CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-964F-VC2F-CH6J
Vulnerability from github – Published: 2026-02-14 00:32 – Updated: 2026-02-18 15:31A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.
{
"affected": [],
"aliases": [
"CVE-2025-70955"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T22:16:10Z",
"severity": "HIGH"
},
"details": "A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process\u0027s stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.",
"id": "GHSA-964f-vc2f-ch6j",
"modified": "2026-02-18T15:31:24Z",
"published": "2026-02-14T00:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70955"
},
{
"type": "WEB",
"url": "https://github.com/ton-blockchain/ton/commit/b5734d2e30b9c93cfdacb4ea37c9ebdf11ca5d49#diff-17eca9db515992a081522236bf9bad767fac171044f7c00c20bf740f4206b3de"
},
{
"type": "WEB",
"url": "https://gist.github.com/Lucian-code233/25b0a13be569db9160340d9ecd2fdf0d"
},
{
"type": "WEB",
"url": "https://github.com/ton-blockchain/ton/releases/tag/v2024.10#:~:text=krigga%20%28emulator%29%2C-%2CArayz%2C-%40%20TonBit%20%28LS%20security"
},
{
"type": "WEB",
"url": "https://mp.weixin.qq.com/s/wy2ea6udkNZzIsp1K2LEOQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97WG-3GJR-5W5M
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector.
{
"affected": [],
"aliases": [
"CVE-2017-9617"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-14T20:29:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector.",
"id": "GHSA-97wg-3gjr-5w5m",
"modified": "2022-05-13T01:48:02Z",
"published": "2022-05-13T01:48:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9617"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99087"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038706"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-98M9-HRRM-R99R
Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-26 19:27Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth.
A crafted query string such as:
a[x][x][x][x]...[x]=1
causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths.
This has been patched in version 2.14.3 and backported to 1.10.6.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.14.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "faraday"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.14.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.10.5"
},
"package": {
"ecosystem": "RubyGems",
"name": "faraday"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54297"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:35:43Z",
"nvd_published_at": "2026-06-24T17:17:29Z",
"severity": "HIGH"
},
"details": "`Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth.\n\nA crafted query string such as:\n\n```text\na[x][x][x][x]...[x]=1\n```\n\ncauses Faraday to build a deeply nested Ruby `Hash` structure. The internal `dehash` routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught `SystemStackError` (`stack level too deep`), crashing the calling thread or worker. This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday\u0027s nested query parsing or URL-building paths.\n\nThis has been patched in version 2.14.3 and backported to 1.10.6.",
"id": "GHSA-98m9-hrrm-r99r",
"modified": "2026-06-26T19:27:19Z",
"published": "2026-06-19T19:35:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lostisland/faraday/security/advisories/GHSA-98m9-hrrm-r99r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54297"
},
{
"type": "WEB",
"url": "https://github.com/lostisland/faraday/pull/1681"
},
{
"type": "PACKAGE",
"url": "https://github.com/lostisland/faraday"
},
{
"type": "WEB",
"url": "https://github.com/lostisland/faraday/releases/tag/v1.10.6"
},
{
"type": "WEB",
"url": "https://github.com/lostisland/faraday/releases/tag/v2.14.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters"
}
GHSA-9FJP-Q3C4-6W3J
Vulnerability from github – Published: 2026-03-20 20:56 – Updated: 2026-03-30 13:51Impact
An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.
Patches
The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.44"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.55"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33498"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:56:22Z",
"nvd_published_at": "2026-03-24T19:16:54Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944.\n\n### Patches\n\nThe query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire.\n\n### Workarounds\n\nNone.",
"id": "GHSA-9fjp-q3c4-6w3j",
"modified": "2026-03-30T13:51:36Z",
"published": "2026-03-20T20:56:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9fjp-q3c4-6w3j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33498"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10257"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10258"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/2581b5426047ce9cbcd3d9c0e8379e9c30e23ab5"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/85994eff9e7b34cac7e1a2f5791985022a1461d1"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server has a query condition depth bypass via pre-validation transform pipeline"
}
GHSA-9HCV-XW76-M4H6
Vulnerability from github – Published: 2025-03-14 09:34 – Updated: 2026-03-20 03:31A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
{
"affected": [],
"aliases": [
"CVE-2024-8176"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-14T09:15:14Z",
"severity": "HIGH"
},
"details": "A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.",
"id": "GHSA-9hcv-xw76-m4h6",
"modified": "2026-03-20T03:31:02Z",
"published": "2025-03-14T09:34:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8176"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/issues/893"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/pull/973"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/760160"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2024-8176"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250328-0009"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2024-8176"
},
{
"type": "WEB",
"url": "https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53"
},
{
"type": "WEB",
"url": "https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1239618"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310137"
},
{
"type": "WEB",
"url": "https://blog.hartwork.org/posts/expat-2-7-0-released"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8176"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8385"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7512"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7444"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4449"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4448"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4447"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4446"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4048"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:3913"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:3734"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:3531"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22871"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22785"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22607"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22035"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22034"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22033"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:13681"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/6"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/May/8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/03/15/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/24/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9PGC-3CCV-5297
Vulnerability from github – Published: 2026-05-29 20:09 – Updated: 2026-05-29 20:09Impact
DNSIncoming._decode_labels_at_offset recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython's default limit, and RecursionError was not listed in DECODE_EXCEPTIONS, so it escaped DNSIncoming.__init__ and was logged by asyncio's default exception handler.
