Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-38X5-6RJP-VC28

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-04T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.",
  "id": "GHSA-38x5-6rjp-vc28",
  "modified": "2022-05-13T01:50:21Z",
  "published": "2022-05-13T01:50:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/commit/03628449b75a93787eb2359412a3980365dda49b#diff-f8c0128e14031ed9307d47f10f601b54"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-397J-7MPF-RM74

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-18T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.",
  "id": "GHSA-397j-7mpf-rm74",
  "modified": "2022-05-13T01:49:10Z",
  "published": "2022-05-13T01:49:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11254"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576174"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39FP-MQMM-GXJ6

Vulnerability from github – Published: 2024-03-29 16:36 – Updated: 2025-05-07 18:49
VLAI
Summary
CodeIgniter4 DoS Vulnerability
Details

Impact

A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.

Patches

Upgrade to v4.4.7 or later. See upgrading guide.

Workarounds

  • Disabling Auto Routing prevents a known attack vector in the framework.
  • Do not pass invalid values to the lang() function or Language class.

References

  • https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization
  • https://codeigniter4.github.io/userguide/general/common_functions.html#lang
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T16:36:38Z",
    "nvd_published_at": "2024-03-29T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.\n\n### Patches\nUpgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).\n\n### Workarounds\n- Disabling Auto Routing prevents a known attack vector in the framework.\n- Do not pass invalid values to the `lang()` function or `Language` class.\n\n### References\n- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization\n- https://codeigniter4.github.io/userguide/general/common_functions.html#lang",
  "id": "GHSA-39fp-mqmm-gxj6",
  "modified": "2025-05-07T18:49:41Z",
  "published": "2024-03-29T16:36:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/commit/fa851acbae7ae4c5a97f8f38ae87aa0822a334c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/CodeIgniter4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CodeIgniter4 DoS Vulnerability"
}

GHSA-39VW-QP34-RMWF

Vulnerability from github – Published: 2021-08-25 21:00 – Updated: 2023-06-13 21:03
VLAI
Summary
Uncontrolled recursion leads to abort in deserialization
Details

Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "serde_yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0-rc1"
            },
            {
              "fixed": "0.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-06T17:45:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.\n",
  "id": "GHSA-39vw-qp34-rmwf",
  "modified": "2023-06-13T21:03:35Z",
  "published": "2021-08-25T21:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dtolnay/serde-yaml/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dtolnay/serde-yaml/commit/b93aff6e904cffbbfd1f421b82f6dcc5ca19a4fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dtolnay/serde-yaml"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0005.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Uncontrolled recursion leads to abort in deserialization"
}

GHSA-3C37-WWVX-H642

Vulnerability from github – Published: 2026-03-23 20:23 – Updated: 2026-03-25 20:38
VLAI
Summary
cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
Details

Summary

  • The cbor2 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.
  • This vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising a RecursionError. In some environments, this exception is not caught, thus causing the service process to terminate.
  • While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python's global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., 0x81). When cbor2.loads() attempts to parse this, it hits the interpreter's recursion limit, causing the call to raise a RecursionError.
  • By sending a stream of small (<100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.

Details

  • The vulnerability stems from the recursive design of the CBORDecoder class, specifically how it decodes nested container types like Arrays and Maps.
  • Inside decode_array (and similarly decode_map), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls self.decode() again to parse the nested item. This recursive call lacks a depth-tracking mechanism.
  • Vulnerable Code Locations:
  • cbor2/decoder.py (Pure Python implementation)
  • source/decoder.c (C extension implementation)
  • Execution Flow:
  • The cbor2.loads() function initializes a CBORDecoder and calls its decode() method.
  • The decode() method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls decode_array.
  • decode_array loops and calls self.decode() for each item, leading to deep recursion when parsing a payload like [...[...[1]...]...].

PoC

import cbor2

DEPTH = 1000

payload = b'\x81' * DEPTH + b'\x01'
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering decoder...")

try:
    cbor2.loads(payload)
    print("[+] Parsed successfully (Not Vulnerable)")
except RecursionError:
    print("\n[!] VULNERABLE: RecursionError triggered!")
except Exception as e:
    print(f"\n[-] Unexpected Error: {type(e).__name__}: {e}")

Impact

  • Scope: This vulnerability affects any application using cbor2 to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).
  • Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.

