Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

615 vulnerabilities reference this CWE, most recent first.

GHSA-X2G3-V8H5-XMCW

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2023-10-24 21:30
VLAI
Details

A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '' substring.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a \u0027\u003cuse ... xlink:href=\"#identifier\"\u003e\u0027 substring.",
  "id": "GHSA-x2g3-v8h5-xmcw",
  "modified": "2023-10-24T21:30:18Z",
  "published": "2022-05-24T22:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18854"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/zeroday/FG-VD-19-113"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2185438"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/safe-svg/#developers"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9937"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2V6-JX2X-C364

Vulnerability from github – Published: 2025-09-12 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

block: avoid possible overflow for chunk_sectors check in blk_stack_limits()

In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value.

However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sectors, so change the check to be based on sectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39795"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-12T16:15:33Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: avoid possible overflow for chunk_sectors check in blk_stack_limits()\n\nIn blk_stack_limits(), we check that the t-\u003echunk_sectors value is a\nmultiple of the t-\u003ephysical_block_size value.\n\nHowever, by finding the chunk_sectors value in bytes, we may overflow\nthe unsigned int which holds chunk_sectors, so change the check to be\nbased on sectors.",
  "id": "GHSA-x2v6-jx2x-c364",
  "modified": "2026-07-14T15:31:27Z",
  "published": "2025-09-12T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39795"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/14beeef4aafecc8a41de534e31fb5be94739392f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31f2f080898e50cbf2bae62d35f9f2a997547b38"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b9d69f0e68aa6b0acd9791c45d445154a8c66e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/418751910044649baa2b424ea31cce3fc4dcc253"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/448dfecc7ff807822ecd47a5c052acedca7d09e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/46aa80ef49594ed7de685ecbc673b291e9a2c159"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e276e6ff9aacf8901b9c3265c3cdd2568c9fff2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b3ce085b52e674290cbfdd07034e7653ffbe4dc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X4FP-GJPV-C6R5

Vulnerability from github – Published: 2025-12-01 12:30 – Updated: 2025-12-01 15:30
VLAI
Details

Uncontrolled recursion in the json2pb component in Apache bRPC (version < 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.

Root Cause: The bRPC json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.

Affected Scenarios: Use bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use JsonToProtoMessage to convert json from untrusted input.

How to Fix: (Choose one of the following options)  1. Upgrade bRPC to version 1.15.0, which fixes this issue. 2. Apply this patch: https://github.com/apache/brpc/pull/3099

Note: No matter which option

you choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions: 

ProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.

If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T11:15:48Z",
    "severity": "HIGH"
  },
  "details": "Uncontrolled recursion in the json2pb component in Apache bRPC (version \u003c 1.15.0) on all platforms allows remote attackers to make the server crash via sending deep recursive json data.\n\nRoot Cause:\nThe bRPC\u00a0json2pb component uses rapidjson to parse json data from the network. The rapidjson parser uses a recursive parsing method by default. If the input json has a large depth of recursive structure, the parser function may run into stack overflow.\n\nAffected Scenarios:\nUse bRPC server with protobuf message to serve http+json requests from untrusted network. Or directly use\u00a0JsonToProtoMessage to convert json from\u00a0untrusted input.\n\n\n\nHow to Fix: \n(Choose one of the following options)\u00a0\n1. Upgrade bRPC to version 1.15.0, which fixes this issue.\n2. Apply this patch:  https://github.com/apache/brpc/pull/3099 \n\n\n\nNote:\nNo matter which option \n\nyou choose, you should know that the fix introduces a recursion depth limit with default value 100. It affects these functions:\u00a0\n\nProtoMessageToJson, ProtoMessageToProtoJson, JsonToProtoMessage, and ProtoJsonToProtoMessage.\n\n If your requests contain json or protobuf messages that have a depth exceeding the limit, the request will be failed after applying the fix. You can modify the gflag json2pb_max_recursion_depth to change the limit.",
  "id": "GHSA-x4fp-gjpv-c6r5",
  "modified": "2025-12-01T15:30:17Z",
  "published": "2025-12-01T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59789"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/ozmcsztcpxn61jxod8jo8q46jo0oc1zx"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/01/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6F6-J278-6544

