CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-H36C-3666-H489
Vulnerability from github – Published: 2026-06-25 21:49 – Updated: 2026-06-25 21:50A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48734"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:49:59Z",
"nvd_published_at": "2026-06-10T23:16:49Z",
"severity": "MODERATE"
},
"details": "A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check.",
"id": "GHSA-h36c-3666-h489",
"modified": "2026-06-25T21:50:00Z",
"published": "2026-06-25T21:49:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-h36c-3666-h489"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48734"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.14.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick Vulnerable to Stack Overflow in its MVG Decoder"
}
GHSA-H3QM-JRRF-CGJ3
Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2023-02-09 20:23graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/graphql-go/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37315"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-10T15:43:18Z",
"nvd_published_at": "2022-08-01T22:15:00Z",
"severity": "HIGH"
},
"details": "graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.",
"id": "GHSA-h3qm-jrrf-cgj3",
"modified": "2023-02-09T20:23:23Z",
"published": "2022-08-02T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37315"
},
{
"type": "WEB",
"url": "https://github.com/graphql-go/graphql/issues/637"
},
{
"type": "WEB",
"url": "https://github.com/graphql-go/graphql/pull/642"
},
{
"type": "WEB",
"url": "https://github.com/graphql-go/graphql/pull/642/commits/4188bd5b3877f7badb951b421cf66e0af2eacb22"
},
{
"type": "PACKAGE",
"url": "https://github.com/graphql-go/graphql"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0942"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "graphql-go has infinite recursion in the type definition parser"
}
GHSA-H46W-FFVP-4PW5
Vulnerability from github – Published: 2026-03-16 18:32 – Updated: 2026-06-04 21:31When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.
{
"affected": [],
"aliases": [
"CVE-2026-4224"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T18:16:10Z",
"severity": "MODERATE"
},
"details": "When an Expat parser with a registered ElementDeclHandler parses an inline\ndocument type definition containing a deeply nested content model a C stack\noverflow occurs.",
"id": "GHSA-h46w-ffvp-4pw5",
"modified": "2026-06-04T21:31:19Z",
"published": "2026-03-16T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4224"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/145986"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/145987"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/196edfb06a7458377d4d0f4b3cd41724c1f3bd4a"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/af856a7177326ac25d9f66cc6dd28b554d914fee"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e0a8a6da90597a924b300debe045cdb4628ee1f3"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/eb0e8be3a7e11b87d198a2c3af1ed0eccf532768"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/03/16/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H536-VFR2-H6PW
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2019-9144"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-25T15:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Exiv2 0.27. There is infinite recursion at BigTiffImage::printIFD in the file bigtiffimage.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
"id": "GHSA-h536-vfr2-h6pw",
"modified": "2022-05-13T01:23:02Z",
"published": "2022-05-13T01:23:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9144"
},
{
"type": "WEB",
"url": "https://github.com/Exiv2/exiv2/issues/712"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2anonymous-namespacebigtiffimageprintifd-exiv2-0-27"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107161"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H557-5H69-JF25
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 18:30In the Linux kernel, the following vulnerability has been resolved:
perf: Improve missing SIGTRAP checking
To catch missing SIGTRAP we employ a WARN in __perf_event_overflow(), which fires if pending_sigtrap was already set: returning to user space without consuming pending_sigtrap, and then having the event fire again would re-enter the kernel and trigger the WARN.
This, however, seemed to miss the case where some events not associated with progress in the user space task can fire and the interrupt handler runs before the IRQ work meant to consume pending_sigtrap (and generate the SIGTRAP).
syzbot gifted us this stack trace:
| WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow | Modules linked in: | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313 | <...> | Call Trace: | | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729 | __run_hrtimer kernel/time/hrtimer.c:1685 [inline] | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749 | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline] | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113 | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107 | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649 | <...> |
In this case, syzbot produced a program with event type PERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer manages to fire again before the IRQ work got a chance to run, all while never having returned to user space.
Improve the WARN to check for real progress in user space: approximate this by storing a 32-bit hash of the current IP into pending_sigtrap, and if an event fires while pending_sigtrap still matches the previous IP, we assume no progress (false negatives are possible given we could return to user space and trigger again on the same IP).
