CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
615 vulnerabilities reference this CWE, most recent first.
GHSA-G97Q-39HW-52P8
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-05-24 17:12An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-6071"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-24T21:15:00Z",
"severity": "MODERATE"
},
"details": "An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression pointer is followed without checking for recursion, leading to a denial of service. An attacker can send an mDNS message to trigger this vulnerability.",
"id": "GHSA-g97q-39hw-52p8",
"modified": "2022-05-24T17:12:34Z",
"published": "2022-05-24T17:12:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6071"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202005-10"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-0994"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GGXV-CF23-46HQ
Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2025-24302"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T17:15:32Z",
"severity": "MODERATE"
},
"details": "Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-ggxv-cf23-46hq",
"modified": "2025-08-12T18:31:28Z",
"published": "2025-08-12T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24302"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01326.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GJW3-X488-W5C3
Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads.
This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.
{
"affected": [],
"aliases": [
"CVE-2026-47320"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T10:16:39Z",
"severity": "MODERATE"
},
"details": "Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads.\n\nThis issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.",
"id": "GHSA-gjw3-x488-w5c3",
"modified": "2026-06-04T12:30:25Z",
"published": "2026-06-04T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47320"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/rlottie/pull/593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GR6J-4VHJ-C665
Vulnerability from github – Published: 2022-01-15 00:00 – Updated: 2022-01-23 00:00GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.
{
"affected": [],
"aliases": [
"CVE-2021-46195"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-14T20:15:00Z",
"severity": "MODERATE"
},
"details": "GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.",
"id": "GHSA-gr6j-4vhj-c665",
"modified": "2022-01-23T00:00:30Z",
"published": "2022-01-15T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46195"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103841"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GRCG-MGX8-MFVF
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
eventpoll: Fix semi-unbounded recursion
Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links.
Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons:
- They don't look upwards in the tree.
- If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths").
Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops.
A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files.
As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").)
To fix it:
- In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited.
- Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk.
- In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges.
{
"affected": [],
"aliases": [
"CVE-2025-38614"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T17:15:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don\u0027t\nlimit the depth of the resulting tree for two reasons:\n\n - They don\u0027t look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n the paths is actually considered for the depth check since commit\n 28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges.",
"id": "GHSA-grcg-mgx8-mfvf",
"modified": "2026-07-14T15:31:27Z",
"published": "2025-08-19T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38614"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GRPP-MCMX-P7PC
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2019-6293"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T00:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of \u0027*\u0027 characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
"id": "GHSA-grpp-mcmx-p7pc",
"modified": "2022-05-13T01:22:41Z",
"published": "2022-05-13T01:22:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293"
},
{
"type": "WEB",
"url": "https://github.com/westes/flex/issues/414"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GRR9-747V-XVCP
Vulnerability from github – Published: 2026-03-19 21:31 – Updated: 2026-07-06 13:06When Scriban renders an object that contains a circular reference, it traverses the object's members infinitely. Because the ObjectRecursionLimit property defaults to unlimited, this behavior exhausts the thread's stack space, triggering an uncatchable StackOverflowException that immediately terminates the hosting process.
When rendering objects (e.g., {{ obj }}), the Scriban rendering engine recursively inspects and formats the object's properties. To prevent infinite loops caused by deeply nested or circular data structures, TemplateContext contains an ObjectRecursionLimit property.
However, this property currently defaults to 0 (unlimited). If the data context pushed into the template contains a circular reference, the renderer will recurse indefinitely. This is especially dangerous for web applications that map user-controlled payloads (like JSON) directly to rendering contexts, or for applications that pass ORM objects (like Entity Framework models, which frequently contain circular navigation properties) into the template.
Proof of Concept (PoC)
The following C# code demonstrates the vulnerability. Executing this will cause an immediate, fatal StackOverflowException, bypassing any standard error handling.
using Scriban;
using Scriban.Runtime;
var template = Template.Parse("{{ a }}");
var context = new TemplateContext();
var a = new ScriptObject();
// Introduce a cycle
a["self"] = a;
context.PushGlobal(new ScriptObject { { "a", a } });
try {
// This crashes the entire process immediately
template.Render(context);
} catch (Exception ex) {
// This will never execute because StackOverflowException
Console.WriteLine("Caught exception: " + ex.Message);
}
Impact
This vulnerability allows a Denial of Service (DoS) attack. If a malicious user can manipulate the data structure passed to the renderer to include a cyclic reference, or if the application passes a complex object graph to an untrusted template, the entire .NET hosting process will crash.
