CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
615 vulnerabilities reference this CWE, most recent first.
GHSA-W5XG-24X3-2465
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process.
This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25031700.
The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.
{
"affected": [],
"aliases": [
"CVE-2025-7005"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:48Z",
"severity": "MODERATE"
},
"details": "Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process.\n\nThis issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25031700.\n\n\n\nThe affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream.",
"id": "GHSA-w5xg-24x3-2465",
"modified": "2026-06-13T00:34:30Z",
"published": "2026-06-13T00:34:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7005"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W848-9V8P-7JFR
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c.
{
"affected": [],
"aliases": [
"CVE-2017-9616"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-14T20:29:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c.",
"id": "GHSA-w848-9v8p-7jfr",
"modified": "2022-05-13T01:48:01Z",
"published": "2022-05-13T01:48:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9616"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99085"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038706"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WCJX-V2WJ-XG87
Vulnerability from github – Published: 2026-03-26 22:27 – Updated: 2026-03-26 22:27Pin vulnerable version of pyasn, see: See: https://github.com/advisories/GHSA-jr27-m4p2-rc6r
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.1.65"
},
"package": {
"ecosystem": "PyPI",
"name": "c2cciutils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.66"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:27:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Pin vulnerable version of pyasn, see: See: https://github.com/advisories/GHSA-jr27-m4p2-rc6r",
"id": "GHSA-wcjx-v2wj-xg87",
"modified": "2026-03-26T22:27:12Z",
"published": "2026-03-26T22:27:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/camptocamp/c2cciutils/security/advisories/GHSA-wcjx-v2wj-xg87"
},
{
"type": "WEB",
"url": "https://github.com/camptocamp/c2cciutils/commit/1ab415014817d7d1cf09ad56cc8a7dec2a1108d8"
},
{
"type": "PACKAGE",
"url": "https://github.com/camptocamp/c2cciutils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922)"
}
GHSA-WCPC-WJ8M-HJX6
Vulnerability from github – Published: 2026-06-15 17:30 – Updated: 2026-06-15 17:30Summary
protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject() conversion and the custom google.protobuf.Any JSON conversion path.
A crafted protobuf binary payload containing deeply nested Any values could cause the JavaScript call stack to be exhausted during conversion to JSON.
Impact
An attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.
This affects applications that decode untrusted protobuf input containing google.protobuf.Any values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through JSON.stringify(message), Message#toJSON(), or Type.toObject(message, { json: true }).
Applications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.
Preconditions
- The application must decode protobuf binary data influenced by an attacker.
- The application schema must include
google.protobuf.Any, and the referencedtype_urlmust resolve to a message type in the loaded protobuf root. - The application must convert the decoded message to JSON or a plain object through an affected conversion path.
- The crafted input must contain deeply nested
Anyvalues that are expanded during conversion.
Workarounds
Avoid converting untrusted protobuf messages containing google.protobuf.Any values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested Any payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted Any values, or isolate message conversion in a process that can be safely restarted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.6.0"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.4.0"
},
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48712"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:30:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nprotobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated `toObject()` conversion and the custom `google.protobuf.Any` JSON conversion path.\n\nA crafted protobuf binary payload containing deeply nested `Any` values could cause the JavaScript call stack to be exhausted during conversion to JSON.\n\n## Impact\n\nAn attacker who can provide protobuf binary data decoded by an application may be able to crash the process or otherwise cause message conversion to fail with a stack overflow.\n\nThis affects applications that decode untrusted protobuf input containing `google.protobuf.Any` values and then convert decoded messages to JSON or plain objects with JSON conversion enabled, for example through `JSON.stringify(message)`, `Message#toJSON()`, or `Type.toObject(message, { json: true })`.\n\nApplications that only decode and re-encode protobuf binary data without converting decoded messages to JSON are not directly affected by this issue.\n\n## Preconditions\n\n* The application must decode protobuf binary data influenced by an attacker.\n* The application schema must include `google.protobuf.Any`, and the referenced `type_url` must resolve to a message type in the loaded protobuf root.\n* The application must convert the decoded message to JSON or a plain object through an affected conversion path.\n* The crafted input must contain deeply nested `Any` values that are expanded during conversion.\n\n## Workarounds\n\nAvoid converting untrusted protobuf messages containing `google.protobuf.Any` values to JSON with affected versions. If immediate upgrade is not possible, reject or limit messages with deeply nested `Any` payloads at an outer protocol boundary where feasible, avoid JSON conversion of untrusted `Any` values, or isolate message conversion in a process that can be safely restarted.",
"id": "GHSA-wcpc-wj8m-hjx6",
"modified": "2026-06-15T17:30:15Z",
"published": "2026-06-15T17:30:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protobufjs/protobuf.js/security/advisories/GHSA-wcpc-wj8m-hjx6"
},
{
"type": "PACKAGE",
"url": "https://github.com/protobufjs/protobuf.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "protobufjs: Denial of service through unbounded Any expansion during JSON conversion"
}
GHSA-WF5X-CR3R-XR77
Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-22 16:32This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10761"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T18:36:08Z",
"nvd_published_at": "2022-07-13T09:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the \"sandboxed\" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.",
"id": "GHSA-wf5x-cr3r-xr77",
"modified": "2022-07-22T16:32:45Z",
"published": "2022-07-14T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10761"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/issues/197"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90"
},
{
"type": "WEB",
"url": "https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-VM2-473188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "vm2 before 3.6.11 vulnerable to sandbox escape"
}
GHSA-WFJV-JM8J-274F
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2026-05-12 12:31A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
{
"affected": [],
"aliases": [
"CVE-2019-13103"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-29T15:15:00Z",
"severity": "LOW"
},
"details": "A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.",
"id": "GHSA-wfjv-jm8j-274f",
"modified": "2026-05-12T12:31:26Z",
"published": "2022-05-24T16:51:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13103"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-577017.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-618620.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-618620.pdf"
},
{
"type": "WEB",
"url": "https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75"
},
{
"type": "WEB",
"url": "https://github.com/u-boot/u-boot/commits/master"
},
{
"type": "WEB",
"url": "https://lists.denx.de/pipermail/u-boot/2019-July/375512.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFR3-XJ75-PFWH
Vulnerability from github – Published: 2026-06-25 21:22 – Updated: 2026-06-25 21:22Summary
Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths.
