CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
615 vulnerabilities reference this CWE, most recent first.
GHSA-G47V-RWMH-R9F8
Vulnerability from github – Published: 2026-05-08 23:12 – Updated: 2026-06-08 23:30Summary
EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker.
Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.
Details
The vulnerable function is EmlParser.get_raw_body_text() in eml_parser/parser.py. For every part of type multipart/*, the function iterates over its sub-parts; for every sub-part of type message/rfc822, it calls itself recursively on the inner message:
There is no depth parameter and no early-abort. CPython's default sys.recursionlimit is 1000. Each level of message/rfc822 nesting adds approximately 8 frames to the stack (parser code + stdlib _header_value_parser calls), so roughly 120 nested levels exhaust the limit.
The RecursionError is not caught anywhere along the call chain, so it propagates out of decode_email_bytes() and aborts processing of the entire message.
PoC
Environment: Python 3.12.3, eml_parser 3.0.0 (pip install eml_parser==3.0.0), default sys.recursionlimit=1000, Ubuntu 24.04 aarch64. No special configuration of EmlParser, default constructor.
Self-contained reproducer that builds the PoC and triggers the crash:
import eml_parser
def build_poc(depth=124):
inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
msg = inner
for i in range(depth):
b = f"B{i}".encode()
msg = (
b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n'
) + msg + b'\r\n--' + b + b'--\r\n'
return msg
ep = eml_parser.EmlParser()
ep.decode_email_bytes(build_poc())
# RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64).
Note that the suggested code does not produce an RFC compliant message.
Resulting EML payload size: 12,369 bytes.
SHA-256 of generated PoC: 00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8
The crash is deterministic on a stock install. No network, no special headers, no large attachments.
Impact
Denial of service of any pipeline that processes attacker-supplied EML files using eml_parser.
A single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad try/except. Even then, attacker-supplied volume can keep workers in a perpetual restart loop.
The vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation. Considering that email messages pass through a mail-server which does some kind of validation, messages as produced by the build_poc function would not reach eml_parser. Nonetheless recursion depth checks have been implemented to handle the described issue.
Reporter
Sebastián Alba Vives (@Sebasteuo)
Independent security researcher, Senior AppSec Consultant
LinkedIn: https://www.linkedin.com/in/sebastian-alba
Email: sebasjosue84@gmail.com
PGP: 0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "PyPI",
"name": "eml_parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44844"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T23:12:51Z",
"nvd_published_at": "2026-05-26T21:16:39Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker.\nThough this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.\n\n### Details\n\nThe vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message:\n\nThere is no depth parameter and no early-abort. CPython\u0027s default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit.\n\nThe `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message.\n\n\n### PoC\n\nEnvironment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor.\n\nSelf-contained reproducer that builds the PoC and triggers the crash:\n\n```python\nimport eml_parser\n\ndef build_poc(depth=124):\n inner = b\"From: a@a\\r\\nTo: b@b\\r\\nContent-Type: text/plain\\r\\n\\r\\n.\\r\\n\"\n msg = inner\n for i in range(depth):\n b = f\"B{i}\".encode()\n msg = (\n b\u0027Content-Type: multipart/mixed; boundary=\"\u0027 + b + b\u0027\"\\r\\n\\r\\n\u0027\n b\u0027--\u0027 + b + b\u0027\\r\\nContent-Type: message/rfc822\\r\\n\\r\\n\u0027\n ) + msg + b\u0027\\r\\n--\u0027 + b + b\u0027--\\r\\n\u0027\n return msg\n\nep = eml_parser.EmlParser()\nep.decode_email_bytes(build_poc())\n# RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64).\n```\n\nNote that the suggested code does not produce an RFC compliant message.\nResulting EML payload size: 12,369 bytes.\nSHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8`\n\nThe crash is deterministic on a stock install. No network, no special headers, no large attachments.\n\n### Impact\n\nDenial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`.\n\nA single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop.\n\nThe vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation.\nConsidering that email messages pass through a mail-server which does some kind of validation, messages as produced by the *build_poc* function would not reach eml_parser.\nNonetheless recursion depth checks have been implemented to handle the described issue.\n\n\n### Reporter\n\nSebasti\u00e1n Alba Vives (`@Sebasteuo`)\nIndependent security researcher, Senior AppSec Consultant\nLinkedIn: https://www.linkedin.com/in/sebastian-alba\nEmail: sebasjosue84@gmail.com\nPGP: `0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4`",
"id": "GHSA-g47v-rwmh-r9f8",
"modified": "2026-06-08T23:30:15Z",
"published": "2026-05-08T23:12:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44844"
},
{
"type": "PACKAGE",
"url": "https://github.com/GOVCERT-LU/eml_parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "eml_parser has recursion DoS via nested message/rfc822 attachments"
}
GHSA-G5GV-J2X8-CXR2
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.
