Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-V6W7-GQ3G-FWVM

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-06-04 00:00
VLAI
Details

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-v6w7-gq3g-fwvm",
  "modified": "2022-06-04T00:00:55Z",
  "published": "2022-05-24T17:43:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20255"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930646"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210507-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/02/25/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V78M-2Q7V-FJQP

Vulnerability from github – Published: 2022-06-22 17:52 – Updated: 2022-07-12 21:59
VLAI
Summary
Uncontrolled Recursion in rulex
Details

Impact

When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.

This is a security concern for you, if - your service parses untrusted rulex expressions (expressions provided by an untrusted user), and - your service becomes unavailable when the process running rulex aborts due to a stack overflow.

Patches

The crash is fixed in version 0.4.3. Affected users are advised to update to this version.

Workarounds

None.

For more information

If you have any questions or comments about this advisory: * Open an issue in rulex * Email me at ludwig.stecher@gmx.de

Credits

Credit for finding these bugs goes to

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rulex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31099"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-22T17:52:51Z",
    "nvd_published_at": "2022-06-27T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.\n\nThis is a security concern for you, if\n- your service parses untrusted rulex expressions (expressions provided by an untrusted user), and\n- your service becomes unavailable when the process running rulex aborts due to a stack overflow.\n\n### Patches\nThe crash is fixed in version **0.4.3**. Affected users are advised to update to this version.\n\n### Workarounds\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [rulex](https://github.com/rulex-rs/rulex/issues)\n* Email me at [ludwig.stecher@gmx.de](mailto:ludwig.stecher@gmx.de)\n\n### Credits\n\nCredit for finding these bugs goes to\n\n- [evanrichter](https://github.com/evanrichter)\n- [ForAllSecure Mayhem](https://forallsecure.com/)\n- [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz) and [afl.rs](https://github.com/rust-fuzz/afl.rs)",
  "id": "GHSA-v78m-2q7v-fjqp",
  "modified": "2022-07-12T21:59:11Z",
  "published": "2022-06-22T17:52:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rulex-rs/rulex/security/advisories/GHSA-v78m-2q7v-fjqp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31099"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rulex-rs/rulex/commit/60aa2dc03a22d69c8800fec81f99c96958a11363"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rulex-rs/rulex"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Recursion in rulex"
}

GHSA-V7CF-C9RM-WM3J

Vulnerability from github – Published: 2026-03-17 14:07 – Updated: 2026-03-17 14:07
VLAI
Summary
Uncontrolled recursion DoS in JustHTML() via deeply nested HTML
Details

Summary

justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, JustHTML.__init__() always reaches TreeBuilder.finish(), which unconditionally calls _populate_selectedcontent(). That function recursively traverses the DOM via _find_elements() / _find_element() without a depth bound, allowing attacker-controlled deeply nested input to trigger an unhandled RecursionError on CPython. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.

Details

TreeBuilder.finish() (treebuilder.py#L476) unconditionally calls _populate_selectedcontent(self.document) at line 494. _populate_selectedcontent() (treebuilder.py#L1243) calls _find_elements() (treebuilder.py#L1280) to recursively search the DOM tree for <select> elements:

def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
    """Recursively find all elements with given name."""
    if node.name == name:
        result.append(node)
    if node.has_child_nodes():
        for child in node.children:
            self._find_elements(child, name, result)  # recursive call

When the DOM tree depth exceeds CPython's default recursion limit (1000), this raises an unhandled RecursionError. The full call path is:

JustHTML(html)tokenizer.run()tree_builder.finish()_populate_selectedcontent(document)_find_elements(root, "select", selects) (recursive)

Deeply nested DOM trees can be produced by nesting <div> tags ~1000 levels deep. On CPython with the default recursion limit, approximately 11 KB of <div> nesting is sufficient to trigger the error. The exact depth threshold is environment-dependent (CPython version, recursion limit setting, call stack depth at invocation).

Additional recursive functions are affected on already-parsed deep trees: - Node.clone_node(deep=True) (node.py#L523) — called during sanitization - _node_to_html() (serialize.py#L580) — used by to_html(pretty=True) - _to_markdown_walk() (node.py#L817) — used by to_markdown()

Note: the library already uses iterative traversal in several comparable functions (e.g., _node_to_html_compact at serialize.py#L197, _to_text_collect at node.py#L161, _is_blocky_element at serialize.py#L405, apply_to_children at transforms.py#L1642), demonstrating the correct pattern.