{
"affected": [],
"aliases": [
"CVE-2022-49782"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:01Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Improve missing SIGTRAP checking\n\nTo catch missing SIGTRAP we employ a WARN in __perf_event_overflow(),\nwhich fires if pending_sigtrap was already set: returning to user space\nwithout consuming pending_sigtrap, and then having the event fire again\nwould re-enter the kernel and trigger the WARN.\n\nThis, however, seemed to miss the case where some events not associated\nwith progress in the user space task can fire and the interrupt handler\nruns before the IRQ work meant to consume pending_sigtrap (and generate\nthe SIGTRAP).\n\nsyzbot gifted us this stack trace:\n\n | WARNING: CPU: 0 PID: 3607 at kernel/events/core.c:9313 __perf_event_overflow\n | Modules linked in:\n | CPU: 0 PID: 3607 Comm: syz-executor100 Not tainted 6.1.0-rc2-syzkaller-00073-g88619e77b33d #0\n | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022\n | RIP: 0010:__perf_event_overflow+0x498/0x540 kernel/events/core.c:9313\n | \u003c...\u003e\n | Call Trace:\n | \u003cTASK\u003e\n | perf_swevent_hrtimer+0x34f/0x3c0 kernel/events/core.c:10729\n | __run_hrtimer kernel/time/hrtimer.c:1685 [inline]\n | __hrtimer_run_queues+0x1c6/0xfb0 kernel/time/hrtimer.c:1749\n | hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811\n | local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1096 [inline]\n | __sysvec_apic_timer_interrupt+0x17c/0x640 arch/x86/kernel/apic/apic.c:1113\n | sysvec_apic_timer_interrupt+0x40/0xc0 arch/x86/kernel/apic/apic.c:1107\n | asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649\n | \u003c...\u003e\n | \u003c/TASK\u003e\n\nIn this case, syzbot produced a program with event type\nPERF_TYPE_SOFTWARE and config PERF_COUNT_SW_CPU_CLOCK. The hrtimer\nmanages to fire again before the IRQ work got a chance to run, all while\nnever having returned to user space.\n\nImprove the WARN to check for real progress in user space: approximate\nthis by storing a 32-bit hash of the current IP into pending_sigtrap,\nand if an event fires while pending_sigtrap still matches the previous\nIP, we assume no progress (false negatives are possible given we could\nreturn to user space and trigger again on the same IP).",
"id": "GHSA-h557-5h69-jf25",
"modified": "2025-11-07T18:30:25Z",
"published": "2025-05-01T15:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49782"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35c60b4e8ca76712dd03bafe2598e31578248916"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b09221f1b4944d2866d06ac35e59d7a6f8916c9f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bb88f9695460bec25aa30ba9072595025cf6c8af"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5HJ-56H4-RWCP
Vulnerability from github – Published: 2026-04-28 12:31 – Updated: 2026-07-09 15:32Uncontrolled Recursion vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-41606"
],
"database_specific": {
"cwe_ids": [
"CWE-606",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T10:16:03Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.",
"id": "GHSA-h5hj-56h4-rwcp",
"modified": "2026-07-09T15:32:01Z",
"published": "2026-04-28T12:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41606"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:14885"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21769"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22423"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23345"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24539"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36882"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-41606"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463408"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41606.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/04/28/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H85M-6QG2-23FM
Vulnerability from github – Published: 2025-09-18 18:30 – Updated: 2025-12-11 15:30In the Linux kernel, the following vulnerability has been resolved:
crypto: hisilicon/qm - increase the memory of local variables
Increase the buffer to prevent stack overflow by fuzz test. The maximum length of the qos configuration buffer is 256 bytes. Currently, the value of the 'val buffer' is only 32 bytes. The sscanf does not check the dest memory length. So the 'val buffer' may stack overflow.
