CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-3HW2-H67C-WQ66
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2025-09-30 17:57Akka HTTP 10.1.x and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 10.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.13.0-RC3"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 10.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.13.0-RC2"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 10.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.13.0-M5"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 10.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:aakka-http-core_2.13.0-M3"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "10.2.0-M1"
},
{
"fixed": "10.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "10.2.0-M1"
},
{
"fixed": "10.2.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.typesafe.akka:akka-http-core_2.11"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-42697"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:08:40Z",
"nvd_published_at": "2021-11-02T22:15:00Z",
"severity": "HIGH"
},
"details": "Akka HTTP 10.1.x and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.",
"id": "GHSA-3hw2-h67c-wq66",
"modified": "2025-09-30T17:57:30Z",
"published": "2022-05-24T19:19:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42697"
},
{
"type": "WEB",
"url": "https://github.com/akka/akka-http/pull/3924"
},
{
"type": "WEB",
"url": "https://akka.io/blog"
},
{
"type": "WEB",
"url": "https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-released"
},
{
"type": "WEB",
"url": "https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-released"
},
{
"type": "WEB",
"url": "https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/akka/akka-http"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Recursion in Akka HTTP"
}
GHSA-3JCC-VP6F-3WJ7
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.
{
"affected": [],
"aliases": [
"CVE-2018-16300"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-03T16:15:00Z",
"severity": "HIGH"
},
"details": "The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.",
"id": "GHSA-3jcc-vp6f-3wj7",
"modified": "2024-04-04T02:08:17Z",
"published": "2022-05-24T16:57:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16300"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/commit/af2cf04a9394c1a56227c2289ae8da262828294a"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/23"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Oct/28"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200120-0001"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210788"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4252-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4252-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4547"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Dec/26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3JPJ-5QJM-M8R4
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected.
{
"affected": [],
"aliases": [
"CVE-2019-13955"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-26T13:15:00Z",
"severity": "MODERATE"
},
"details": "Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected.",
"id": "GHSA-3jpj-5qjm-m8r4",
"modified": "2024-04-04T01:23:22Z",
"published": "2022-05-24T16:51:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13955"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2019/Jul/20"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153733/Mikrotik-RouterOS-Resource-Stack-Exhaustion.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3M27-46P7-W7MH
Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-10-29 18:30In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached.
A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone.
Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of listening socket linked to a sockmap can point to to any variant in tcp_bpf_prots.
If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left if the inherited sk_prot by tcp_bpf_clone.
This leads to issues like infinite recursion on close 1, because the child state is otherwise not set up for use with tcp_bpf_prot operations.
Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.
Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen().
{
"affected": [],
"aliases": [
"CVE-2023-52986"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T17:15:45Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener\n\nA listening socket linked to a sockmap has its sk_prot overridden. It\npoints to one of the struct proto variants in tcp_bpf_prots. The variant\ndepends on the socket\u0027s family and which sockmap programs are attached.\n\nA child socket cloned from a TCP listener initially inherits their sk_prot.\nBut before cloning is finished, we restore the child\u0027s proto to the\nlistener\u0027s original non-tcp_bpf_prots one. This happens in\ntcp_create_openreq_child -\u003e tcp_bpf_clone.\n\nToday, in tcp_bpf_clone we detect if the child\u0027s proto should be restored\nby checking only for the TCP_BPF_BASE proto variant. This is not\ncorrect. The sk_prot of listening socket linked to a sockmap can point to\nto any variant in tcp_bpf_prots.\n\nIf the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then\nthe child socket unintentionally is left if the inherited sk_prot by\ntcp_bpf_clone.\n\nThis leads to issues like infinite recursion on close [1], because the\nchild state is otherwise not set up for use with tcp_bpf_prot operations.\n\nAdjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.\n\nNote that it wouldn\u0027t be sufficient to check the socket state when\noverriding the sk_prot in tcp_bpf_update_proto in order to always use the\nTCP_BPF_BASE variant for listening sockets. Since commit\nb8b8315e39ff (\"bpf, sockmap: Remove unhash handler for BPF sockmap usage\")\nit is possible for a socket to transition to TCP_LISTEN state while already\nlinked to a sockmap, e.g. connect() -\u003e insert into map -\u003e\nconnect(AF_UNSPEC) -\u003e listen().\n\n[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/",
"id": "GHSA-3m27-46p7-w7mh",
"modified": "2025-10-29T18:30:29Z",
"published": "2025-03-27T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52986"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12b0ec7c6953e1602957926439e5297095d7d065"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9bd6074e1872d22190a8da30e796cbf937d334f0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c681d7a4ed3d360de0574f4d6b7305a8de8dc54f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ddce1e091757d0259107c6c0c7262df201de2b66"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3P2W-3263-9GR3
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.