Vulnerability from github – Published: 2025-10-03 18:31 – Updated: 2025-10-03 18:31
VLAI
Details

When the module renders a Svg file that contains a element, it might end up rendering it recursively leading to stack overflow DoS

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-10728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T16:16:16Z",
    "severity": "CRITICAL"
  },
  "details": "When the module renders a Svg file that contains a \u003cpattern\u003e element, it might end up rendering it recursively\u00a0leading to stack overflow DoS",
  "id": "GHSA-x6f6-j278-6544",
  "modified": "2025-10-03T18:31:27Z",
  "published": "2025-10-03T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10728"
    },
    {
      "type": "WEB",
      "url": "https://codereview.qt-project.org/c/qt/qtsvg/+/654200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:H/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X8HV-RF6J-VCR5

Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2023-02-28 15:30
VLAI
Details

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-09T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.",
  "id": "GHSA-x8hv-rf6j-vcr5",
  "modified": "2023-02-28T15:30:24Z",
  "published": "2022-05-24T16:55:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kkos/oniguruma/issues/147"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kkos/oniguruma/compare/v6.9.2...v6.9.3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZW47MSFZ6WYOAOFXHBDGU4LYACFRKC2Y"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4460-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9C7-5H6G-HQ8Q

Vulnerability from github – Published: 2026-06-01 21:30 – Updated: 2026-07-09 13:38
VLAI
Summary
Spring Cloud Function Context has Uncontrolled Recursion
Details

Under infinite recursion in the routing layer, request-handling can cause OOM error.

Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-function-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-function-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-function-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.10"
            },
            {
              "last_affected": "3.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-function-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "last_affected": "4.1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.springframework.cloud:spring-cloud-function-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "last_affected": "4.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:38:38Z",
    "nvd_published_at": "2026-06-01T19:16:39Z",
    "severity": "MODERATE"
  },
  "details": "Under infinite recursion in the routing layer, request-handling can cause OOM error.\n\nAffected Spring Products and Versions:\nSpring Cloud Function 3.2.x: versions prior to 3.2.16\nSpring Cloud Function 4.1.x: versions prior to 4.1.10\nSpring Cloud Function 4.2.x: versions prior to 4.2.6\nSpring Cloud Function 4.3.x: versions prior to 4.3.3\nSpring Cloud Function 5.0.x: versions prior to 5.0.2\nOlder, unsupported versions are also affected.",
  "id": "GHSA-x9c7-5h6g-hq8q",
  "modified": "2026-07-09T13:38:38Z",
  "published": "2026-06-01T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spring-cloud/spring-cloud-function/commit/6bcd55803c5a2ce0adec794fee1e03c2fac36cf9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spring-cloud/spring-cloud-function"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-40989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spring Cloud Function Context has Uncontrolled Recursion"
}

GHSA-X9PV-H28P-55W8

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:01
VLAI
Details

compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30974"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "compile in regexp.c in Artifex MuJS through 1.2.0 results in stack consumption because of unlimited recursion, a different issue than CVE-2019-11413.",
  "id": "GHSA-x9pv-h28p-55w8",
  "modified": "2022-05-27T00:01:29Z",
  "published": "2022-05-19T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30974"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ccxvii/mujs/issues/162"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MC6PLHTXHZ7GW7QQGTLBHLXL47UHTHXO"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5291"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCX6-VP38-8HR5

Vulnerability from github – Published: 2026-03-24 22:15 – Updated: 2026-07-06 13:09
VLAI
Summary
Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException
Details

Summary

The object.to_json builtin function in Scriban performs recursive JSON serialization via an internal WriteValue() static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed to object.to_json triggers unbounded recursion, causing a StackOverflowException that terminates the hosting .NET process. This is a fatal, unrecoverable crash — StackOverflowException cannot be caught by user code in .NET.