Any unauthenticated host on the local link (UDP/5353, 224.0.0.251 / ff02::fb) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.
Patches
Fixed in zeroconf 0.149.5 (PR #1719).
Upgrade to >= 0.149.5.
Workarounds
There is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.
Resources
- PR #1719, fix
- Issue #1713, public tracking issue
- RFC 1035 §4.1.4, RFC 6762, CWE-674
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zeroconf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.149.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47180"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T20:09:52Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`DNSIncoming._decode_labels_at_offset` recurses once per DNS-name compression pointer (RFC 1035 \u00a74.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers drives the recursion past CPython\u0027s default limit, and `RecursionError` was not listed in `DECODE_EXCEPTIONS`, so it escaped `DNSIncoming.__init__` and was logged by asyncio\u0027s default exception handler.\n\nAny unauthenticated host on the local link (UDP/5353, `224.0.0.251` / `ff02::fb`) can degrade the mDNS listener; that includes a guest on the same Wi-Fi, a compromised IoT device, or a container on a shared bridge. Replaying at a few hertz produces sustained CPU burn and log flooding, and mDNS-dependent features (HomeKit, Chromecast/Matter, AirPlay, printers) degrade while the attack is in flight.\n\n### Patches\nFixed in `zeroconf` 0.149.5 ([PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719)).\nUpgrade to `\u003e= 0.149.5`.\n\n### Workarounds\nThere is no in-process workaround; upgrading is the fix. Otherwise, restrict mDNS (UDP/5353) to trusted Layer-2 segments via AP client isolation, guest-network separation, or host firewall rules.\n\n### Resources\n- [PR #1719](https://github.com/python-zeroconf/python-zeroconf/pull/1719), fix\n- [Issue #1713](https://github.com/python-zeroconf/python-zeroconf/issues/1713), public tracking issue\n- [RFC 1035 \u00a74.1.4](https://www.rfc-editor.org/rfc/rfc1035#section-4.1.4), [RFC 6762](https://www.rfc-editor.org/rfc/rfc6762), [CWE-674](https://cwe.mitre.org/data/definitions/674.html)",
"id": "GHSA-9pgc-3ccv-5297",
"modified": "2026-05-29T20:09:52Z",
"published": "2026-05-29T20:09:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/security/advisories/GHSA-9pgc-3ccv-5297"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/issues/1713"
},
{
"type": "WEB",
"url": "https://github.com/python-zeroconf/python-zeroconf/pull/1719"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-zeroconf/python-zeroconf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service"
}
GHSA-9XP9-J92R-P88V
Vulnerability from github – Published: 2026-03-17 17:35 – Updated: 2026-03-19 21:11Impact
An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients.
Patches
A depth limit for query condition operator nesting has been added via the requestComplexity.queryDepth server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app.
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.45"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32944"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T17:35:52Z",
"nvd_published_at": "2026-03-18T22:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients.\n\n### Patches\n\nA depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app.\n\n### Workarounds\n\nNone.",
"id": "GHSA-9xp9-j92r-p88v",
"modified": "2026-03-19T21:11:56Z",
"published": "2026-03-17T17:35:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9xp9-j92r-p88v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32944"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10202"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10203"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server crash via deeply nested query condition operators"
}
GHSA-C2P3-7M5P-CV8X
Vulnerability from github – Published: 2026-05-27 21:33 – Updated: 2026-05-27 21:33Description
Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
Resolution
The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45133"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-674",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:33:07Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser` is the entry point for parsing YAML strings into PHP values via `Yaml::parse()`. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (`Parser::parseBlock()`) and inline (`Inline::parseSequence()` / `Inline::parseMapping()`) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.\n\n### Resolution\n\nThe `Parser` now tracks recursion depth in a shared `ParserState` object across both block-level and inline parsing, with a default limit of **128**. The limit is configurable via a new `$maxNestingLevel` argument on `Parser::__construct()`, `Yaml::parse()` and `Yaml::parseFile()`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-c2p3-7m5p-cv8x",
"modified": "2026-05-27T21:33:07Z",
"published": "2026-05-27T21:33:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-c2p3-7m5p-cv8x"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45133.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45133.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45133"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony hardened the parser when handling untrusted input"
}
GHSA-C2V6-69QQ-J8H4
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression.
{
"affected": [],
"aliases": [
"CVE-2017-9729"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-16T15:29:00Z",
"severity": "HIGH"
},
"details": "In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression.",
"id": "GHSA-c2v6-69qq-j8h4",
"modified": "2022-05-13T01:48:06Z",
"published": "2022-05-13T01:48:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9729"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2017/06/16/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C38H-R4WC-M6RM
Vulnerability from github – Published: 2024-04-03 00:30 – Updated: 2024-04-03 00:30In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2024-3247"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T23:15:55Z",
"severity": "LOW"
},
"details": "In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow.\n",
"id": "GHSA-c38h-r4wc-m6rm",
"modified": "2024-04-03T00:30:56Z",
"published": "2024-04-03T00:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3247"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?t=43597"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.