Credit

This issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "cbor2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T20:23:57Z",
    "nvd_published_at": "2026-03-23T19:16:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n- The `cbor2` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.\n- This vulnerability affects both the pure Python implementation and the C extension (`_cbor2`). The C extension correctly uses Python\u0027s C-API for recursion protection (`Py_EnterRecursiveCall`), but this mechanism is designed to prevent a stack overflow by raising a `RecursionError`. In some environments, this exception is not caught, thus causing the service process to terminate.\n- While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python\u0027s global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., `0x81`). When `cbor2.loads()` attempts to parse this, it hits the interpreter\u0027s recursion limit, causing the call to raise a `RecursionError`.\n- By sending a stream of small (\u003c100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.\n\n### Details\n\n- The vulnerability stems from the recursive design of the `CBORDecoder` class, specifically how it decodes nested container types like Arrays and Maps.\n- Inside `decode_array` (and similarly `decode_map`), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls `self.decode()` again to parse the nested item. This recursive call lacks a depth-tracking mechanism.\n- Vulnerable Code Locations:\n  - `cbor2/decoder.py` (Pure Python implementation)\n  - `source/decoder.c` (C extension implementation)\n- Execution Flow:\n  1. The `cbor2.loads()` function initializes a `CBORDecoder` and calls its `decode()` method.\n  2. The `decode()` method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls `decode_array`.\n  3. `decode_array` loops and calls `self.decode()` for each item, leading to deep recursion when parsing a payload like `[...[...[1]...]...]`.\n\n### PoC\n\n```\nimport cbor2\n\nDEPTH = 1000\n\npayload = b\u0027\\x81\u0027 * DEPTH + b\u0027\\x01\u0027\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering decoder...\")\n\ntry:\n    cbor2.loads(payload)\n    print(\"[+] Parsed successfully (Not Vulnerable)\")\nexcept RecursionError:\n    print(\"\\n[!] VULNERABLE: RecursionError triggered!\")\nexcept Exception as e:\n    print(f\"\\n[-] Unexpected Error: {type(e).__name__}: {e}\")\n```\n\n### Impact\n\n- Scope: This vulnerability affects any application using `cbor2` to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).\n- Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.\n\n### Credit\n\nThis issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.",
  "id": "GHSA-3c37-wwvx-h642",
  "modified": "2026-03-25T20:38:41Z",
  "published": "2026-03-23T20:23:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/pull/275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agronholm/cbor2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads"
}

GHSA-3F92-Q4C5-7PPR

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-31T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many \u0027{\u0027 characters in jsparse.c.",
  "id": "GHSA-3f92-q4c5-7ppr",
  "modified": "2022-05-13T01:49:18Z",
  "published": "2022-05-13T01:49:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/espruino/Espruino/issues/1448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/espruino/Espruino/commit/51380baf17241728b6d48cdb84140b931e3e3cc5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FFH-3H59-484G

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-09-20 00:30
VLAI
Details

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-22T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.",
  "id": "GHSA-3ffh-3h59-484g",
  "modified": "2023-09-20T00:30:15Z",
  "published": "2022-05-24T17:07:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/issues/724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FGQ-P3W2-7Q9W

Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-19T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users with the editinterface permission can trigger infinite recursion, because a bare local interwiki is mishandled for the mainpage message.",
  "id": "GHSA-3fgq-p3w2-7q9w",
  "modified": "2022-09-22T00:00:26Z",
  "published": "2022-09-20T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28201"
    },
    {
      "type": "WEB",
      "url": "https://blog.legoktm.com/2022/07/03/a-belated-writeup-of-cve-2022-28201-in-mediawiki.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T297571"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5246"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GF2-723M-W3FV

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2025-05-30 21:30
VLAI
Details

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.",
  "id": "GHSA-3gf2-723m-w3fv",
  "modified": "2025-05-30T21:30:52Z",
  "published": "2022-02-19T00:01:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/558"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-24"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220303-0008"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5085"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/19/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3HJH-JH2H-VRG6

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-11-04 15:27
VLAI
Summary
Denial of service in langchain-community
Details

Denial of service in SitemapLoader Document Loader in the langchain-community package, affecting versions below 0.2.5. The parse_sitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain-community"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-06T22:20:20Z",
    "nvd_published_at": "2024-06-06T19:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.",
  "id": "GHSA-3hjh-jh2h-vrg6",
  "modified": "2024-11-04T15:27:57Z",
  "published": "2024-06-06T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/pull/22903"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langchain"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in langchain-community"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.