CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
615 vulnerabilities reference this CWE, most recent first.
GHSA-VJJ7-39VR-35R3
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2026-03-06 18:31Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.
{
"affected": [],
"aliases": [
"CVE-2022-30630"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T20:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.",
"id": "GHSA-vjj7-39vr-35r3",
"modified": "2026-03-06T18:31:09Z",
"published": "2022-08-11T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
},
{
"type": "WEB",
"url": "https://go.dev/cl/417065"
},
{
"type": "WEB",
"url": "https://go.dev/issue/53415"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0527"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VPPJ-Q42F-96W5
Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:01Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-1771"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-vppj-q42f-96w5",
"modified": "2022-05-27T00:01:12Z",
"published": "2022-05-19T00:00:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/faa74175-5317-4b71-a363-dfc39094ecbb"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VR34-263X-7Q3R
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.
{
"affected": [],
"aliases": [
"CVE-2021-28903"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-20T19:15:00Z",
"severity": "HIGH"
},
"details": "A stack overflow in libyang \u003c= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.",
"id": "GHSA-vr34-263x-7q3r",
"modified": "2022-05-24T19:02:50Z",
"published": "2022-05-24T19:02:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28903"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/issues/1453"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-54"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VRM3-V8W6-8742
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to system resources.
{
"affected": [],
"aliases": [
"CVE-2017-16419"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-09T06:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to system resources.",
"id": "GHSA-vrm3-v8w6-8742",
"modified": "2022-05-13T01:44:05Z",
"published": "2022-05-13T01:44:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16419"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb17-36.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101817"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039791"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VVX9-XFCG-G62V
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-01 18:31In the Linux kernel, the following vulnerability has been resolved:
scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.
Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.
{
"affected": [],
"aliases": [
"CVE-2026-46149"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:30Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer. snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes. The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here.",
"id": "GHSA-vvx9-xfcg-g62v",
"modified": "2026-06-01T18:31:38Z",
"published": "2026-05-28T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46149"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/12f2201a56957ba020392223a7393a5eba080c1b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3cc9d490c207d57a289054397349f6f8c90354e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db0a4759d62cad4ff891e2d81ae4be73bb57f4a4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W239-58X2-Q8P5
Vulnerability from github – Published: 2026-05-07 02:07 – Updated: 2026-06-08 23:47The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).
For DAG-CBOR, a payload of approximately 2 MB, consisting of repeated 0x81 (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go's default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via [[[...]]]-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.
Schema-free decoding (using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as Any; schemas with recursive type references or any Any-typed fields permit unconstrained nesting at those points.
The fix adds a configurable MaxDepth option to both decoders, defaulting to 1024 nested levels. The decoder returns ErrDecodeDepthExceeded when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipld/go-ipld-prime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.23.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42328"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T02:07:21Z",
"nvd_published_at": "2026-05-27T18:16:22Z",
"severity": "MODERATE"
},
"details": "The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).\n\nFor DAG-CBOR, a payload of approximately 2 MB, consisting of repeated `0x81` (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go\u0027s default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via `[[[...]]]`-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.\n\nSchema-free decoding (using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as `Any`; schemas with recursive type references or any `Any`-typed fields permit unconstrained nesting at those points.\n\nThe fix adds a configurable `MaxDepth` option to both decoders, defaulting to 1024 nested levels. The decoder returns `ErrDecodeDepthExceeded` when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.",
"id": "GHSA-w239-58x2-q8p5",
"modified": "2026-06-08T23:47:37Z",
"published": "2026-05-07T02:07:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-w239-58x2-q8p5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42328"
},
{
"type": "PACKAGE",
"url": "https://github.com/ipld/go-ipld-prime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "go-ipld-prime\u0027s DAG-CBOR and DAG-JSON decoders have unbounded recursion depth"
}
GHSA-W2GJ-35CX-6H66
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.
{
"affected": [],
"aliases": [
"CVE-2021-22454"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-28T13:15:00Z",
"severity": "MODERATE"
},
"details": "A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.",
"id": "GHSA-w2gj-35cx-6h66",
"modified": "2022-05-24T19:19:09Z",
"published": "2022-05-24T19:19:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22454"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202107-0000001123874808"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2PR-2387-VXGH
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.
{
"affected": [],
"aliases": [
"CVE-2020-12662"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an \"NXNSAttack\" issue. This is triggered by random subdomains in the NSDNAME in NS records.",
"id": "GHSA-w2pr-2387-vxgh",
"modified": "2022-05-24T17:18:07Z",
"published": "2022-05-24T17:18:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12662"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I"
},
{
"type": "WEB",
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200702-0006"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4374-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4694"
},
{
"type": "WEB",
"url": "https://www.synology.com/security/advisory/Synology_SA_20_12"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html"
},
{
"type": "WEB",
"url": "http://www.nxnsattack.com"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/05/19/5"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W3VF-7FPC-9FWW
Vulnerability from github – Published: 2021-12-08 00:00 – Updated: 2025-07-03 21:31ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
{
"affected": [],
"aliases": [
"CVE-2021-42717"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-07T22:15:00Z",
"severity": "HIGH"
},
"details": "ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.",
"id": "GHSA-w3vf-7fpc-9fww",
"modified": "2025-07-03T21:31:20Z",
"published": "2021-12-08T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42717"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5023"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W5MM-9FFH-GJVJ
Vulnerability from github – Published: 2024-01-03 09:30 – Updated: 2024-01-03 09:30Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2024-0210"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-03T08:15:11Z",
"severity": "HIGH"
},
"details": "Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-w5mm-9ffh-gjvj",
"modified": "2024-01-03T09:30:30Z",
"published": "2024-01-03T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0210"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/19504"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2024-04.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.