Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-3HW2-H67C-WQ66

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2025-09-30 17:57
VLAI
Summary
Uncontrolled Recursion in Akka HTTP
Details

Akka HTTP 10.1.x and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.1.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.13.0-RC3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.1.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.13.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.1.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.13.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 10.1.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:aakka-http-core_2.13.0-M3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            },
            {
              "fixed": "10.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.2.0-M1"
            },
            {
              "fixed": "10.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            },
            {
              "fixed": "10.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.2.0-M1"
            },
            {
              "fixed": "10.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-http-core_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0"
            },
            {
              "fixed": "10.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-42697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-21T20:08:40Z",
    "nvd_published_at": "2021-11-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Akka HTTP 10.1.x and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.",
  "id": "GHSA-3hw2-h67c-wq66",
  "modified": "2025-09-30T17:57:30Z",
  "published": "2022-05-24T19:19:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akka/akka-http/pull/3924"
    },
    {
      "type": "WEB",
      "url": "https://akka.io/blog"
    },
    {
      "type": "WEB",
      "url": "https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-released"
    },
    {
      "type": "WEB",
      "url": "https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-released"
    },
    {
      "type": "WEB",
      "url": "https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/akka/akka-http"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Recursion in Akka HTTP"
}

GHSA-3JCC-VP6F-3WJ7

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08
VLAI
Details

The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-03T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "The BGP parser in tcpdump before 4.9.3 allows stack consumption in print-bgp.c:bgp_attr_print() because of unlimited recursion.",
  "id": "GHSA-3jcc-vp6f-3wj7",
  "modified": "2024-04-04T02:08:17Z",
  "published": "2022-05-24T16:57:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/commit/af2cf04a9394c1a56227c2289ae8da262828294a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Dec/23"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Oct/28"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200120-0001"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT210788"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4252-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4252-2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4547"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Dec/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3JPJ-5QJM-M8R4

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23
VLAI
Details

Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-26T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Mikrotik RouterOS before 6.44.5 (long-term release tree) is vulnerable to stack exhaustion. By sending a crafted HTTP request, an authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. Malicious code cannot be injected.",
  "id": "GHSA-3jpj-5qjm-m8r4",
  "modified": "2024-04-04T01:23:22Z",
  "published": "2022-05-24T16:51:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13955"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2019/Jul/20"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/153733/Mikrotik-RouterOS-Resource-Stack-Exhaustion.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M27-46P7-W7MH

Vulnerability from github – Published: 2025-03-27 18:31 – Updated: 2025-10-29 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener

A listening socket linked to a sockmap has its sk_prot overridden. It points to one of the struct proto variants in tcp_bpf_prots. The variant depends on the socket's family and which sockmap programs are attached.

A child socket cloned from a TCP listener initially inherits their sk_prot. But before cloning is finished, we restore the child's proto to the listener's original non-tcp_bpf_prots one. This happens in tcp_create_openreq_child -> tcp_bpf_clone.

Today, in tcp_bpf_clone we detect if the child's proto should be restored by checking only for the TCP_BPF_BASE proto variant. This is not correct. The sk_prot of listening socket linked to a sockmap can point to to any variant in tcp_bpf_prots.

If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then the child socket unintentionally is left if the inherited sk_prot by tcp_bpf_clone.

This leads to issues like infinite recursion on close 1, because the child state is otherwise not set up for use with tcp_bpf_prot operations.

Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.

