Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1052 vulnerabilities reference this CWE, most recent first.

GHSA-PQFR-X96J-G24P

Vulnerability from github – Published: 2026-03-09 15:30 – Updated: 2026-03-10 18:31
VLAI
Details

GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-09T15:15:50Z",
    "severity": "MODERATE"
  },
  "details": "GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis.",
  "id": "GHSA-pqfr-x96j-g24p",
  "modified": "2026-03-10T18:31:16Z",
  "published": "2026-03-09T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69647"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33640"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQM4-6J9H-7C39

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-16T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file.",
  "id": "GHSA-pqm4-6j9h-7c39",
  "modified": "2022-05-13T01:23:17Z",
  "published": "2022-05-13T01:23:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/1095"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3681-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRFM-CHH2-JJ5H

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop because sym2 and counter can both remain equal to zero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-12913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-27T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop because sym2 and counter can both remain equal to zero.",
  "id": "GHSA-prfm-chh2-jj5h",
  "modified": "2022-05-13T01:49:41Z",
  "published": "2022-05-13T01:49:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/richgel999/miniz/issues/90"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVHQ-7XGC-XMJM

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1999012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-23T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially crafted PVA file has to be provided as input. This vulnerability appears to have been fixed in 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 and later.",
  "id": "GHSA-pvhq-7xgc-xmjm",
  "modified": "2022-05-13T01:50:55Z",
  "published": "2022-05-13T01:50:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999012"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104896"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVPH-JWXQ-QCXW

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-10 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor.

Add a proper size check to abort the loop for plugging the hole.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()\n\nThe convert_chmap_v3() has a loop with its increment size of\ncs_desc-\u003ewLength, but we forgot to validate cs_desc-\u003ewLength itself,\nwhich may lead to potential endless loop by a malformed descriptor.\n\nAdd a proper size check to abort the loop for plugging the hole.",
  "id": "GHSA-pvph-jwxq-qcxw",
  "modified": "2026-06-10T21:31:24Z",
  "published": "2026-05-28T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46146"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/076d5d13eb9c1ad259a7f246149f6676c62285f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24a40df79307ca7ca0eec0889361cf6ac146d72a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/316aa0b1e3c5600eae5ab876394c1ac70e6db581"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWC9-Q2GC-2RCH

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:36
VLAI
Details

In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero record size.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-12T23:59:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file parser could go into an infinite loop, triggered by a malformed capture file. This was addressed in wiretap/netscaler.c by ensuring a nonzero record size.",
  "id": "GHSA-pwc9-q2gc-2rch",
  "modified": "2025-04-20T03:36:00Z",
  "published": "2022-05-13T01:47:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7700"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13478"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=8fc0af859de4993951a915ad735be350221f3f53"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8fc0af859de4993951a915ad735be350221f3f53"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201706-12"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2017-14.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97631"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038262"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWFH-2PJ9-F3RC

Vulnerability from github – Published: 2024-06-13 18:31 – Updated: 2024-08-28 15:31
VLAI
Details

libyaml v0.2.5 is vulnerable to DDOS. Affected by this issue is the function yaml_parser_parse of the file /src/libyaml/src/parser.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T16:15:11Z",
    "severity": "HIGH"
  },
  "details": "libyaml v0.2.5 is vulnerable to DDOS. Affected by this issue is the function yaml_parser_parse of the file /src/libyaml/src/parser.c.",
  "id": "GHSA-pwfh-2pj9-f3rc",
  "modified": "2024-08-28T15:31:13Z",
  "published": "2024-06-13T18:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idhyt/pocs/blob/main/libyaml/CVE-2024-35328.c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idhyt/pocs/tree/main/libyaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX9G-8HGV-JVG2

Vulnerability from github – Published: 2022-10-06 19:53 – Updated: 2022-10-06 19:53
VLAI
Summary
kamadak-exif vulnerable to Infinite loop when parsing PNG files
Details

Impact

Reader::read_from_container can cause an infinite loop when a crafted PNG file is given.

Patches

Version 0.5.3 includes the fix.

