CWE-834
DiscouragedExcessive Iteration
Abstraction: Class · Status: Incomplete
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
124 vulnerabilities reference this CWE, most recent first.
GHSA-C945-CQJ5-WFV6
Vulnerability from github – Published: 2023-07-31 18:30 – Updated: 2024-06-21 21:33Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.
An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2023-3817"
],
"database_specific": {
"cwe_ids": [
"CWE-606",
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-31T16:15:10Z",
"severity": "MODERATE"
},
"details": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"id": "GHSA-c945-cqj5-wfv6",
"modified": "2024-06-21T21:33:53Z",
"published": "2023-07-31T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202402-08"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230818-0014"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231027-0008"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240621-0006"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20230731.txt"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jul/43"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/31/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/22/11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/22/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/06/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CHVF-MX8G-HJH2
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A "stall on CPU" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.
{
"affected": [],
"aliases": [
"CVE-2021-28950"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-20T20:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A \"stall on CPU\" can occur because a retry loop continually finds the same bad inode, aka CID-775c5033a0d1.",
"id": "GHSA-chvf-mx8g-hjh2",
"modified": "2022-05-24T17:44:58Z",
"published": "2022-05-24T17:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28950"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=775c5033a0d164622d9d10dd0f0a5531639ed3ed"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FB6LUXPEIRLZH32YXWZVEZAD4ZL6SDK2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRTPQE73ANG7D6M4L4PK5ZQDPO4Y2FVD"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CP8Q-FXV9-RFJ5
Vulnerability from github – Published: 2023-07-12 03:30 – Updated: 2024-04-04 06:00An issue was discovered in function get_gnu_verneed in rizinorg Rizin prior to 0.5.0 verneed_entry allows attackers to cause a denial of service via crafted elf file.
{
"affected": [],
"aliases": [
"CVE-2023-30226"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-12T02:15:09Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in function get_gnu_verneed in rizinorg Rizin prior to 0.5.0 verneed_entry allows attackers to cause a denial of service via crafted elf file.",
"id": "GHSA-cp8q-fxv9-rfj5",
"modified": "2024-04-04T06:00:54Z",
"published": "2023-07-12T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30226"
},
{
"type": "WEB",
"url": "https://github.com/rizinorg/rizin/commit/a6d89de0d44e776f9bccc3a168fdc79f604e14ed"
},
{
"type": "WEB",
"url": "https://github.com/ifyGecko/CVE-2023-30226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CRP8-6V6M-QVRP
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF check might cause huge CPU and memory consumption. When a crafted CINE file, which claims a large "duration" field in the header but does not contain sufficient backing data, is provided, the image-offset parsing loop would consume huge CPU and memory resources, since there is no EOF check inside the loop.
{
"affected": [],
"aliases": [
"CVE-2017-14059"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-31T15:29:00Z",
"severity": "HIGH"
},
"details": "In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF check might cause huge CPU and memory consumption. When a crafted CINE file, which claims a large \"duration\" field in the header but does not contain sufficient backing data, is provided, the image-offset parsing loop would consume huge CPU and memory resources, since there is no EOF check inside the loop.",
"id": "GHSA-crp8-6v6m-qvrp",
"modified": "2022-05-13T01:43:18Z",
"published": "2022-05-13T01:43:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14059"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/commit/7e80b63ecd259d69d383623e75b318bf2bd491f6"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3996"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100631"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CRVW-8J55-4XXV
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18An issue was discovered in Free Lossless Image Format (FLIF) 0.3. An attacker can trigger a long loop in image_load_pnm in image/image-pnm.cpp.
{
"affected": [],
"aliases": [
"CVE-2018-11507"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-28T04:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Free Lossless Image Format (FLIF) 0.3. An attacker can trigger a long loop in image_load_pnm in image/image-pnm.cpp.",
"id": "GHSA-crvw-8j55-4xxv",
"modified": "2022-05-13T01:18:56Z",
"published": "2022-05-13T01:18:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11507"
},
{
"type": "WEB",
"url": "https://github.com/FLIF-hub/FLIF/issues/509"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F8R4-MF27-RF7M
Vulnerability from github – Published: 2025-09-30 18:30 – Updated: 2025-10-06 20:59Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "financejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-56571"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770",
"CWE-834"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-30T21:59:58Z",
"nvd_published_at": "2025-09-30T16:15:52Z",
"severity": "HIGH"
},
"details": "Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function\u2019s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.",
"id": "GHSA-f8r4-mf27-rf7m",
"modified": "2025-10-06T20:59:43Z",
"published": "2025-09-30T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56571"
},
{
"type": "PACKAGE",
"url": "https://github.com/ebradyjobory/finance.js"
},
{
"type": "WEB",
"url": "https://medium.com/@nakah_/cve-2025-56571-and-cve-2025-56572-denial-of-service-vulnerabilities-in-finance-js-78f8b399f53b"
},
{
"type": "WEB",
"url": "https://raw.githack.com/ebradyjobory/finance.js/6d571ea2a86d08491ceb584e292e9b76b0a60636/finance.js"
},
{
"type": "WEB",
"url": "http://financejs.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Finance.js vulnerable to DoS via the IRR function\u2019s depth parameter"
}
GHSA-FJF3-QW96-MMW3
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mp4 file.
{
"affected": [],
"aliases": [
"CVE-2017-9255"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-27T12:29:00Z",
"severity": "HIGH"
},
"details": "The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mp4 file.",
"id": "GHSA-fjf3-qw96-mmw3",
"modified": "2022-05-13T01:47:52Z",
"published": "2022-05-13T01:47:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9255"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Jun/32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FWF5-79MR-RPVF
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42The ReadOneJNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a malformed JNG file.
{
"affected": [],
"aliases": [
"CVE-2017-11505"
],
"database_specific": {
"cwe_ids": [
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-21T16:29:00Z",
"severity": "HIGH"
},
"details": "The ReadOneJNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a malformed JNG file.",
"id": "GHSA-fwf5-79mr-rpvf",
"modified": "2022-05-13T01:42:22Z",
"published": "2022-05-13T01:42:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11505"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/526"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867824"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8P6-P27C-52FX
Vulnerability from github – Published: 2023-11-03 09:32 – Updated: 2023-11-03 19:47In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.parsson:project"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.parsson:project"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4043"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-834"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-03T19:47:25Z",
"nvd_published_at": "2023-11-03T09:15:13Z",
"severity": "MODERATE"
},
"details": "In Eclipse Parsson before versions 1.1.4 and 1.0.5, Parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.\n\n\nTo mitigate the risk, parsson put in place a size limit for the numbers as well as their scale.\n\n\n",
"id": "GHSA-g8p6-p27c-52fx",
"modified": "2023-11-03T19:47:25Z",
"published": "2023-11-03T09:32:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4043"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-ee4j/parsson/pull/100"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Eclipse Parsson Denial of Service vulnerability"
}
GHSA-GM89-9QF3-7P24
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4. A samba user could send an empty UDP packet to cause the samba server to crash.
{
"affected": [],
"aliases": [
"CVE-2020-14303"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-834"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the AD DC NBT server in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4. A samba user could send an empty UDP packet to cause the samba server to crash.",
"id": "GHSA-gm89-9qf3-7p24",
"modified": "2022-05-24T17:22:25Z",
"published": "2022-05-24T17:22:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14303"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1851298;"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6YLNQ5GRXUKYRUAOFZ4DUBVN4SMTL6Q2"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-15"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200709-0003"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4454-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4454-2"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2020-14303.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00030.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00054.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.