PoC

from justhtml import JustHTML

html = "<div>" * 1000 + "x" + "</div>" * 1000
doc = JustHTML(html)  # raises RecursionError

Test environment: CPython 3.14.3, macOS ARM64 (Apple Silicon), justhtml 1.9.1, default recursion limit (1000)

Input Size Result
<div> × 500 5,501 bytes OK
<div> × 800 8,801 bytes OK
<div> × 1000 11,001 bytes RecursionError

The error occurs with both sanitize=True (default) and sanitize=False.

Impact

An attacker who can supply HTML for parsing can trigger an unhandled RecursionError during JustHTML() construction. The error is triggered during construction and is not avoided by justhtml configuration alone; mitigating it requires host-application exception handling or input constraints. Depending on the host application's exception handling, this can abort parsing, fail requests, or terminate a worker/process.

Suggested Fix

Convert the recursive tree traversal functions to iterative implementations using an explicit stack. Example for _find_elements:

def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
    stack = [node]
    while stack:
        current = stack.pop()
        if current.name == name:
            result.append(current)
        if current.has_child_nodes():
            stack.extend(reversed(current.children))

The same conversion should be applied to _find_element, clone_node(deep=True), _node_to_html(), and _to_markdown_walk().

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "justhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T14:07:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\njusthtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, `JustHTML.__init__()` always reaches `TreeBuilder.finish()`, which unconditionally calls `_populate_selectedcontent()`. That function recursively traverses the DOM via `_find_elements()` / `_find_element()` without a depth bound, allowing attacker-controlled deeply nested input to trigger an unhandled `RecursionError` on CPython. Depending on the host application\u0027s exception handling, this can abort parsing, fail requests, or terminate a worker/process.\n\n### Details\n\n`TreeBuilder.finish()` ([`treebuilder.py#L476`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L476)) unconditionally calls `_populate_selectedcontent(self.document)` at [line 494](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L494). `_populate_selectedcontent()` ([`treebuilder.py#L1243`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1243)) calls `_find_elements()` ([`treebuilder.py#L1280`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/treebuilder.py#L1280)) to recursively search the DOM tree for `\u003cselect\u003e` elements:\n\n```python\ndef _find_elements(self, node: Any, name: str, result: list[Any]) -\u003e None:\n    \"\"\"Recursively find all elements with given name.\"\"\"\n    if node.name == name:\n        result.append(node)\n    if node.has_child_nodes():\n        for child in node.children:\n            self._find_elements(child, name, result)  # recursive call\n```\n\nWhen the DOM tree depth exceeds CPython\u0027s default recursion limit (1000), this raises an unhandled `RecursionError`. The full call path is:\n\n`JustHTML(html)` \u2192 `tokenizer.run()` \u2192 `tree_builder.finish()` \u2192 `_populate_selectedcontent(document)` \u2192 `_find_elements(root, \"select\", selects)` (recursive)\n\nDeeply nested DOM trees can be produced by nesting `\u003cdiv\u003e` tags ~1000 levels deep. On CPython with the default recursion limit, approximately 11 KB of `\u003cdiv\u003e` nesting is sufficient to trigger the error. The exact depth threshold is environment-dependent (CPython version, recursion limit setting, call stack depth at invocation).\n\nAdditional recursive functions are affected on already-parsed deep trees:\n- `Node.clone_node(deep=True)` ([`node.py#L523`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L523)) \u2014 called during sanitization\n- `_node_to_html()` ([`serialize.py#L580`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L580)) \u2014 used by `to_html(pretty=True)`\n- `_to_markdown_walk()` ([`node.py#L817`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L817)) \u2014 used by `to_markdown()`\n\nNote: the library already uses iterative traversal in several comparable functions (e.g., `_node_to_html_compact` at [`serialize.py#L197`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L197), `_to_text_collect` at [`node.py#L161`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/node.py#L161), `_is_blocky_element` at [`serialize.py#L405`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/serialize.py#L405), `apply_to_children` at [`transforms.py#L1642`](https://github.com/EmilStenstrom/justhtml/blob/a866b6077770d9ec4cb6b6f9bfe7c918f98455e4/src/justhtml/transforms.py#L1642)), demonstrating the correct pattern.\n\n### PoC\n\n```python\nfrom justhtml import JustHTML\n\nhtml = \"\u003cdiv\u003e\" * 1000 + \"x\" + \"\u003c/div\u003e\" * 1000\ndoc = JustHTML(html)  # raises RecursionError\n```\n\nTest environment: CPython 3.14.3, macOS ARM64 (Apple Silicon), justhtml 1.9.1, default recursion limit (1000)\n\n| Input | Size | Result |\n|-------|------|--------|\n| `\u003cdiv\u003e` \u00d7 500 | 5,501 bytes | OK |\n| `\u003cdiv\u003e` \u00d7 800 | 8,801 bytes | OK |\n| `\u003cdiv\u003e` \u00d7 1000 | 11,001 bytes | RecursionError |\n\nThe error occurs with both `sanitize=True` (default) and `sanitize=False`.\n\n### Impact\n\nAn attacker who can supply HTML for parsing can trigger an unhandled `RecursionError` during `JustHTML()` construction. The error is triggered during construction and is not avoided by `justhtml` configuration alone; mitigating it requires host-application exception handling or input constraints. Depending on the host application\u0027s exception handling, this can abort parsing, fail requests, or terminate a worker/process.\n\n### Suggested Fix\n\nConvert the recursive tree traversal functions to iterative implementations using an explicit stack. Example for `_find_elements`:\n\n```python\ndef _find_elements(self, node: Any, name: str, result: list[Any]) -\u003e None:\n    stack = [node]\n    while stack:\n        current = stack.pop()\n        if current.name == name:\n            result.append(current)\n        if current.has_child_nodes():\n            stack.extend(reversed(current.children))\n```\n\nThe same conversion should be applied to `_find_element`, `clone_node(deep=True)`, `_node_to_html()`, and `_to_markdown_walk()`.",
  "id": "GHSA-v7cf-c9rm-wm3j",
  "modified": "2026-03-17T14:07:38Z",
  "published": "2026-03-17T14:07:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-v7cf-c9rm-wm3j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/EmilStenstrom/justhtml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EmilStenstrom/justhtml/releases/tag/v1.10.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uncontrolled recursion DoS in JustHTML() via deeply nested HTML"
}