Workarounds

No workaround is available. Applications that do not pass files with the PNG signature to Reader::read_from_container are not affected.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/kamadak/exif-rs

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "kamadak-exif"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.2"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.5.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21235"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T19:53:39Z",
    "nvd_published_at": "2021-01-06T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nReader::read_from_container can cause an infinite loop when a crafted PNG file is given.\n\n### Patches\nVersion 0.5.3 includes the fix.\n\n### Workarounds\nNo workaround is available.\nApplications that do not pass files with the PNG signature to Reader::read_from_container are not affected.\n\n### References\n* \u003chttps://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2\u003e\n* \u003chttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21235\u003e\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/kamadak/exif-rs](https://github.com/kamadak/exif-rs)",
  "id": "GHSA-px9g-8hgv-jvg2",
  "modified": "2022-10-06T19:53:39Z",
  "published": "2022-10-06T19:53:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21235"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kamadak/exif-rs/commit/1b05eab57e484cd7d576d4357b9cda7fdc57df8c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kamadak/exif-rs/commit/f21df24616ea611c5d5d0e0e2f8042eb74d5ff48"
    },
    {
      "type": "WEB",
      "url": "https://crates.io/crates/kamadak-exif"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kamadak/exif-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2021-0143.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "kamadak-exif vulnerable to Infinite loop when parsing PNG files"
}

GHSA-PXH5-6RRC-8RJV

Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-05-20 15:35
VLAI
Summary
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
Details

Impact

Unauthenticated denial of service.

Summary

When installing provider or module packages from attacker-controlled servers, the server may cause tofu initto enter an infinite loop sending garbage data to that server.

Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. Other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.

These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.

Details

OpenTofu relies a third-party implementations of HTTP2 from the standard library of the Go programming language.

The Go project has recently published the following advisory for that implementation, which indirectly affects OpenTofu's behavior:

  • CVE-2026-33814: Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

OpenTofu's threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the described problem would occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because it affect the transport of the packages rather than the content of the packages.

An attacker can exploit this by controlling the HTTP2 implementation of the server where the dependencies are hosted, causing it to send a crafted "SETTINGS" frame which sets the maximum frame size to zero.

However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.

Patches

OpenTofu v1.11.8 addresses this vulnerability by being built against Go 1.25.10, which contains an improved version of the upstream implementation.

The OpenTofu v1.10 and v1.9 series are also impacted by this vulnerability. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.25.10 for those series would effectively end support for certain versions of macOS, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.10 or v1.9 releases we recommend planning to upgrade to OpenTofu v1.11.8 in the near future, and reviewing the Workarounds section below in the meantime.

Workarounds

This vulnerability can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.

Successful exploitation requires that the attacker control an HTTP2 server that tofu init would contact during dependency installation. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opentofu/opentofu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-20T15:35:45Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nUnauthenticated denial of service.\n\n### Summary\n\nWhen installing provider or module packages from attacker-controlled servers, the server may cause `tofu init`to enter an infinite loop sending garbage data to that server.\n\nThose who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. Other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.\n\nThese vulnerabilities **do not** permit arbitrary code execution or allow disclosure of confidential information.\n\n### Details\n\nOpenTofu relies a third-party implementations of HTTP2 from the standard library of the Go programming language.\n\nThe Go project has recently published the following advisory for that implementation, which indirectly affects OpenTofu\u0027s behavior:\n\n- [CVE-2026-33814](https://www.cve.org/CVERecord?id=CVE-2026-33814):  Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net\n\nOpenTofu\u0027s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of _installing_ these dependencies with `tofu init`, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the described problem would occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because it affect the transport of the packages rather than the content of the packages.\n\nAn attacker can exploit this by controlling the HTTP2 implementation of the server where the dependencies are hosted, causing it to send a crafted \"SETTINGS\" frame which sets the maximum frame size to zero.\n\nHowever, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the `tofu init` process, which does not execute third-party dependency code itself.\n\n### Patches\n\nOpenTofu v1.11.8 addresses this vulnerability by being built against Go 1.25.10, which contains an improved version of the upstream implementation.\n\nThe OpenTofu v1.10 and v1.9 series are also impacted by this vulnerability. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.25.10 for those series would effectively end support for certain versions of macOS, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.10 or v1.9 releases we recommend planning to upgrade to OpenTofu v1.11.8 in the near future, and reviewing the Workarounds section below in the meantime.\n\n### Workarounds\n\nThis vulnerability can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running `tofu init`. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.\n\nSuccessful exploitation requires that the attacker control an HTTP2 server that `tofu init` would contact during dependency installation. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control.\n\n### References\n\n- [OpenTofu v1.11.8 Release Notes](https://github.com/opentofu/opentofu/releases/tag/v1.11.8)\n- https://github.com/opentofu/opentofu/pull/4098\n- https://github.com/opentofu/opentofu/issues/4094",
  "id": "GHSA-pxh5-6rrc-8rjv",
  "modified": "2026-05-20T15:35:45Z",
  "published": "2026-05-20T15:35:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-pxh5-6rrc-8rjv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opentofu/opentofu/issues/4094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opentofu/opentofu/pull/4098"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opentofu/opentofu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opentofu/opentofu/releases/tag/v1.11.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTofu: Excessive resource usage in \"tofu init\" when installing dependencies from attacker-controlled server"
}