This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step.
Impact
Applications are affected when they deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes handled by DynamicUnionResolver.
An attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits can be bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable StackOverflowException.
This issue is narrower than the general TrySkip() recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. It remains independently fixable because the emitted IL should mirror the depth-step behavior used by source-generated union formatters and dynamic object formatters.
Affected components
- Package:
MessagePack - API:
DynamicUnionResolver.BuildDeserialize - Data types:
[Union]-decorated interface and abstract class hierarchies handled by the dynamic resolver - Finding ID:
MESSAGEPACKCSHARP-070
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should emit DepthStep and matching reader.Depth-- cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.
Workarounds
Patching is recommended.
Until a patched version is available, avoid deserializing untrusted payloads into dynamically resolved [Union] types. Prefer source-generated formatters that include depth checks, where applicable, and enforce outer message-size and schema constraints.
Resources
MESSAGEPACKCSHARP-070: dynamic union deserializer missing depth-step enforcement- CWE-674: Uncontrolled Recursion
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.301"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48513"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:22:52Z",
"nvd_published_at": "2026-06-22T22:16:48Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nRuntime-generated union deserializers emitted by `DynamicUnionResolver` do not call `MessagePackSecurity.DepthStep(ref reader)` and do not decrement `reader.Depth` around recursive deserialization and skip paths.\n\nThis means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls `reader.Skip()` on attacker-controlled data without an enclosing depth step.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into object graphs containing `[Union]`-decorated interfaces or abstract classes handled by `DynamicUnionResolver`.\n\nAn attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits can be bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable `StackOverflowException`.\n\nThis issue is narrower than the general `TrySkip()` recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. It remains independently fixable because the emitted IL should mirror the depth-step behavior used by source-generated union formatters and dynamic object formatters.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `DynamicUnionResolver.BuildDeserialize`\n- Data types: `[Union]`-decorated interface and abstract class hierarchies handled by the dynamic resolver\n- Finding ID: `MESSAGEPACKCSHARP-070`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should emit `DepthStep` and matching `reader.Depth--` cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted payloads into dynamically resolved `[Union]` types. Prefer source-generated formatters that include depth checks, where applicable, and enforce outer message-size and schema constraints.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-070`: dynamic union deserializer missing depth-step enforcement\n- CWE-674: Uncontrolled Recursion",
"id": "GHSA-wfr3-xj75-pfwh",
"modified": "2026-06-25T21:22:52Z",
"published": "2026-06-25T21:22:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-wfr3-xj75-pfwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48513"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MessagePack-CSharp: DynamicUnionResolver-generated deserializers miss depth enforcement"
}
GHSA-WGH7-7M3C-FX25
Vulnerability from github – Published: 2026-03-19 21:30 – Updated: 2026-07-06 13:06Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. In .NET, a StackOverflowException cannot be caught by standard try-catch blocks, resulting in the immediate and ungraceful termination of the entire hosting process.
Scriban utilizes a recursive-descent parser to process template expressions. While the library exposes an ExpressionDepthLimit property in its ParserOptions, this property defaults to null (disabled).
If an application accepts user-supplied templates (or dynamically constructs templates from untrusted input), an attacker can supply thousands of nested parentheses or blocks. As the parser recursively evaluates each nested layer, it consumes thread stack space until it exceeds the limits of the host OS, triggering a fatal crash.
Impact
An attacker can supply crafted input that triggers a StackOverflowException, causing immediate termination of the hosting process and resulting in a Denial of Service. In applications that process untrusted or user-controlled templates (e.g., web applications or APIs), this can be exploited remotely without authentication. The failure is not recoverable, requiring a full process restart and leading to service disruption.
