Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

615 vulnerabilities reference this CWE, most recent first.

GHSA-G97Q-39HW-52P8

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12
VLAI
Details

An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-24T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.",
  "id": "GHSA-g97q-39hw-52p8",
  "modified": "2022-05-24T17:12:34Z",
  "published": "2022-05-24T17:12:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6071"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202005-10"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-0994"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GGXV-CF23-46HQ

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T17:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-ggxv-cf23-46hq",
  "modified": "2025-08-12T18:31:28Z",
  "published": "2025-08-12T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24302"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01326.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-GJW3-X488-W5C3

Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30
VLAI
Details

Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads.

This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-47320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T10:16:39Z",
    "severity": "MODERATE"
  },
  "details": "Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads.\n\nThis issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.",
  "id": "GHSA-gjw3-x488-w5c3",
  "modified": "2026-06-04T12:30:25Z",
  "published": "2026-06-04T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Samsung/rlottie/pull/593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GR6J-4VHJ-C665

Vulnerability from github – Published: 2022-01-15 00:00 – Updated: 2022-01-23 00:00
VLAI
Details

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
  "id": "GHSA-gr6j-4vhj-c665",
  "modified": "2022-01-23T00:00:30Z",
  "published": "2022-01-15T00:00:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
    },
    {
      "type": "WEB",
      "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GRCG-MGX8-MFVF

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

eventpoll: Fix semi-unbounded recursion

Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links.

Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons:

  • They don't look upwards in the tree.
  • If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths").

Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops.

A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files.

As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").)

To fix it:

  1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited.
  2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk.
  3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T17:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don\u0027t\nlimit the depth of the resulting tree for two reasons:\n\n - They don\u0027t look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n   the paths is actually considered for the depth check since commit\n   28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.",
  "id": "GHSA-grcg-mgx8-mfvf",
  "modified": "2026-07-14T15:31:27Z",
  "published": "2025-08-19T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38614"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRPP-MCMX-P7PC

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of \u0027*\u0027 characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
  "id": "GHSA-grpp-mcmx-p7pc",
  "modified": "2022-05-13T01:22:41Z",
  "published": "2022-05-13T01:22:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/westes/flex/issues/414"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRR9-747V-XVCP

Vulnerability from github – Published: 2026-03-19 21:31 – Updated: 2026-07-06 13:06
VLAI
Summary
Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service)
Details

When Scriban renders an object that contains a circular reference, it traverses the object's members infinitely. Because the ObjectRecursionLimit property defaults to unlimited, this behavior exhausts the thread's stack space, triggering an uncatchable StackOverflowException that immediately terminates the hosting process.

When rendering objects (e.g., {{ obj }}), the Scriban rendering engine recursively inspects and formats the object's properties. To prevent infinite loops caused by deeply nested or circular data structures, TemplateContext contains an ObjectRecursionLimit property.

However, this property currently defaults to 0 (unlimited). If the data context pushed into the template contains a circular reference, the renderer will recurse indefinitely. This is especially dangerous for web applications that map user-controlled payloads (like JSON) directly to rendering contexts, or for applications that pass ORM objects (like Entity Framework models, which frequently contain circular navigation properties) into the template.

Proof of Concept (PoC)

The following C# code demonstrates the vulnerability. Executing this will cause an immediate, fatal StackOverflowException, bypassing any standard error handling.

using Scriban;
using Scriban.Runtime;

var template = Template.Parse("{{ a }}");
var context = new TemplateContext();
var a = new ScriptObject();

// Introduce a cycle
a["self"] = a;
context.PushGlobal(new ScriptObject { { "a", a } });

try {
  // This crashes the entire process immediately
  template.Render(context);
} catch (Exception ex) {
  // This will never execute because StackOverflowException
  Console.WriteLine("Caught exception: " + ex.Message);
}

Impact

This vulnerability allows a Denial of Service (DoS) attack. If a malicious user can manipulate the data structure passed to the renderer to include a cyclic reference, or if the application passes a complex object graph to an untrusted template, the entire .NET hosting process will crash.