Details

The vulnerable code is the WriteValue() static local function at src/Scriban/Functions/ObjectFunctions.cs:494:

static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value)
{
    var type = value?.GetType() ?? typeof(object);
    if (value is null || value is string || value is bool ||
        type.IsPrimitiveOrDecimal() || value is IFormattable)
    {
        JsonSerializer.Serialize(writer, value, type);
    }
    else if (value is IList || type.IsArray) {
        writer.WriteStartArray();
        foreach (var x in context.ToList(context.CurrentSpan, value))
        {
            WriteValue(context, writer, x);  // recursive, no depth check
        }
        writer.WriteEndArray();
    }
    else {
        writer.WriteStartObject();
        var accessor = context.GetMemberAccessor(value);
        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))
        {
            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))
            {
                writer.WritePropertyName(member);
                WriteValue(context, writer, memberValue);  // recursive, no depth check
            }
        }
        writer.WriteEndObject();
    }
}

This function has none of the safety mechanisms present in other recursive paths:

  • ObjectToString() at TemplateContext.Helpers.cs:98 checks ObjectRecursionLimit (default 20)
  • EnterRecursive() at TemplateContext.cs:957 calls RuntimeHelpers.EnsureSufficientExecutionStack()
  • CheckAbort() at TemplateContext.cs:464 also calls EnsureSufficientExecutionStack()

The WriteValue() function bypasses all of these because it is a static local function that only takes the TemplateContext for member access — it never calls EnterRecursive(), never checks ObjectRecursionLimit, and never calls EnsureSufficientExecutionStack().

Execution flow:

  1. Template creates a ScriptObject: {{ x = {} }}
  2. Sets a self-reference: x.self = x — stores a reference in ScriptObject.Store dictionary
  3. Pipes to object.to_json: x | object.to_json → calls ToJson() at line 477
  4. ToJson() calls WriteValue(context, writer, value) at line 488
  5. WriteValue enters the else branch (line 515), gets members via accessor, finds "self"
  6. TryGetValue returns x itself, WriteValue recurses with the same object — infinite loop
  7. StackOverflowException is thrown — fatal, cannot be caught, process terminates

PoC

{{ x = {}; x.self = x; x | object.to_json }}

In a hosting application:

using Scriban;

// This will crash the entire process with StackOverflowException
var template = Template.Parse("{{ x = {}; x.self = x; x | object.to_json }}");
var result = template.Render(); // FATAL: process terminates here

Even without circular references, deeply nested objects can exhaust the stack since no depth limit is enforced:

{{ a = {}
   b = {inner: a}
   c = {inner: b}
   d = {inner: c}
   # ... continue nesting ...
   result = deepest | object.to_json }}

Impact

  • Process crash DoS: Any application embedding Scriban for user-provided templates (CMS platforms, email template engines, report generators, static site generators) can be crashed by a single malicious template. The crash is unrecoverable — StackOverflowException terminates the .NET process.
  • No try/catch protection possible: Unlike most exceptions, StackOverflowException cannot be caught by application code. The hosting application cannot wrap template.Render() in a try/catch to survive this.
  • No authentication required: object.to_json is a default builtin function (registered in BuiltinFunctions.cs), available in all Scriban templates unless explicitly removed.
  • Trivial to exploit: The PoC is a single line of template code.

Recommended Fix

Add a depth counter parameter to WriteValue() and check it against ObjectRecursionLimit, consistent with how ObjectToString is protected. Also add EnsureSufficientExecutionStack() as a safety net:

static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value, int depth = 0)
{
    if (context.ObjectRecursionLimit != 0 && depth > context.ObjectRecursionLimit)
    {
        throw new ScriptRuntimeException(context.CurrentSpan,
            $"Exceeding object recursion limit `{context.ObjectRecursionLimit}` in object.to_json");
    }

    try
    {
        RuntimeHelpers.EnsureSufficientExecutionStack();
    }
    catch (InsufficientExecutionStackException)
    {
        throw new ScriptRuntimeException(context.CurrentSpan,
            "Exceeding recursive depth limit in object.to_json, near to stack overflow");
    }