Proof of Concept (PoC)
The following C# code demonstrates the vulnerability. Executing this code will immediately terminate the application process.
using Scriban;
// Creates a deeply nested expression: (((( ... (1) ... ))))
string nested = new string('(', 10000) + "1" + new string(')', 10000);
try {
// This will crash the entire process immediately
Scriban.Template.Parse("{{ " + nested + " }}");
} catch (Exception ex) {
// This catch block will never execute because StackOverflowException
Console.WriteLine("Caught exception: " + ex.Message);
}
Suggested Remediation
Update the ParserOptions constructor (or the internal parser initialization) to set a default value for ExpressionDepthLimit. A limit of 1000 (or even lower, such as 250 or 500) is generally more than enough for legitimate templates while safely preventing stack exhaustion.
public int? ExpressionDepthLimit { get; set; } = 250;
Alternatively, document the risk heavily and warn developers to manually set ExpressionDepthLimit if evaluating untrusted templates, though a secure-by-default approach is strongly preferred.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "scriban"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Scriban.Signed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T21:30:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a `StackOverflowException`. In .NET, a `StackOverflowException` cannot be caught by standard `try-catch` blocks, resulting in the immediate and ungraceful termination of the entire hosting process. \n\nScriban utilizes a recursive-descent parser to process template expressions. While the library exposes an `ExpressionDepthLimit` property in its `ParserOptions`, this property defaults to `null` (disabled). \n\nIf an application accepts user-supplied templates (or dynamically constructs templates from untrusted input), an attacker can supply thousands of nested parentheses or blocks. As the parser recursively evaluates each nested layer, it consumes thread stack space until it exceeds the limits of the host OS, triggering a fatal crash.\n\n#### Impact\n\nAn attacker can supply crafted input that triggers a `StackOverflowException`, causing immediate termination of the hosting process and resulting in a Denial of Service. In applications that process untrusted or user-controlled templates (e.g., web applications or APIs), this can be exploited remotely without authentication. The failure is not recoverable, requiring a full process restart and leading to service disruption.\n\n#### Proof of Concept (PoC)\nThe following C# code demonstrates the vulnerability. Executing this code will immediately terminate the application process.\n\n```csharp\nusing Scriban;\n\n// Creates a deeply nested expression: (((( ... (1) ... ))))\nstring nested = new string(\u0027(\u0027, 10000) + \"1\" + new string(\u0027)\u0027, 10000);\n\ntry {\n // This will crash the entire process immediately\n Scriban.Template.Parse(\"{{ \" + nested + \" }}\");\n} catch (Exception ex) {\n // This catch block will never execute because StackOverflowException\n Console.WriteLine(\"Caught exception: \" + ex.Message);\n}\n```\n\n#### Suggested Remediation\n\nUpdate the `ParserOptions` constructor (or the internal parser initialization) to set a default value for `ExpressionDepthLimit`. A limit of `1000` (or even lower, such as `250` or `500`) is generally more than enough for legitimate templates while safely preventing stack exhaustion.\n\n```csharp\npublic int? ExpressionDepthLimit { get; set; } = 250; \n```\nAlternatively, document the risk heavily and warn developers to manually set `ExpressionDepthLimit` if evaluating untrusted templates, though a secure-by-default approach is strongly preferred.",
"id": "GHSA-wgh7-7m3c-fx25",
"modified": "2026-07-06T13:06:02Z",
"published": "2026-03-19T21:30:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/security/advisories/GHSA-wgh7-7m3c-fx25"
},
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/commit/a6fe6074199e5c04f4d29dc8d8e652b24d33e3e4"
},
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/commit/b5ac4bf30459fdc76964e3f751e16f7e96079ea7"
},
{
"type": "PACKAGE",
"url": "https://github.com/scriban/scriban"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)"
}
GHSA-WJM4-HW2R-M766
Vulnerability from github – Published: 2025-04-17 03:30 – Updated: 2025-04-17 03:30VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference='../../../set/set[2]' is used, aka an "insecure deserialization" issue.
{
"affected": [],
"aliases": [
"CVE-2025-43708"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T01:15:46Z",
"severity": "LOW"
},
"details": "VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference=\u0027../../../set/set[2]\u0027 is used, aka an \"insecure deserialization\" issue.",
"id": "GHSA-wjm4-hw2r-m766",
"modified": "2025-04-17T03:30:30Z",
"published": "2025-04-17T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43708"
},
{
"type": "WEB",
"url": "https://github.com/Gelcon/PoC-of-VisiCut2_1-Stack-Overflow-Vul"
},
{
"type": "WEB",
"url": "https://github.com/t-oster/VisiCut"
},
{
"type": "WEB",
"url": "https://visicut.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WJWR-9F4Q-Q8H8
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-05-24 16:56In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
{
"affected": [],
"aliases": [
"CVE-2019-11779"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more \u0027/\u0027 characters, i.e. the topic hierarchy separator, then a stack overflow will occur.",
"id": "GHSA-wjwr-9f4q-q8h8",
"modified": "2022-05-24T16:56:28Z",
"published": "2022-05-24T16:56:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11779"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Nov/25"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4137-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4570"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.