{
"affected": [],
"aliases": [
"CVE-2022-28131"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.",
"id": "GHSA-3p2w-3263-9gr3",
"modified": "2022-08-16T00:00:23Z",
"published": "2022-08-11T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28131"
},
{
"type": "WEB",
"url": "https://go.dev/cl/417062"
},
{
"type": "WEB",
"url": "https://go.dev/issue/53614"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0521"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221111-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3Q28-WQH2-J2F3
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05An unlimited recursion in DxeCore in EDK II.
{
"affected": [],
"aliases": [
"CVE-2021-28210"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "HIGH"
},
"details": "An unlimited recursion in DxeCore in EDK II.",
"id": "GHSA-3q28-wqh2-j2f3",
"modified": "2022-05-24T19:05:01Z",
"published": "2022-05-24T19:05:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28210"
},
{
"type": "WEB",
"url": "https://bugzilla.tianocore.org/show_bug.cgi?id=1743"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3QGJ-5MVJ-MP44
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30Secure Boot Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-37973"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T17:15:24Z",
"severity": "HIGH"
},
"details": "Secure Boot Security Feature Bypass Vulnerability",
"id": "GHSA-3qgj-5mvj-mp44",
"modified": "2024-07-09T18:30:50Z",
"published": "2024-07-09T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37973"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37973"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3VQ6-G92C-JM9J
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.
{
"affected": [],
"aliases": [
"CVE-2018-6544"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-02T09:29:00Z",
"severity": "MODERATE"
},
"details": "pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.",
"id": "GHSA-3vq6-g92c-jm9j",
"modified": "2022-05-13T01:53:07Z",
"published": "2022-05-13T01:53:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6544"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=698830"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=698965"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-15"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4152"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WXX-Q3GV-PVVV
Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 18:10The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "llama-index-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.38"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5472"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-08T18:10:45Z",
"nvd_published_at": "2025-07-07T10:15:28Z",
"severity": "MODERATE"
},
"details": "The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.",
"id": "GHSA-3wxx-q3gv-pvvv",
"modified": "2025-07-08T18:10:45Z",
"published": "2025-07-07T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5472"
},
{
"type": "WEB",
"url": "https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635"
},
{
"type": "PACKAGE",
"url": "https://github.com/run-llama/llama_index"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing"
}
GHSA-3X8R-X6XP-Q4VM
Vulnerability from github – Published: 2022-12-13 17:40 – Updated: 2025-11-04 16:41Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "loofah"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.19.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23516"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T17:40:50Z",
"nvd_published_at": "2022-12-14T14:15:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nLoofah `\u003e= 2.2.0, \u003c 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to Loofah `\u003e= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n\n\n## Severity\n\nThe Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)",
"id": "GHSA-3x8r-x6xp-q4vm",
"modified": "2025-11-04T16:41:06Z",
"published": "2022-12-13T17:40:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23516"
},
{
"type": "WEB",
"url": "https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040"
},
{
"type": "PACKAGE",
"url": "https://github.com/flavorjones/loofah"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Recursion in Loofah"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.