    var type = value?.GetType() ?? typeof(object);
    if (value is null || value is string || value is bool ||
        type.IsPrimitiveOrDecimal() || value is IFormattable)
    {
        JsonSerializer.Serialize(writer, value, type);
    }
    else if (value is IList || type.IsArray) {
        writer.WriteStartArray();
        foreach (var x in context.ToList(context.CurrentSpan, value))
        {
            WriteValue(context, writer, x, depth + 1);
        }
        writer.WriteEndArray();
    }
    else {
        writer.WriteStartObject();
        var accessor = context.GetMemberAccessor(value);
        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))
        {
            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))
            {
                writer.WritePropertyName(member);
                WriteValue(context, writer, memberValue, depth + 1);
            }
        }
        writer.WriteEndObject();
    }
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Scriban"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Scriban.Signed"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T22:15:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `object.to_json` builtin function in Scriban performs recursive JSON serialization via an internal `WriteValue()` static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed to `object.to_json` triggers unbounded recursion, causing a `StackOverflowException` that terminates the hosting .NET process. This is a fatal, unrecoverable crash \u2014 `StackOverflowException` cannot be caught by user code in .NET.\n\n## Details\n\nThe vulnerable code is the `WriteValue()` static local function at `src/Scriban/Functions/ObjectFunctions.cs:494`:\n\n```csharp\nstatic void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value)\n{\n    var type = value?.GetType() ?? typeof(object);\n    if (value is null || value is string || value is bool ||\n        type.IsPrimitiveOrDecimal() || value is IFormattable)\n    {\n        JsonSerializer.Serialize(writer, value, type);\n    }\n    else if (value is IList || type.IsArray) {\n        writer.WriteStartArray();\n        foreach (var x in context.ToList(context.CurrentSpan, value))\n        {\n            WriteValue(context, writer, x);  // recursive, no depth check\n        }\n        writer.WriteEndArray();\n    }\n    else {\n        writer.WriteStartObject();\n        var accessor = context.GetMemberAccessor(value);\n        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))\n        {\n            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))\n            {\n                writer.WritePropertyName(member);\n                WriteValue(context, writer, memberValue);  // recursive, no depth check\n            }\n        }\n        writer.WriteEndObject();\n    }\n}\n```\n\nThis function has **none** of the safety mechanisms present in other recursive paths:\n\n- `ObjectToString()` at `TemplateContext.Helpers.cs:98` checks `ObjectRecursionLimit` (default 20)\n- `EnterRecursive()` at `TemplateContext.cs:957` calls `RuntimeHelpers.EnsureSufficientExecutionStack()`\n- `CheckAbort()` at `TemplateContext.cs:464` also calls `EnsureSufficientExecutionStack()`\n\nThe `WriteValue()` function bypasses all of these because it is a static local function that only takes the `TemplateContext` for member access \u2014 it never calls `EnterRecursive()`, never checks `ObjectRecursionLimit`, and never calls `EnsureSufficientExecutionStack()`.\n\n**Execution flow:**\n\n1. Template creates a ScriptObject: `{{ x = {} }}`\n2. Sets a self-reference: `x.self = x` \u2014 stores a reference in `ScriptObject.Store` dictionary\n3. Pipes to `object.to_json`: `x | object.to_json` \u2192 calls `ToJson()` at line 477\n4. `ToJson()` calls `WriteValue(context, writer, value)` at line 488\n5. `WriteValue` enters the `else` branch (line 515), gets members via accessor, finds \"self\"\n6. `TryGetValue` returns `x` itself, `WriteValue` recurses with the same object \u2014 infinite loop\n7. `StackOverflowException` is thrown \u2014 **fatal, cannot be caught, process terminates**\n\n## PoC\n\n```scriban\n{{ x = {}; x.self = x; x | object.to_json }}\n```\n\nIn a hosting application:\n\n```csharp\nusing Scriban;\n\n// This will crash the entire process with StackOverflowException\nvar template = Template.Parse(\"{{ x = {}; x.self = x; x | object.to_json }}\");\nvar result = template.Render(); // FATAL: process terminates here\n```\n\nEven without circular references, deeply nested objects can exhaust the stack since no depth limit is enforced:\n\n```scriban\n{{ a = {}\n   b = {inner: a}\n   c = {inner: b}\n   d = {inner: c}\n   # ... continue nesting ...