CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
615 vulnerabilities reference this CWE, most recent first.
GHSA-HV87-47H9-JCVQ
Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:23Affected versions of this crate did not prevent deep recursion while deserializing data structures. This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "yaml-rust"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20993"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:24:44Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate did not prevent deep recursion while deserializing data structures. This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it. The flaw was corrected by checking the recursion depth.",
"id": "GHSA-hv87-47h9-jcvq",
"modified": "2023-06-13T22:23:08Z",
"published": "2021-08-25T20:43:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20993"
},
{
"type": "WEB",
"url": "https://github.com/chyh1990/yaml-rust/pull/109"
},
{
"type": "WEB",
"url": "https://github.com/chyh1990/yaml-rust/commit/d61b49cb90391fc4f7f72a1abe597476c8651a07"
},
{
"type": "PACKAGE",
"url": "https://github.com/chyh1990/yaml-rust"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled recursion in rust-yaml"
}
GHSA-HV8P-7QGV-7R4P
Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.
{
"affected": [],
"aliases": [
"CVE-2025-36001"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T22:15:53Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.",
"id": "GHSA-hv8p-7qgv-7r4p",
"modified": "2026-01-31T00:30:28Z",
"published": "2026-01-31T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36001"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7257616"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVQ2-WF92-J4F3
Vulnerability from github – Published: 2025-09-26 14:38 – Updated: 2025-09-26 14:38Security Advisory: express-xss-sanitizer
Overview
A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects.
Affected Versions
- All versions prior to 2.0.1
Patched Versions
- 2.0.1 and later
Description
The sanitize function in lib/sanitize.js performed recursive sanitization without depth limiting, making it vulnerable to stack overflow attacks via specially crafted deeply nested JSON objects.
Impact
An attacker could cause denial-of-service by sending a request with deeply nested structures, potentially crashing the Node.js process.
Solution
Upgrade to version 2.0.1 or later:
npm install express-xss-sanitizer@latest
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "express-xss-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59364"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T14:38:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Security Advisory: express-xss-sanitizer\n\n## Overview\nA vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects.\n\n## Affected Versions\n- All versions prior to 2.0.1\n\n## Patched Versions\n- 2.0.1 and later\n\n## Description\nThe sanitize function in lib/sanitize.js performed recursive sanitization without depth limiting, making it vulnerable to stack overflow attacks via specially crafted deeply nested JSON objects.\n\n## Impact\nAn attacker could cause denial-of-service by sending a request with deeply nested structures, potentially crashing the Node.js process.\n\n## Solution\nUpgrade to version 2.0.1 or later:\n\n```bash\nnpm install express-xss-sanitizer@latest\n```",
"id": "GHSA-hvq2-wf92-j4f3",
"modified": "2025-09-26T14:38:14Z",
"published": "2025-09-26T14:38:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/security/advisories/GHSA-hvq2-wf92-j4f3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59364"
},
{
"type": "WEB",
"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/pull/23"
},
{
"type": "WEB",
"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer/commit/62d6542a2a57298da7a2e02de623454007e4f6d6"
},
{
"type": "WEB",
"url": "https://dbugs.ptsecurity.com/vulnerability/PT-2025-37434"
},
{
"type": "WEB",
"url": "https://gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94"
},
{
"type": "PACKAGE",
"url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/express-xss-sanitizer"
},
{
"type": "WEB",
"url": "https://www.tenable.com/cve/CVE-2025-59364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "express-xss-sanitizer has an unbounded recursion depth"
}
GHSA-HWFH-MH4F-M67F
Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
{
"affected": [],
"aliases": [
"CVE-2026-6479"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T14:16:25Z",
"severity": "HIGH"
},
"details": "Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.",
"id": "GHSA-hwfh-mh4f-m67f",
"modified": "2026-05-14T15:31:58Z",
"published": "2026-05-14T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6479"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2026-6479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HWXV-7GW9-PFM4
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.
{
"affected": [],
"aliases": [
"CVE-2019-9543"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-01T19:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.",
"id": "GHSA-hwxv-7gw9-pfm4",
"modified": "2022-05-13T01:08:19Z",
"published": "2022-05-13T01:08:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9543"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/poppler/poppler/issues/730"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/recursive-function-call-in-function-jbig2streamreadgenericbitmap-poppler-0-74-0"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXWV-6335-26H5
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-10-07 18:15A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability. This issue affects all samba versions before 4.10.15, before 4.11.8 and before 4.12.2.
{
"affected": [],
"aliases": [
"CVE-2020-10704"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-06T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability. This issue affects all samba versions before 4.10.15, before 4.11.8 and before 4.12.2.",
"id": "GHSA-hxwv-6335-26h5",
"modified": "2022-10-07T18:15:55Z",
"published": "2022-05-24T17:17:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10704"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10704"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5KW3ZO35NVDO57JSBZHTQZOS3AIQ5QE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7DVGCHG3XPIBQ5ETGMGW7MXNOO4HFH4"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-15"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2020-10704.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00054.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J288-Q9X7-2F5V
Vulnerability from github – Published: 2025-07-11 15:31 – Updated: 2025-11-05 20:30Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-lang3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "commons-lang:commons-lang"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"last_affected": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48924"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-12T00:48:03Z",
"nvd_published_at": "2025-07-11T15:15:24Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"id": "GHSA-j288-q9x7-2f5v",
"modified": "2025-11-05T20:30:31Z",
"published": "2025-07-11T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-lang"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs"
}
GHSA-J2G9-XJ29-72M9
Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52jsparse.c in Artifex MuJS through 1.0.2 does not properly maintain the AST depth for binary expressions, which allows remote attackers to cause a denial of service (excessive recursion) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2018-5759"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-24T21:29:00Z",
"severity": "MODERATE"
},
"details": "jsparse.c in Artifex MuJS through 1.0.2 does not properly maintain the AST depth for binary expressions, which allows remote attackers to cause a denial of service (excessive recursion) via a crafted file.",
"id": "GHSA-j2g9-xj29-72m9",
"modified": "2022-05-13T01:52:54Z",
"published": "2022-05-13T01:52:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5759"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=698868"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43904"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mujs.git;a=commit;h=4d45a96e57fbabf00a7378b337d0ddcace6f38c1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102833"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2V6-WHQQ-RRF6
Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
{
"affected": [],
"aliases": [
"CVE-2026-5299"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T07:16:37Z",
"severity": "MODERATE"
},
"details": "ICMPv6 PvD protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
"id": "GHSA-j2v6-whqq-rrf6",
"modified": "2026-04-30T09:30:24Z",
"published": "2026-04-30T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5299"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/21077"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2026-12.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3MJ-Q4F3-88PF
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.
{
"affected": [],
"aliases": [
"CVE-2026-1069"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T16:16:22Z",
"severity": "HIGH"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service by sending specially crafted GraphQL requests due to uncontrolled recursion under certain circumstances.",
"id": "GHSA-j3mj-q4f3-88pf",
"modified": "2026-03-11T18:30:32Z",
"published": "2026-03-11T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1069"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3483687"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.