Note that it wouldn't be sufficient to check the socket state when overriding the sk_prot in tcp_bpf_update_proto in order to always use the TCP_BPF_BASE variant for listening sockets. Since commit b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage") it is possible for a socket to transition to TCP_LISTEN state while already linked to a sockmap, e.g. connect() -> insert into map -> connect(AF_UNSPEC) -> listen().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T17:15:45Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener\n\nA listening socket linked to a sockmap has its sk_prot overridden. It\npoints to one of the struct proto variants in tcp_bpf_prots. The variant\ndepends on the socket\u0027s family and which sockmap programs are attached.\n\nA child socket cloned from a TCP listener initially inherits their sk_prot.\nBut before cloning is finished, we restore the child\u0027s proto to the\nlistener\u0027s original non-tcp_bpf_prots one. This happens in\ntcp_create_openreq_child -\u003e tcp_bpf_clone.\n\nToday, in tcp_bpf_clone we detect if the child\u0027s proto should be restored\nby checking only for the TCP_BPF_BASE proto variant. This is not\ncorrect. The sk_prot of listening socket linked to a sockmap can point to\nto any variant in tcp_bpf_prots.\n\nIf the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then\nthe child socket unintentionally is left if the inherited sk_prot by\ntcp_bpf_clone.\n\nThis leads to issues like infinite recursion on close [1], because the\nchild state is otherwise not set up for use with tcp_bpf_prot operations.\n\nAdjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.\n\nNote that it wouldn\u0027t be sufficient to check the socket state when\noverriding the sk_prot in tcp_bpf_update_proto in order to always use the\nTCP_BPF_BASE variant for listening sockets. Since commit\nb8b8315e39ff (\"bpf, sockmap: Remove unhash handler for BPF sockmap usage\")\nit is possible for a socket to transition to TCP_LISTEN state while already\nlinked to a sockmap, e.g. connect() -\u003e insert into map -\u003e\nconnect(AF_UNSPEC) -\u003e listen().\n\n[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/",
  "id": "GHSA-3m27-46p7-w7mh",
  "modified": "2025-10-29T18:30:29Z",
  "published": "2025-03-27T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52986"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12b0ec7c6953e1602957926439e5297095d7d065"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9bd6074e1872d22190a8da30e796cbf937d334f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c681d7a4ed3d360de0574f4d6b7305a8de8dc54f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddce1e091757d0259107c6c0c7262df201de2b66"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3P2W-3263-9GR3

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-16 00:00
VLAI
Details

Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.",
  "id": "GHSA-3p2w-3263-9gr3",
  "modified": "2022-08-16T00:00:23Z",
  "published": "2022-08-11T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28131"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/417062"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/53614"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/go/+/08c46ed43d80bbb67cb904944ea3417989be4af3"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0521"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221111-0009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q28-WQH2-J2F3

Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05
VLAI
Details

An unlimited recursion in DxeCore in EDK II.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-11T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An unlimited recursion in DxeCore in EDK II.",
  "id": "GHSA-3q28-wqh2-j2f3",
  "modified": "2022-05-24T19:05:01Z",
  "published": "2022-05-24T19:05:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28210"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=1743"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3QGJ-5MVJ-MP44

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Secure Boot Security Feature Bypass Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:24Z",
    "severity": "HIGH"
  },
  "details": "Secure Boot Security Feature Bypass Vulnerability",
  "id": "GHSA-3qgj-5mvj-mp44",
  "modified": "2024-07-09T18:30:50Z",
  "published": "2024-07-09T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37973"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3VQ6-G92C-JM9J

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-02T09:29:00Z",
    "severity": "MODERATE"
  },
  "details": "pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could reference the object stream recursively and therefore run out of error stack, which allows remote attackers to cause a denial of service via a crafted PDF document.",
  "id": "GHSA-3vq6-g92c-jm9j",
  "modified": "2022-05-13T01:53:07Z",
  "published": "2022-05-13T01:53:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6544"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698830"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=698965"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201811-15"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4152"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WXX-Q3GV-PVVV

Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 18:10
VLAI
Summary
LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing
Details

The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.38"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T18:10:45Z",
    "nvd_published_at": "2025-07-07T10:15:28Z",
    "severity": "MODERATE"
  },
  "details": "The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38.",
  "id": "GHSA-3wxx-q3gv-pvvv",
  "modified": "2025-07-08T18:10:45Z",
  "published": "2025-07-07T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/c032843a02ce38fd8f284b2aa5a37fd1c17ae635"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/df187bda-7911-4823-a19a-e15b2c66b0d4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing"
}

GHSA-3X8R-X6XP-Q4VM

Vulnerability from github – Published: 2022-12-13 17:40 – Updated: 2025-11-04 16:41
VLAI
Summary
Uncontrolled Recursion in Loofah
Details

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "loofah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.19.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T17:40:50Z",
    "nvd_published_at": "2022-12-14T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nLoofah `\u003e= 2.2.0, \u003c 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception.  This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to Loofah `\u003e= 2.19.1`.\n\nUsers who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.\n\n\n## Severity\n\nThe Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)",
  "id": "GHSA-3x8r-x6xp-q4vm",
  "modified": "2025-11-04T16:41:06Z",
  "published": "2022-12-13T17:40:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23516"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flavorjones/loofah"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23516.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Recursion in Loofah"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.