Suggested Remediation

Update TemplateContext.cs to set ObjectRecursionLimit to a safe default, such as 20.

public int ObjectRecursionLimit { get; set; } = 20;

By implementing this default, circular references will gracefully result in a catchable ScriptRuntimeException rather than a fatal process crash.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "scriban"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.5.8"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Scriban.Signed"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T21:31:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "When Scriban renders an object that contains a circular reference, it traverses the object\u0027s members infinitely. Because the `ObjectRecursionLimit` property defaults to unlimited, this behavior exhausts the thread\u0027s stack space, triggering an uncatchable `StackOverflowException` that immediately terminates the hosting process.\n\nWhen rendering objects (e.g., `{{ obj }}`), the Scriban rendering engine recursively inspects and formats the object\u0027s properties. To prevent infinite loops caused by deeply nested or circular data structures, `TemplateContext` contains an `ObjectRecursionLimit` property. \n\nHowever, this property currently defaults to `0` (unlimited). If the data context pushed into the template contains a circular reference, the renderer will recurse indefinitely. This is especially dangerous for web applications that map user-controlled payloads (like JSON) directly to rendering contexts, or for applications that pass ORM objects (like Entity Framework models, which frequently contain circular navigation properties) into the template.\n\n#### Proof of Concept (PoC)\nThe following C# code demonstrates the vulnerability. Executing this will cause an immediate, fatal `StackOverflowException`, bypassing any standard error handling.\n\n```csharp\nusing Scriban;\nusing Scriban.Runtime;\n\nvar template = Template.Parse(\"{{ a }}\");\nvar context = new TemplateContext();\nvar a = new ScriptObject();\n\n// Introduce a cycle\na[\"self\"] = a;\ncontext.PushGlobal(new ScriptObject { { \"a\", a } });\n\ntry {\n  // This crashes the entire process immediately\n  template.Render(context);\n} catch (Exception ex) {\n  // This will never execute because StackOverflowException\n  Console.WriteLine(\"Caught exception: \" + ex.Message);\n}\n```\n\n#### Impact\nThis vulnerability allows a Denial of Service (DoS) attack. If a malicious user can manipulate the data structure passed to the renderer to include a cyclic reference, or if the application passes a complex object graph to an untrusted template, the entire .NET hosting process will crash.\n\n#### Suggested Remediation\nUpdate `TemplateContext.cs` to set `ObjectRecursionLimit` to a safe default, such as `20`.\n\n```csharp\npublic int ObjectRecursionLimit { get; set; } = 20;\n```\nBy implementing this default, circular references will gracefully result in a catchable `ScriptRuntimeException` rather than a fatal process crash.",
  "id": "GHSA-grr9-747v-xvcp",
  "modified": "2026-07-06T13:06:27Z",
  "published": "2026-03-19T21:31:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scriban/scriban/security/advisories/GHSA-grr9-747v-xvcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scriban/scriban/commit/a6fe6074199e5c04f4d29dc8d8e652b24d33e3e4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scriban/scriban"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service)"
}

GHSA-GVG5-GHCH-6WW2

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40
VLAI
Details

A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36725407.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-06T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36725407.",
  "id": "GHSA-gvg5-ghch-6ww2",
  "modified": "2022-05-13T01:40:29Z",
  "published": "2022-05-13T01:40:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0692"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-07-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99478"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GW7G-QR8W-3448

Vulnerability from github – Published: 2023-11-13 03:30 – Updated: 2024-10-26 18:35
VLAI
Summary
Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack
Details

Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "remarshal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-47163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-14T22:19:05Z",
    "nvd_published_at": "2023-11-13T03:15:09Z",
    "severity": "HIGH"
  },
  "details": "Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.",
  "id": "GHSA-gw7g-qr8w-3448",
  "modified": "2024-10-26T18:35:38Z",
  "published": "2023-11-13T03:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/remarshal-project/remarshal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/remarshal-project/remarshal/releases/tag/v0.17.1"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN86156389"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack"
}

GHSA-H2VR-RQQP-XV8M

Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-16 00:30
VLAI
Details

uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-14T23:15:37Z",
    "severity": "LOW"
  },
  "details": "uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.",
  "id": "GHSA-h2vr-rqqp-xv8m",
  "modified": "2025-12-16T00:30:29Z",
  "published": "2025-12-15T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uriparser/uriparser/issues/282"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uriparser/uriparser/pull/284"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/15/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.