GHSA-PXW4-94J3-V9PF

Vulnerability from github – Published: 2025-04-11 14:09 – Updated: 2025-04-11 14:09
VLAI
Summary
SurrealDB CPU exhaustion via custom functions result in total DoS
Details

SurrealDB allows authenticated users with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions using the DEFINE FUNCTION statement

A custom database function comprises a name together with a function body. In the function body, the user programs the functionality of the function in terms of SurrealQL. The language includes a FOR keyword, used to implement for-loops.

Whilst the parser and interpreter constrain the number of iterations for a single for-loop, nesting several for-loops with a large number of iterations is possible. Thus, an attacker could define a function that comprises several nested for-loops with an iteration count of 1.000.000 each.

Executing the function will consume all the CPU time of the server, timeouts configured will not break the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, commands of other users, or allowing further connections being established to the server.

Terminating the stuck server requires manual intervention which forces a quit on the server process, as the server application is not responsive any longer.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is high, matched by our CVSS v4 assessment.

Impact

Denial of Service vulnerability resulting in a stuck SurrealDB server requiring manual restart.

Patches

A patch has been introduced that adds a check in the ForEachStatement that checks if the context has been cancelled or timed out for every iteration.

  • Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.

Workarounds

For SurrealDB users that are unable to upgrade, consider setting the --allow-functions and/or --deny-functions options or corresponding SURREAL_CAPS_ALLOW_FUNC and/or SURREAL_CAPS_DENY_FUNC environment variables, documented within capabilities, to either block all custom functions, or only allow trusted functions to execute.

References

SurrealQL Documentation - DEFINE FUNCTION Statement SurrealQL Documentation - FOR Statement SurrealDB Documentation - Capabilities SurrealDB Documentation - Environment variables #5597

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-11T14:09:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "SurrealDB allows authenticated users with `OWNER` or `EDITOR` permissions at the root, database or namespace levels to define their own database functions using the `DEFINE FUNCTION` statement\n\nA custom database function comprises a name together with a function body. In the function body, the user programs the functionality of the function in terms of SurrealQL. The language includes a `FOR` keyword, used to implement for-loops.\n\nWhilst the parser and interpreter constrain the number of iterations for a single for-loop, nesting several for-loops with a large number of iterations is possible. Thus, an attacker could define a function that comprises several nested for-loops with an iteration count of 1.000.000 each. \n\nExecuting the function will consume all the CPU time of the server, timeouts configured will not break the CPU consumption, and the function execution monopolizes all CPU time of the SurrealDB server, effectively preventing the server from executing functions, queries, commands of other users, or allowing further connections being established to the server.\n\nTerminating the stuck server requires manual intervention which forces a quit on the server process, as the server application is not responsive any longer.\n\nThis issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53\u0027s preliminary finding is high, matched by our CVSS v4 assessment.\n\n### Impact\nDenial of Service vulnerability resulting in a stuck SurrealDB server requiring manual restart.\n\n### Patches\nA patch has been introduced that adds a check in the `ForEachStatement` that checks if the context has been cancelled or timed out for every iteration.\n\n- Versions 2.0.5, 2.1.5, 2.2.2, and later are not affected by this issue.\n\n### Workarounds\nFor SurrealDB users that are unable to upgrade, consider setting the `--allow-functions` and/or `--deny-functions` options or corresponding `SURREAL_CAPS_ALLOW_FUNC` and/or `SURREAL_CAPS_DENY_FUNC` environment variables, documented within [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions), to either block all custom functions, or only allow trusted functions to execute. \n\n\n### References\n[SurrealQL Documentation - DEFINE FUNCTION Statement](https://surrealdb.com/docs/surrealql/statements/define/function)\n[SurrealQL Documentation - FOR Statement](https://surrealdb.com/docs/surrealql/statements/for)\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#functions)\n[SurrealDB Documentation - Environment variables](https://surrealdb.com/docs/surrealdb/cli/env#command-environment-variables)\n[#5597](https://github.com/surrealdb/surrealdb/pull/5597)",
  "id": "GHSA-pxw4-94j3-v9pf",
  "modified": "2025-04-11T14:09:14Z",
  "published": "2025-04-11T14:09:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-pxw4-94j3-v9pf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5597"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB CPU exhaustion via custom functions result in total DoS"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.