GHSA-V84H-MWMJ-46PF

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYaml-C++) 0.6.2. Stack Exhaustion occurs in YAML::SingleDocParser, and there is a stack consumption problem caused by recursive stack frames: HandleCompactMap, HandleMap, HandleFlowSequence, HandleSequence, HandleNode. Remote attackers could leverage this vulnerability to cause a denial-of-service via a cpp file.",
  "id": "GHSA-v84h-mwmj-46pf",
  "modified": "2022-05-13T01:22:41Z",
  "published": "2022-05-13T01:22:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jbeder/yaml-cpp/issues/657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V9QG-3J8P-R63V

Vulnerability from github – Published: 2019-08-06 01:43 – Updated: 2024-09-20 16:09
VLAI
Summary
Uncontrolled Recursion in Django
Details

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11a1"
            },
            {
              "fixed": "1.11.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1a1"
            },
            {
              "fixed": "2.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2a1"
            },
            {
              "fixed": "2.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-08-06T01:34:47Z",
    "nvd_published_at": "2019-08-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.",
  "id": "GHSA-v9qg-3j8p-r63v",
  "modified": "2024-09-20T16:09:20Z",
  "published": "2019-08-06T01:43:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14235"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/dev/releases/security"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-v9qg-3j8p-r63v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-14.yaml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Aug/15"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202004-17"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190828-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4498"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2019/aug/01/security-releases"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uncontrolled Recursion in Django"
}

GHSA-VC69-VR6F-4X67

Vulnerability from github – Published: 2026-05-15 00:30 – Updated: 2026-05-15 00:30
VLAI
Details

Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6811"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T22:16:45Z",
    "severity": "MODERATE"
  },
  "details": "Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.",
  "id": "GHSA-vc69-vr6f-4x67",
  "modified": "2026-05-15T00:30:30Z",
  "published": "2026-05-15T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6811"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/PHPC-2636"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VCG7-GX5W-X44C

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix signededness bug in smb_direct_prepare_negotiation()

smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed alowed receive size for the next message.

By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow.

This fix replaces min_t(int, ...) with min_t(u32)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:37Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix signededness bug in smb_direct_prepare_negotiation()\n\nsmb_direct_prepare_negotiation() casts an unsigned __u32 value\nfrom sp-\u003emax_recv_size and req-\u003epreferred_send_size to a signed\nint before computing min_t(int, ...). A maliciously provided\npreferred_send_size of 0x80000000 will return as smaller than\nmax_recv_size, and then be used to set the maximum allowed\nalowed receive size for the next message.\n\nBy sending a second message with a large value (\u003e1420 bytes)\nthe attacker can then achieve a heap buffer overflow.\n\nThis fix replaces min_t(int, ...) with min_t(u32)",
  "id": "GHSA-vcg7-gx5w-x44c",
  "modified": "2026-05-08T15:31:16Z",
  "published": "2026-05-06T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43185"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF74-69RC-VMQ4

Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34
VLAI
Details

Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process.