{
"affected": [],
"aliases": [
"CVE-2022-50407"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T16:15:43Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/qm - increase the memory of local variables\n\nIncrease the buffer to prevent stack overflow by fuzz test. The maximum\nlength of the qos configuration buffer is 256 bytes. Currently, the value\nof the \u0027val buffer\u0027 is only 32 bytes. The sscanf does not check the dest\nmemory length. So the \u0027val buffer\u0027 may stack overflow.",
"id": "GHSA-h85m-6qg2-23fm",
"modified": "2025-12-11T15:30:30Z",
"published": "2025-09-18T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50407"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34c4f8ad45b4ea814c7ecc3f23a2d292959d5a52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3efe90af4c0c46c58dba1b306de142827153d9c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fc521abb6ee4b8f06fdfc52646140dab6a2ed334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H86H-8PPG-MXMH
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2024-05-20 20:30golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/net"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20210428140749-89ef3d95e781"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-31525"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T00:35:49Z",
"nvd_published_at": "2021-05-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "golang.org/x/net/http/httpguts in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.",
"id": "GHSA-h86h-8ppg-mxmh",
"modified": "2024-05-20T20:30:58Z",
"published": "2022-05-24T19:03:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31525"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/45710"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/go"
},
{
"type": "WEB",
"url": "https://go.dev/cl/313069"
},
{
"type": "WEB",
"url": "https://go.dev/issue/45710"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/net/+/89ef3d95e781148a0951956029c92a211477f7f9"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRZZ6NY5R2TBYE72KZFOCO25TEUQTBF"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0236"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "golang.org/x/net/http/httpguts vulnerable to Uncontrolled Recursion"
}
GHSA-H8MV-Q3C4-8HW2
Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2022-08-24 00:00Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.
{
"affected": [],
"aliases": [
"CVE-2022-23460"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-19T20:15:00Z",
"severity": "HIGH"
},
"details": "Jsonxx or Json++ is a JSON parser, writer and reader written in C++. In affected versions of jsonxx json parsing may lead to stack exhaustion in an address sanitized (ASAN) build. This issue may lead to Denial of Service if the program using the jsonxx library crashes. This issue exists on the current commit of the jsonxx project and the project itself has been archived. Updates are not expected. Users are advised to find a replacement.",
"id": "GHSA-h8mv-q3c4-8hw2",
"modified": "2022-08-24T00:00:31Z",
"published": "2022-08-20T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23460"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2022-049_Jsonxx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H9MJ-FGHC-664W
Vulnerability from github – Published: 2017-12-28 22:51 – Updated: 2021-09-14 17:16Affected versions of mqtt do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition.
The vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor.
Proof of Concept
The following is a demonstration of how to generate the malicious packet sequence, but does not include information on handling the initial network connections and MQTT overhead.
var mqttp = require('mqtt-packet');
var packets = [];
for(var i=0; i<=1000;i++){
packets.push(
mqttp.generate({
cmd:'publish',
topic:Buffer.from('hello'),
payload:Buffer.from('world'),
retain: false,
dup: false,
messageId: ++i,
qos: 1
})
)
}
Recommendation
Update to version 2.15.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mqtt"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-10910"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:39:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of `mqtt` do not properly handle PUBLISH packets returning from the server, leading to a Denial of Service condition.\n\nThe vulnerability is completely mitigated if the only connected servers are trusted, guaranteed not to be under the control of a malicious actor.\n\n## Proof of Concept\n\nThe following is a demonstration of how to generate the malicious packet sequence, but does not include information on handling the initial network connections and MQTT overhead.\n```\nvar mqttp = require(\u0027mqtt-packet\u0027);\nvar packets = [];\nfor(var i=0; i\u003c=1000;i++){\n packets.push(\n mqttp.generate({\n cmd:\u0027publish\u0027,\n topic:Buffer.from(\u0027hello\u0027),\n payload:Buffer.from(\u0027world\u0027),\n retain: false,\n dup: false, \n messageId: ++i, \n qos: 1\n })\n )\n}\n\n```\n\n\n## Recommendation\n\nUpdate to version 2.15.0 or later.",
"id": "GHSA-h9mj-fghc-664w",
"modified": "2021-09-14T17:16:40Z",
"published": "2017-12-28T22:51:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10910"
},
{
"type": "WEB",
"url": "https://github.com/mqttjs/MQTT.js/commit/403ba53b838f2d319a0c0505a045fe00239e9923"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h9mj-fghc-664w"
},
{
"type": "PACKAGE",
"url": "https://github.com/mqttjs/MQTT.js"
},
{
"type": "WEB",
"url": "https://github.com/mqttjs/MQTT.js/releases/tag/v2.15.0"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/security-wg/blob/master/vuln/npm/357.json"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN45494523/index.html"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/555"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in mqtt"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.