Suggested Remediation
Update TemplateContext.cs to set ObjectRecursionLimit to a safe default, such as 20.
public int ObjectRecursionLimit { get; set; } = 20;
By implementing this default, circular references will gracefully result in a catchable ScriptRuntimeException rather than a fatal process crash.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "scriban"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Scriban.Signed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T21:31:01Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "When Scriban renders an object that contains a circular reference, it traverses the object\u0027s members infinitely. Because the `ObjectRecursionLimit` property defaults to unlimited, this behavior exhausts the thread\u0027s stack space, triggering an uncatchable `StackOverflowException` that immediately terminates the hosting process.\n\nWhen rendering objects (e.g., `{{ obj }}`), the Scriban rendering engine recursively inspects and formats the object\u0027s properties. To prevent infinite loops caused by deeply nested or circular data structures, `TemplateContext` contains an `ObjectRecursionLimit` property. \n\nHowever, this property currently defaults to `0` (unlimited). If the data context pushed into the template contains a circular reference, the renderer will recurse indefinitely. This is especially dangerous for web applications that map user-controlled payloads (like JSON) directly to rendering contexts, or for applications that pass ORM objects (like Entity Framework models, which frequently contain circular navigation properties) into the template.\n\n#### Proof of Concept (PoC)\nThe following C# code demonstrates the vulnerability. Executing this will cause an immediate, fatal `StackOverflowException`, bypassing any standard error handling.\n\n```csharp\nusing Scriban;\nusing Scriban.Runtime;\n\nvar template = Template.Parse(\"{{ a }}\");\nvar context = new TemplateContext();\nvar a = new ScriptObject();\n\n// Introduce a cycle\na[\"self\"] = a;\ncontext.PushGlobal(new ScriptObject { { \"a\", a } });\n\ntry {\n // This crashes the entire process immediately\n template.Render(context);\n} catch (Exception ex) {\n // This will never execute because StackOverflowException\n Console.WriteLine(\"Caught exception: \" + ex.Message);\n}\n```\n\n#### Impact\nThis vulnerability allows a Denial of Service (DoS) attack. If a malicious user can manipulate the data structure passed to the renderer to include a cyclic reference, or if the application passes a complex object graph to an untrusted template, the entire .NET hosting process will crash.\n\n#### Suggested Remediation\nUpdate `TemplateContext.cs` to set `ObjectRecursionLimit` to a safe default, such as `20`.\n\n```csharp\npublic int ObjectRecursionLimit { get; set; } = 20;\n```\nBy implementing this default, circular references will gracefully result in a catchable `ScriptRuntimeException` rather than a fatal process crash.",
"id": "GHSA-grr9-747v-xvcp",
"modified": "2026-07-06T13:06:27Z",
"published": "2026-03-19T21:31:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/security/advisories/GHSA-grr9-747v-xvcp"
},
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/commit/a6fe6074199e5c04f4d29dc8d8e652b24d33e3e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/scriban/scriban"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service)"
}
GHSA-GVG5-GHCH-6WW2
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36725407.
{
"affected": [],
"aliases": [
"CVE-2017-0692"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-06T20:29:00Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36725407.",
"id": "GHSA-gvg5-ghch-6ww2",
"modified": "2022-05-13T01:40:29Z",
"published": "2022-05-13T01:40:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0692"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-07-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99478"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GW7G-QR8W-3448
Vulnerability from github – Published: 2023-11-13 03:30 – Updated: 2024-10-26 18:35Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "remarshal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-47163"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-14T22:19:05Z",
"nvd_published_at": "2023-11-13T03:15:09Z",
"severity": "HIGH"
},
"details": "Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.",
"id": "GHSA-gw7g-qr8w-3448",
"modified": "2024-10-26T18:35:38Z",
"published": "2023-11-13T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47163"
},
{
"type": "WEB",
"url": "https://github.com/remarshal-project/remarshal/commit/fd6ac799a02f533c3fc243b49cdd6d21aa7ee494"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/remarshal/PYSEC-2023-236.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/remarshal-project/remarshal"
},
{
"type": "WEB",
"url": "https://github.com/remarshal-project/remarshal/releases/tag/v0.17.1"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN86156389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack"
}
GHSA-H2VR-RQQP-XV8M
Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2025-12-16 00:30uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
{
"affected": [],
"aliases": [
"CVE-2025-67899"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-14T23:15:37Z",
"severity": "LOW"
},
"details": "uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.",
"id": "GHSA-h2vr-rqqp-xv8m",
"modified": "2025-12-16T00:30:29Z",
"published": "2025-12-15T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67899"
},
{
"type": "WEB",
"url": "https://github.com/uriparser/uriparser/issues/282"
},
{
"type": "WEB",
"url": "https://github.com/uriparser/uriparser/pull/284"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/15/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.