{
"affected": [],
"aliases": [
"CVE-2020-10995"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.",
"id": "GHSA-g5gv-j2x8-cxr2",
"modified": "2022-05-24T17:18:06Z",
"published": "2022-05-24T17:18:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10995"
},
{
"type": "WEB",
"url": "https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMP72NJGKBWR5WEBXAWX5KSLQUDFTG6S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PS4ZN5XGENYNFKX7QIIOUCQQHXE37GJF"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4691"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00052.html"
},
{
"type": "WEB",
"url": "http://www.nxnsattack.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G5MF-WQQ5-VWG6
Vulnerability from github – Published: 2026-05-18 20:33 – Updated: 2026-06-11 14:04Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45664"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-407",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:33:59Z",
"nvd_published_at": "2026-06-10T22:16:58Z",
"severity": "MODERATE"
},
"details": "Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use.",
"id": "GHSA-g5mf-wqq5-vwg6",
"modified": "2026-06-11T14:04:48Z",
"published": "2026-05-18T20:33:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45664"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick: Policy Bypass in MNG coder could "
}
GHSA-G65W-25M5-5GCG
Vulnerability from github – Published: 2023-08-24 09:30 – Updated: 2025-11-04 00:30CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2023-4512"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-24T07:15:12Z",
"severity": "HIGH"
},
"details": "CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-g65w-25m5-5gcg",
"modified": "2025-11-04T00:30:39Z",
"published": "2023-08-24T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4512"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/19144"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HCUPLDY7HLPO46PHMGIJSUBJFTT237C"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L4AVRUYSHDNEAJILVSGY5W6MPOMG2YRF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRKHFQPWFU7F3OXTL6IEIQSJG6FVXZTZ"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2023-23.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G6WF-CH53-MGQF
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2024-04-04 02:42alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
{
"affected": [],
"aliases": [
"CVE-2019-19645"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-09T16:15:00Z",
"severity": "MODERATE"
},
"details": "alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.",
"id": "GHSA-g6wf-ch53-mgqf",
"modified": "2024-04-04T02:42:23Z",
"published": "2022-05-24T17:02:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19645"
},
{
"type": "WEB",
"url": "https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20191223-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4394-1"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2021-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G766-4VG6-3Q5Q
Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix stack protector issue in send_ipi_data()
Function kvm_io_bus_read() is called in function send_ipi_data(), buffer size of parameter val should be at least 8 bytes. Since some emulation functions like loongarch_ipi_readl() and kvm_eiointc_read() will write the buffer val with 8 bytes signed extension regardless parameter len.
Otherwise there will be buffer overflow issue when CONFIG_STACKPROTECTOR is enabled. The bug report is shown as follows:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: send_ipi_data+0x194/0x1a0 [kvm] CPU: 11 UID: 107 PID: 2692 Comm: CPU 0/KVM Not tainted 6.17.0-rc1+ #102 PREEMPT(full) Stack : 9000000005901568 0000000000000000 9000000003af371c 900000013c68c000 900000013c68f850 900000013c68f858 0000000000000000 900000013c68f998 900000013c68f990 900000013c68f990 900000013c68f6c0 fffffffffffdb058 fffffffffffdb0e0 900000013c68f858 911e1d4d39cf0ec2 9000000105657a00 0000000000000001 fffffffffffffffe 0000000000000578 282049464555206e 6f73676e6f6f4c20 0000000000000001 00000000086b4000 0000000000000000 0000000000000000 0000000000000000 9000000005709968 90000000058f9000 900000013c68fa68 900000013c68fab4 90000000029279f0 900000010153f940 900000010001f360 0000000000000000 9000000003af3734 000000004390000c 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d ... Call Trace: [<9000000003af3734>] show_stack+0x5c/0x180 [<9000000003aed168>] dump_stack_lvl+0x6c/0x9c [<9000000003ad0ab0>] vpanic+0x108/0x2c4 [<9000000003ad0ca8>] panic+0x3c/0x40 [<9000000004eb0a1c>] __stack_chk_fail+0x14/0x18 [] send_ipi_data+0x190/0x1a0 [kvm] [] __kvm_io_bus_write+0xa4/0xe8 [kvm] [] kvm_io_bus_write+0x54/0x90 [kvm] [] kvm_emu_iocsr+0x180/0x310 [kvm] [] kvm_handle_gspr+0x280/0x478 [kvm] [] kvm_handle_exit+0xc0/0x130 [kvm]
{
"affected": [],
"aliases": [