This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021208.

The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T22:16:49Z",
    "severity": "MODERATE"
  },
  "details": "Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process.\n\nThis issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021208.\n\n\n\nThe affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.",
  "id": "GHSA-vf74-69rc-vmq4",
  "modified": "2026-06-13T00:34:30Z",
  "published": "2026-06-13T00:34:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7010"
    },
    {
      "type": "WEB",
      "url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGM6-C9JX-RM2C

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-07-01 00:01
VLAI
Details

uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36773"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-18T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).",
  "id": "GHSA-vgm6-c9jx-rm2c",
  "modified": "2022-07-01T00:01:15Z",
  "published": "2022-05-24T19:08:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36773"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=27833752"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VH6J-JC39-FGGF

Vulnerability from github – Published: 2026-06-25 18:46 – Updated: 2026-06-25 18:46
VLAI
Summary
MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth
Details

Summary

MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs.

Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException.

Impact

Applications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value.

The attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because StackOverflowException is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process.

MessagePackSecurity.UntrustedData does not mitigate this issue because the skip path does not participate in depth accounting.

Affected components

  • Package: MessagePack
  • APIs: MessagePackReader.Skip, MessagePackReader.TrySkip, and formatter paths that skip unknown or ignored values
  • Finding IDs: MESSAGEPACKCSHARP-021, duplicate/open variant MESSAGEPACKCSHARP-OPEN-001

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

  1. Upgrade MessagePack to the patched version for your release line.
  2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

The fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by TrySkip(). Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion.

Workarounds

Patching is recommended.

There is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them.

Resources

  • MESSAGEPACKCSHARP-021: unbounded recursion in TrySkip()
  • MESSAGEPACKCSHARP-OPEN-001: duplicate/open finding for the same root cause
  • CWE-674: Uncontrolled Recursion

CVE split rationale

This vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "MessagePack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.301"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "MessagePack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:46:24Z",
    "nvd_published_at": "2026-06-22T22:16:47Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`MessagePackReader.TrySkip()` recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses `MessagePackSecurity.MaximumObjectGraphDepth`, the library\u0027s documented protection against deeply nested object graphs.\n\nMany generated and dynamic formatters call `reader.Skip()` when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable `StackOverflowException`.\n\n## Impact\n\nApplications that deserialize untrusted MessagePack payloads are affected when a formatter skips attacker-controlled values. This is a broad deserialization path and can be reached during normal object deserialization when an input includes an unknown member or extra value.\n\nThe attacker does not need to target a special resolver or compression mode. A payload containing many nested single-element arrays or maps in a skipped location can exhaust the process stack. Because `StackOverflowException` is not catchable in normal .NET execution, this terminates the host process and can deny service to other users of the same process.\n\n`MessagePackSecurity.UntrustedData` does not mitigate this issue because the skip path does not participate in depth accounting.\n\n## Affected components\n\n- Package: `MessagePack`\n- APIs: `MessagePackReader.Skip`, `MessagePackReader.TrySkip`, and formatter paths that skip unknown or ignored values\n- Finding IDs: `MESSAGEPACKCSHARP-021`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should either make skip traversal iterative or apply the existing depth accounting to arrays and maps encountered by `TrySkip()`. Any exceeded depth limit should result in a catchable serialization exception instead of process stack exhaustion.\n\n## Workarounds\n\nPatching is recommended.\n\nThere is no complete workaround for applications that deserialize untrusted MessagePack payloads with affected versions. Reducing accepted message sizes can raise the cost of exploitation but does not remove the recursive skip behavior. Strict schema validation outside MessagePack-CSharp may help only if it rejects unknown or skipped fields before the serializer sees them.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-021`: unbounded recursion in `TrySkip()`\n- `MESSAGEPACKCSHARP-OPEN-001`: duplicate/open finding for the same root cause\n- CWE-674: Uncontrolled Recursion\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the skip traversal implementation. It should be tracked separately from formatter-specific missing depth checks, JSON conversion recursion, and non-recursion allocation bugs.",
  "id": "GHSA-vh6j-jc39-fggf",
  "modified": "2026-06-25T18:46:24Z",
  "published": "2026-06-25T18:46:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48506"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.