CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-J563-GRX4-PJPV
Vulnerability from github – Published: 2022-12-29 01:48 – Updated: 2022-12-29 01:48Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.
Patches
XStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.
Workarounds
The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:
- java.util.HashMap
- java.util.HashSet
- java.util.Hashtable
- java.util.LinkedHashMap
- java.util.LinkedHashSet
- Other third party collection implementations that use their element's hash code may also be affected
A simple solution is to catch the StackOverflowError in the client code calling XStream.
If your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:
XStream xstream = new XStream();
xstream.setMode(XStream.NO_REFERENCES);
If your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:
XStream xstream = new XStream();
xstream.denyTypes(new Class[]{
java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class
});
Unfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::
xstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);
xstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);
However, this implies that your application does not care about the implementation of the map and all elements are comparable.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2022-41966.
For more information
If you have any questions or comments about this advisory: * Open an issue in XStream * Contact us at XStream Google Group
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thoughtworks.xstream:xstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41966"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-121",
"CWE-502",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T01:48:08Z",
"nvd_published_at": "2022-12-28T00:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:\n\n- java.util.HashMap\n- java.util.HashSet\n- java.util.Hashtable\n- java.util.LinkedHashMap\n- java.util.LinkedHashSet\n- Other third party collection implementations that use their element\u0027s hash code may also be affected\n\nA simple solution is to catch the StackOverflowError in the client code calling XStream.\n\nIf your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:\n```Java\nXStream xstream = new XStream();\nxstream.setMode(XStream.NO_REFERENCES);\n```\n\nIf your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:\n```Java\nXStream xstream = new XStream();\nxstream.denyTypes(new Class[]{\n java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class\n});\n```\n\nUnfortunately these types are very common. If you only use HashMap or HashSet and your XML refers these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time::\n```Java\nxstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);\nxstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);\n```\nHowever, this implies that your application does not care about the implementation of the map and all elements are comparable.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream\u0027s documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n",
"id": "GHSA-j563-grx4-pjpv",
"modified": "2022-12-29T01:48:08Z",
"published": "2022-12-29T01:48:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
},
{
"type": "PACKAGE",
"url": "https://github.com/x-stream/xstream"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2022-41966.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "XStream can cause Denial of Service via stack overflow"
}
GHSA-J566-7876-3M7F
Vulnerability from github – Published: 2025-10-17 00:31 – Updated: 2025-10-17 00:31In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2025-11896"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T22:15:30Z",
"severity": "LOW"
},
"details": "In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the \"UseCMap\" entry, leads to infinite recursion and a stack overflow.",
"id": "GHSA-j566-7876-3m7f",
"modified": "2025-10-17T00:31:12Z",
"published": "2025-10-17T00:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11896"
},
{
"type": "WEB",
"url": "https://www.xpdfreader.com/security-bug/object-loops.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J6J2-P5XW-W2J8
Vulnerability from github – Published: 2026-07-01 18:31 – Updated: 2026-07-01 18:31Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.
{
"affected": [],
"aliases": [
"CVE-2026-56148"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T17:16:36Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.",
"id": "GHSA-j6j2-p5xw-w2j8",
"modified": "2026-07-01T18:31:55Z",
"published": "2026-07-01T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56148"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/elasticsearch-8-19-17-9-3-6-9-4-3-security-update-esa-2026-42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7PW-5G39-C2CJ
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2023-02-28 21:30The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).
{
"affected": [],
"aliases": [
"CVE-2018-20821"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-23T14:29:00Z",
"severity": "MODERATE"
},
"details": "The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp).",
"id": "GHSA-j7pw-5g39-c2cj",
"modified": "2023-02-28T21:30:16Z",
"published": "2022-05-24T16:44:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20821"
},
{
"type": "WEB",
"url": "https://github.com/sass/libsass/issues/2658"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00047.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00051.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7VJ-RW65-4V26
Vulnerability from github – Published: 2024-09-06 21:32 – Updated: 2024-09-09 15:30Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
{
"affected": [],
"aliases": [
"CVE-2024-34158"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-06T21:15:12Z",
"severity": "HIGH"
},
"details": "Calling Parse on a \"// +build\" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.",
"id": "GHSA-j7vj-rw65-4v26",
"modified": "2024-09-09T15:30:38Z",
"published": "2024-09-06T21:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34158"
},
{
"type": "WEB",
"url": "https://go.dev/cl/611240"
},
{
"type": "WEB",
"url": "https://go.dev/issue/69141"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3107"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J87P-GJR6-M4PV
Vulnerability from github – Published: 2025-07-27 21:32 – Updated: 2025-07-28 15:54Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-rr69-rxr6-8qwf. This link is maintained to preserve external references.