\n   result = deepest | object.to_json }}\n```\n\n## Impact\n\n- **Process crash DoS**: Any application embedding Scriban for user-provided templates (CMS platforms, email template engines, report generators, static site generators) can be crashed by a single malicious template. The crash is unrecoverable \u2014 `StackOverflowException` terminates the .NET process.\n- **No try/catch protection possible**: Unlike most exceptions, `StackOverflowException` cannot be caught by application code. The hosting application cannot wrap `template.Render()` in a try/catch to survive this.\n- **No authentication required**: `object.to_json` is a default builtin function (registered in `BuiltinFunctions.cs`), available in all Scriban templates unless explicitly removed.\n- **Trivial to exploit**: The PoC is a single line of template code.\n\n## Recommended Fix\n\nAdd a depth counter parameter to `WriteValue()` and check it against `ObjectRecursionLimit`, consistent with how `ObjectToString` is protected. Also add `EnsureSufficientExecutionStack()` as a safety net:\n\n```csharp\nstatic void WriteValue(TemplateContext context, Utf8JsonWriter writer, object value, int depth = 0)\n{\n    if (context.ObjectRecursionLimit != 0 \u0026\u0026 depth \u003e context.ObjectRecursionLimit)\n    {\n        throw new ScriptRuntimeException(context.CurrentSpan,\n            $\"Exceeding object recursion limit `{context.ObjectRecursionLimit}` in object.to_json\");\n    }\n\n    try\n    {\n        RuntimeHelpers.EnsureSufficientExecutionStack();\n    }\n    catch (InsufficientExecutionStackException)\n    {\n        throw new ScriptRuntimeException(context.CurrentSpan,\n            \"Exceeding recursive depth limit in object.to_json, near to stack overflow\");\n    }\n\n    var type = value?.GetType() ?? typeof(object);\n    if (value is null || value is string || value is bool ||\n        type.IsPrimitiveOrDecimal() || value is IFormattable)\n    {\n        JsonSerializer.Serialize(writer, value, type);\n    }\n    else if (value is IList || type.IsArray) {\n        writer.WriteStartArray();\n        foreach (var x in context.ToList(context.CurrentSpan, value))\n        {\n            WriteValue(context, writer, x, depth + 1);\n        }\n        writer.WriteEndArray();\n    }\n    else {\n        writer.WriteStartObject();\n        var accessor = context.GetMemberAccessor(value);\n        foreach (var member in accessor.GetMembers(context, context.CurrentSpan, value))\n        {\n            if (accessor.TryGetValue(context, context.CurrentSpan, value, member, out var memberValue))\n            {\n                writer.WritePropertyName(member);\n                WriteValue(context, writer, memberValue, depth + 1);\n            }\n        }\n        writer.WriteEndObject();\n    }\n}\n```",
  "id": "GHSA-xcx6-vp38-8hr5",
  "modified": "2026-07-06T13:09:17Z",
  "published": "2026-03-24T22:15:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scriban/scriban/security/advisories/GHSA-xcx6-vp38-8hr5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scriban/scriban"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scriban has Uncontrolled Recursion in `object.to_json` Causing Unrecoverable Process Crash via StackOverflowException"
}

GHSA-XF55-65PG-X58P

Vulnerability from github – Published: 2024-01-03 09:30 – Updated: 2025-11-04 00:30
VLAI
Details

DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-03T08:15:11Z",
    "severity": "HIGH"
  },
  "details": "DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-xf55-65pg-x58p",
  "modified": "2025-11-04T00:30:42Z",
  "published": "2024-01-03T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0211"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/19557"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2024-05.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHJ5-RVCV-CCCG

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19
VLAI
Details

ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-04T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.",
  "id": "GHSA-xhj5-rvcv-cccg",
  "modified": "2022-05-24T17:19:18Z",
  "published": "2022-05-24T17:19:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13800"
    },
    {
      "type": "WEB",
      "url": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202011-09"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200717-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4467-1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2020/06/04/2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.