CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
621 vulnerabilities reference this CWE, most recent first.
GHSA-364H-VXJM-52RP
Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-22 15:31A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).
{
"affected": [],
"aliases": [
"CVE-2026-6862"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T14:17:08Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node\u0027s Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).",
"id": "GHSA-364h-vxjm-52rp",
"modified": "2026-04-22T15:31:45Z",
"published": "2026-04-22T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6862"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6862"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-369H-PJR2-6WRH
Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:25There's a stack overflow leading to a crash when Trust-DNS's parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression (RFC1035 section 4.1.4). The parser could be tricked into infinite loop when a compression offset pointed back to the same domain name to be parsed. This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "trust-dns-proto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-20994"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:24:41Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "There\u0027s a stack overflow leading to a crash when Trust-DNS\u0027s parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression (RFC1035 section 4.1.4). The parser could be tricked into infinite loop when a compression offset pointed back to the same domain name to be parsed. This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software.",
"id": "GHSA-369h-pjr2-6wrh",
"modified": "2023-06-13T22:25:06Z",
"published": "2021-08-25T20:43:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20994"
},
{
"type": "PACKAGE",
"url": "https://github.com/bluejekyll/trust-dns"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled recursion in trust-dns-proto"
}
GHSA-382J-8MXH-C7X2
Vulnerability from github – Published: 2026-06-25 18:35 – Updated: 2026-06-25 18:35Summary
MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes.
A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process.
Impact
Applications are affected when they deserialize untrusted payloads into types containing DateTime values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.
MessagePackSecurity.UntrustedData and MaximumObjectGraphDepth do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.
An attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.
Affected components
- Package:
MessagePack - API:
MessagePackReader.ReadDateTime - Data types:
DateTimeand formatter paths that callReadDateTime - Finding IDs:
MESSAGEPACKCSHARP-020, related stack allocation findingMESSAGEPACKCSHARP-CROW-MEM-001
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.
Workarounds
Patching is recommended.
Until a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain DateTime or DateTimeOffset values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.
There is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.
Resources
MESSAGEPACKCSHARP-020:ReadDateTimestack allocation from attacker-controlled extension lengthMESSAGEPACKCSHARP-CROW-MEM-001: related attacker-controlled stack allocation finding inMessagePackReader- CWE-770: Allocation of Resources Without Limits or Throttling
CVE split rationale
This vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48502"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-125",
"CWE-190",
"CWE-407",
"CWE-409",
"CWE-470",
"CWE-502",
"CWE-674",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:35:48Z",
"nvd_published_at": "2026-06-22T22:16:47Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`MessagePackReader.ReadDateTime()` can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed `tokenSize` includes the extension body length from the wire and is used in a `stackalloc` operation before the extension length is validated as one of the valid timestamp sizes.\n\nA very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable `StackOverflowException`, terminating the host process.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into types containing `DateTime` values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.\n\n`MessagePackSecurity.UntrustedData` and `MaximumObjectGraphDepth` do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.\n\nAn attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `MessagePackReader.ReadDateTime`\n- Data types: `DateTime` and formatter paths that call `ReadDateTime`\n- Finding IDs: `MESSAGEPACKCSHARP-020`, related stack allocation finding `MESSAGEPACKCSHARP-CROW-MEM-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain `DateTime` or `DateTimeOffset` values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.\n\nThere is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-020`: `ReadDateTime` stack allocation from attacker-controlled extension length\n- `MESSAGEPACKCSHARP-CROW-MEM-001`: related attacker-controlled stack allocation finding in `MessagePackReader`\n- CWE-770: Allocation of Resources Without Limits or Throttling\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.",
"id": "GHSA-382j-8mxh-c7x2",
"modified": "2026-06-25T18:35:48Z",
"published": "2026-06-25T18:35:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48502"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows"
}
GHSA-38X5-6RJP-VC28
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.
{
"affected": [],
"aliases": [
"CVE-2018-16426"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-04T00:29:00Z",
"severity": "MODERATE"
},
"details": "Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.",
"id": "GHSA-38x5-6rjp-vc28",
"modified": "2022-05-13T01:50:21Z",
"published": "2022-05-13T01:50:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16426"
},
{
"type": "WEB",
"url": "https://github.com/OpenSC/OpenSC/commit/03628449b75a93787eb2359412a3980365dda49b#diff-f8c0128e14031ed9307d47f10f601b54"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2154"
},
{
"type": "WEB",
"url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-397J-7MPF-RM74
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.