Original Description
The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "serde-json-wasm"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "serde-json-wasm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-28T15:54:52Z",
"nvd_published_at": "2025-07-27T21:15:26Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rr69-rxr6-8qwf. This link is maintained to preserve external references.\n\n### Original Description\nThe serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.",
"id": "GHSA-j87p-gjr6-m4pv",
"modified": "2025-07-28T15:54:52Z",
"published": "2025-07-27T21:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58264"
},
{
"type": "WEB",
"url": "https://crates.io/crates/serde-json-wasm"
},
{
"type": "PACKAGE",
"url": "https://github.com/CosmWasm/serde-json-wasm"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rr69-rxr6-8qwf"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0012.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: serde-json-wasm stack overflow during recursive JSON parsing",
"withdrawn": "2025-07-28T15:54:52Z"
}
GHSA-J9VR-6635-6998
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
{
"affected": [],
"aliases": [
"CVE-2019-18853"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.",
"id": "GHSA-j9vr-6635-6998",
"modified": "2022-05-24T17:00:42Z",
"published": "2022-05-24T17:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18853"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/ec9c8944af2bfc65c697ca44f93a727a99b405f1"
},
{
"type": "WEB",
"url": "https://fortiguard.com/zeroday/FG-VD-19-136"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JCX2-5QW3-59P6
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2021-39929"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-19T17:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-jcx2-5qw3-59p6",
"modified": "2022-05-24T19:21:07Z",
"published": "2022-05-24T19:21:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39929"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39929.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/17651"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6AJFIYIHS3TYDD2EBYBJ5KKE52X34BJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YEWTIRMC2MFQBZ2O5M4CJHJM4JPBHLXH"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202210-04"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5019"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2021-07.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JGGG-4JG4-V7C6
Vulnerability from github – Published: 2026-05-19 16:21 – Updated: 2026-05-19 16:21Summary
protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON().
A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading.
Impact
An attacker who can provide JSON descriptors loaded by an application may be able to crash the process or otherwise cause schema loading to fail with a stack overflow.
This affects applications that load JSON descriptors from untrusted sources with affected versions.
Preconditions
- The application must load JSON descriptor data influenced by an attacker.
- The crafted descriptor must contain deeply nested
nestednamespace objects. - The affected
Root.fromJSON()/Namespace.addJSON()descriptor expansion path must process the crafted input.
Workarounds
Avoid loading untrusted protobuf JSON descriptors with affected versions. If immediate upgrade is not possible, reject excessively nested descriptor structures at an outer validation boundary where feasible, or isolate descriptor loading in a process that can be safely restarted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.7"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45740"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T16:21:33Z",
"nvd_published_at": "2026-05-13T16:17:00Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nprotobufjs could recurse without a depth limit while expanding nested JSON descriptors through `Root.fromJSON()` and `Namespace.addJSON()`.\n\nA crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading.\n\n## Impact\n\nAn attacker who can provide JSON descriptors loaded by an application may be able to crash the process or otherwise cause schema loading to fail with a stack overflow.\n\nThis affects applications that load JSON descriptors from untrusted sources with affected versions.\n\n## Preconditions\n\n- The application must load JSON descriptor data influenced by an attacker.\n- The crafted descriptor must contain deeply nested `nested` namespace objects.\n- The affected `Root.fromJSON()` / `Namespace.addJSON()` descriptor expansion path must process the crafted input.\n\n## Workarounds\n\nAvoid loading untrusted protobuf JSON descriptors with affected versions. If immediate upgrade is not possible, reject excessively nested descriptor structures at an outer validation boundary where feasible, or isolate descriptor loading in a process that can be safely restarted.",
"id": "GHSA-jggg-4jg4-v7c6",
"modified": "2026-05-19T16:21:34Z",
"published": "2026-05-19T16:21:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-jggg-4jg4-v7c6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45740"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion"
}
GHSA-JGGJ-J5FQ-X969
Vulnerability from github – Published: 2026-05-05 03:31 – Updated: 2026-05-09 06:31An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).
{
"affected": [],
"aliases": [
"CVE-2026-44028"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T01:16:06Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0).",
"id": "GHSA-jggj-j5fq-x969",
"modified": "2026-05-09T06:31:35Z",
"published": "2026-05-05T03:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44028"
},
{
"type": "WEB",
"url": "https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407"
},
{
"type": "WEB",
"url": "https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/04/32"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/04/33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.