"CVE-2025-39704"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T18:15:47Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix stack protector issue in send_ipi_data()\n\nFunction kvm_io_bus_read() is called in function send_ipi_data(), buffer\nsize of parameter *val should be at least 8 bytes. Since some emulation\nfunctions like loongarch_ipi_readl() and kvm_eiointc_read() will write\nthe buffer *val with 8 bytes signed extension regardless parameter len.\n\nOtherwise there will be buffer overflow issue when CONFIG_STACKPROTECTOR\nis enabled. The bug report is shown as follows:\n\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: send_ipi_data+0x194/0x1a0 [kvm]\nCPU: 11 UID: 107 PID: 2692 Comm: CPU 0/KVM Not tainted 6.17.0-rc1+ #102 PREEMPT(full)\nStack : 9000000005901568 0000000000000000 9000000003af371c 900000013c68c000\n 900000013c68f850 900000013c68f858 0000000000000000 900000013c68f998\n 900000013c68f990 900000013c68f990 900000013c68f6c0 fffffffffffdb058\n fffffffffffdb0e0 900000013c68f858 911e1d4d39cf0ec2 9000000105657a00\n 0000000000000001 fffffffffffffffe 0000000000000578 282049464555206e\n 6f73676e6f6f4c20 0000000000000001 00000000086b4000 0000000000000000\n 0000000000000000 0000000000000000 9000000005709968 90000000058f9000\n 900000013c68fa68 900000013c68fab4 90000000029279f0 900000010153f940\n 900000010001f360 0000000000000000 9000000003af3734 000000004390000c\n 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d\n ...\nCall Trace:\n[\u003c9000000003af3734\u003e] show_stack+0x5c/0x180\n[\u003c9000000003aed168\u003e] dump_stack_lvl+0x6c/0x9c\n[\u003c9000000003ad0ab0\u003e] vpanic+0x108/0x2c4\n[\u003c9000000003ad0ca8\u003e] panic+0x3c/0x40\n[\u003c9000000004eb0a1c\u003e] __stack_chk_fail+0x14/0x18\n[\u003cffff8000023473f8\u003e] send_ipi_data+0x190/0x1a0 [kvm]\n[\u003cffff8000023313e4\u003e] __kvm_io_bus_write+0xa4/0xe8 [kvm]\n[\u003cffff80000233147c\u003e] kvm_io_bus_write+0x54/0x90 [kvm]\n[\u003cffff80000233f9f8\u003e] kvm_emu_iocsr+0x180/0x310 [kvm]\n[\u003cffff80000233fe08\u003e] kvm_handle_gspr+0x280/0x478 [kvm]\n[\u003cffff8000023443e8\u003e] kvm_handle_exit+0xc0/0x130 [kvm]",
"id": "GHSA-g766-4vg6-3q5q",
"modified": "2025-11-25T21:32:04Z",
"published": "2025-09-05T18:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39704"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5c68549c81bcca70fc464e305ffeefd9af968287"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b5b49d341f90eed6de794b6ff34ad3dd66d34343"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G77X-44XX-532M
Vulnerability from github – Published: 2024-10-14 19:45 – Updated: 2024-11-08 18:55Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
- The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
- The Next.js application is hosted on Vercel.
Patches
This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.
Workarounds
Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.
Credits
Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "14.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47831"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-14T19:45:21Z",
"nvd_published_at": "2024-10-14T18:15:05Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.\n\n**Not affected:**\n- The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value.\n- The Next.js application is hosted on Vercel. \n\n### Patches\nThis issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version.\n\n### Workarounds\nEnsure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.\n\n#### Credits\nBrandon Dahler (brandondahler), AWS\nDimitrios Vlastaras",
"id": "GHSA-g77x-44xx-532m",
"modified": "2024-11-08T18:55:47Z",
"published": "2024-10-14T19:45:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47831"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Denial of Service condition in Next.js image optimization"
}
GHSA-G78P-3V3V-H7WM
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.
{
"affected": [],
"aliases": [
"CVE-2021-43519"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-09T13:15:00Z",
"severity": "MODERATE"
},
"details": "Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file.",
"id": "GHSA-g78p-3v3v-h7wm",
"modified": "2022-05-24T19:20:09Z",
"published": "2022-05-24T19:20:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43519"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7XHFYHGSZKL53VCLSJSAJ6VMFGAIXKO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3EMGAQ5Y6GXJLY4K5DUOOEQT4MZ4J4F"
},
{
"type": "WEB",
"url": "http://lua-users.org/lists/lua-l/2021-10/msg00123.html"
},
{
"type": "WEB",
"url": "http://lua-users.org/lists/lua-l/2021-11/msg00015.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8CR-HG2H-9WFR
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.
{
"affected": [],
"aliases": [
"CVE-2018-9996"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-10T22:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. Stack Exhaustion occurs in the C++ demangling functions provided by libiberty, and there are recursive stack frames: demangle_template_value_parm, demangle_integral_value, and demangle_expression.",
"id": "GHSA-g8cr-hg2h-9wfr",
"modified": "2022-05-13T01:53:58Z",
"published": "2022-05-13T01:53:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9996"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85304"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103733"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G97P-564P-26XP
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service (DOS) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2020-18898"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "A stack exhaustion issue in the printIFDStructure function of Exiv2 0.27 allows remote attackers to cause a denial of service (DOS) via a crafted file.",
"id": "GHSA-g97p-564p-26xp",
"modified": "2022-05-24T19:11:50Z",
"published": "2022-05-24T19:11:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18898"
},
{
"type": "WEB",
"url": "https://github.com/Exiv2/exiv2/issues/741"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/674.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.