" type="text"/>

      <button type="submit">Submit</button>
    </form>

                </body>
                </html>
                """;
    }

    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Post("/submit")
    HttpResponse<?> submit(@Body Book book) {
        return HttpResponse.seeOther(URI.create("/"));
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.Objects;

@Introspected
public class Author {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Author)) return false;

        Author author = (Author) o;
        return Objects.equals(name, author.name);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(name);
    }

    @Override
    public String toString() {
        return "Author{" +
                "name='" + name + '\'' +
                '}';
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.List;
import java.util.Objects;

@Introspected
public class Book {
    private List<Author> authors;
    public List<Author> getAuthors() { return authors; }
    public void setAuthors(List<Author> authors) { this.authors = authors; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Book)) return false;

        Book book = (Book) o;
        return Objects.equals(authors, book.authors);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(authors);
    }

    @Override
    public String toString() {
        return "Book{" +
                "authors=" + authors +
                '}';
    }
}

Sending curl -v -X POST 'http://127.0.0.1:8080/submit' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'authors[1].name=RobertGalbraith' --data-urlencode 'authors[0].name=JKRowling' causes sustained CPU usage and unbounded memory growth (eventually OutOfMemoryError).

Patches

For Micronaut 4, the problem has been patched in micronaut-core, dependencies with group id io.micronaut, since 4.10.16.

For Micronaut 3, the problem has been patched since 3.10.5

Users upgrade to the latest version of the framework.

Workarounds

There is no way for users to fix or remediate the vulnerability without upgrading.

References

PR Fix: https://github.com/micronaut-projects/micronaut-core/pull/12410

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-M1"
            },
            {
              "fixed": "4.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T16:59:59Z",
    "nvd_published_at": "2026-03-20T05:16:15Z",
    "severity": "HIGH"
  },
  "details": "In `JsonBeanPropertyBinder::expandArrayToThreshold` in `io.micronaut:micronaut-json-core` before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., `authors[1].name` followed by `authors[0].name`).\n\n### Example\n\nWith such an application\n\n```java\npackage dosform;\n\nimport io.micronaut.http.HttpResponse;\nimport io.micronaut.http.MediaType;\nimport io.micronaut.http.annotation.Body;\nimport io.micronaut.http.annotation.Consumes;\nimport io.micronaut.http.annotation.Controller;\nimport io.micronaut.http.annotation.Get;\nimport io.micronaut.http.annotation.Post;\nimport io.micronaut.http.annotation.Produces;\n\nimport java.net.URI;\n\n@Controller\nclass HomeController {\n\n    @Produces(MediaType.TEXT_HTML)\n    @Get\n    String index() {\n        return \"\"\"\n                \u003c!DOCTYPE html\u003e\n                \u003chtml\u003e\n                \u003chead\u003e\n                \u003ctitle\u003e\u003c/title\u003e\n                \u003c/head\u003e\n                \u003cbody\u003e\n    \u003cform action=\"/submit\" method=\"post\"\u003e\n      \u003clabel for=\"firstAuthor\"\u003eFist Author\u003c/label\u003e\n      \u003cinput id=\"firstAuthor\" name=\"authors[0].name\" type=\"text\"/\u003e\n\n      \u003clabel for=\"secondAuthor\"\u003eSecond Author\u003c/label\u003e\n      \u003cinput id=\"secondAuthor\" name=\"authors[1].name\" type=\"text\"/\u003e\n      \n      \u003clabel for=\"thirdAuthor\"\u003eThird Author\u003c/label\u003e\n      \u003cinput id=\"thirdAuthor\" name=\"authors[2].name\" type=\"text\"/\u003e\n\n      \u003cbutton type=\"submit\"\u003eSubmit\u003c/button\u003e\n    \u003c/form\u003e\n               \n                \u003c/body\u003e\n                \u003c/html\u003e\n                \"\"\";\n    }\n\n    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)\n    @Post(\"/submit\")\n    HttpResponse\u003c?\u003e submit(@Body Book book) {\n        return HttpResponse.seeOther(URI.create(\"/\"));\n    }\n}\npackage dosform;\n\nimport io.micronaut.core.annotation.Introspected;\n\nimport java.util.Objects;\n\n@Introspected\npublic class Author {\n    private String name;\n    public String getName() { return name; }\n    public void setName(String name) { this.name = name; }\n\n    @Override\n    public final boolean equals(Object o) {\n        if (!(o instanceof Author)) return false;\n\n        Author author = (Author) o;\n        return Objects.equals(name, author.name);\n    }\n\n    @Override\n    public int hashCode() {\n        return Objects.hashCode(name);\n    }\n\n    @Override\n    public String toString() {\n        return \"Author{\" +\n                \"name=\u0027\" + name + \u0027\\\u0027\u0027 +\n                \u0027}\u0027;\n    }\n}\npackage dosform;\n\nimport io.micronaut.core.annotation.Introspected;\n\nimport java.util.List;\nimport java.util.Objects;\n\n@Introspected\npublic class Book {\n    private List\u003cAuthor\u003e authors;\n    public List\u003cAuthor\u003e getAuthors() { return authors; }\n    public void setAuthors(List\u003cAuthor\u003e authors) { this.authors = authors; }\n\n    @Override\n    public final boolean equals(Object o) {\n        if (!(o instanceof Book)) return false;\n\n        Book book = (Book) o;\n        return Objects.equals(authors, book.authors);\n    }\n\n    @Override\n    public int hashCode() {\n        return Objects.hashCode(authors);\n    }\n\n    @Override\n    public String toString() {\n        return \"Book{\" +\n                \"authors=\" + authors +\n                \u0027}\u0027;\n    }\n}\n```\n\nSending `curl -v -X POST \u0027http://127.0.0.1:8080/submit\u0027 -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 --data-urlencode \u0027authors[1].name=RobertGalbraith\u0027 --data-urlencode \u0027authors[0].name=JKRowling\u0027` causes sustained CPU usage and unbounded memory growth (eventually `OutOfMemoryError`). \n\n### Patches\nFor Micronaut 4, the problem has been patched in `micronaut-core`, dependencies with group id `io.micronaut`, since [4.10.16](https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16).\n\nFor Micronaut 3, the problem has been patched since [3.10.5](https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5)\n\nUsers upgrade to the latest version of the framework. \n\n### Workarounds\nThere is no way for users to fix or remediate the vulnerability without upgrading.\n\n### References\nPR Fix: https://github.com/micronaut-projects/micronaut-core/pull/12410",
  "id": "GHSA-43w5-mmxv-cpvh",
  "modified": "2026-03-31T18:45:02Z",
  "published": "2026-03-17T16:59:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/pull/12410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041b7a2c177366d4a4deb55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices"
}

GHSA-45C7-642Q-QM9M

Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-06-25 18:31
VLAI
Details

An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T15:15:11Z",
    "severity": "HIGH"
  },
  "details": "An infinite loop vulnerability was found in Samba\u0027s mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.",
  "id": "GHSA-45c7-642q-qm9m",
  "modified": "2024-06-25T18:31:20Z",
  "published": "2023-07-20T18:33:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34966"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:6667"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:7139"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0423"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0580"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:4101"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-34966"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222793"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT74M42E6C36W7PQVY3OS4ZM7DVYB64Z"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230731-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5477"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/security/CVE-2023-34966"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.