{
"affected": [],
"aliases": [
"CVE-2018-11254"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-18T19:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.",
"id": "GHSA-397j-7mpf-rm74",
"modified": "2022-05-13T01:49:10Z",
"published": "2022-05-13T01:49:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11254"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-39FP-MQMM-GXJ6
Vulnerability from github – Published: 2024-03-29 16:36 – Updated: 2025-05-07 18:49Impact
A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.
Patches
Upgrade to v4.4.7 or later. See upgrading guide.
Workarounds
- Disabling Auto Routing prevents a known attack vector in the framework.
- Do not pass invalid values to the
lang()function orLanguageclass.
References
- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization
- https://codeigniter4.github.io/userguide/general/common_functions.html#lang
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "codeigniter4/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29904"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-29T16:36:38Z",
"nvd_published_at": "2024-03-29T16:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\nA vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.\n\n### Patches\nUpgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).\n\n### Workarounds\n- Disabling Auto Routing prevents a known attack vector in the framework.\n- Do not pass invalid values to the `lang()` function or `Language` class.\n\n### References\n- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization\n- https://codeigniter4.github.io/userguide/general/common_functions.html#lang",
"id": "GHSA-39fp-mqmm-gxj6",
"modified": "2025-05-07T18:49:41Z",
"published": "2024-03-29T16:36:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29904"
},
{
"type": "WEB",
"url": "https://github.com/codeigniter4/CodeIgniter4/commit/fa851acbae7ae4c5a97f8f38ae87aa0822a334c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/codeigniter4/CodeIgniter4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CodeIgniter4 DoS Vulnerability"
}
GHSA-39VW-QP34-RMWF
Vulnerability from github – Published: 2021-08-25 21:00 – Updated: 2023-06-13 21:03Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "serde_yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0-rc1"
},
{
"fixed": "0.8.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-06T17:45:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.\n",
"id": "GHSA-39vw-qp34-rmwf",
"modified": "2023-06-13T21:03:35Z",
"published": "2021-08-25T21:00:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dtolnay/serde-yaml/pull/105"
},
{
"type": "WEB",
"url": "https://github.com/dtolnay/serde-yaml/commit/b93aff6e904cffbbfd1f421b82f6dcc5ca19a4fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/dtolnay/serde-yaml"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2018-0005.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Uncontrolled recursion leads to abort in deserialization"
}
GHSA-3C37-WWVX-H642
Vulnerability from github – Published: 2026-03-23 20:23 – Updated: 2026-03-25 20:38Summary
- The
cbor2library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension (
_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising aRecursionError. In some environments, this exception is not caught, thus causing the service process to terminate. - While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python's global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g.,
0x81). Whencbor2.loads()attempts to parse this, it hits the interpreter's recursion limit, causing the call to raise aRecursionError. - By sending a stream of small (<100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.
Details
- The vulnerability stems from the recursive design of the
CBORDecoderclass, specifically how it decodes nested container types like Arrays and Maps. - Inside
decode_array(and similarlydecode_map), the decoder iterates through the number of elements specified in the CBOR header. For each element, it callsself.decode()again to parse the nested item. This recursive call lacks a depth-tracking mechanism. - Vulnerable Code Locations:
cbor2/decoder.py(Pure Python implementation)source/decoder.c(C extension implementation)- Execution Flow:
- The
cbor2.loads()function initializes aCBORDecoderand calls itsdecode()method. - The
decode()method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it callsdecode_array. decode_arrayloops and callsself.decode()for each item, leading to deep recursion when parsing a payload like[...[...[1]...]...].
PoC
import cbor2
DEPTH = 1000
payload = b'\x81' * DEPTH + b'\x01'
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering decoder...")
try:
cbor2.loads(payload)
print("[+] Parsed successfully (Not Vulnerable)")
except RecursionError:
print("\n[!] VULNERABLE: RecursionError triggered!")
except Exception as e:
print(f"\n[-] Unexpected Error: {type(e).__name__}: {e}")
Impact
- Scope: This vulnerability affects any application using
cbor2to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption). - Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.
Credit
This issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.0"
},
"package": {
"ecosystem": "PyPI",
"name": "cbor2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26209"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-23T20:23:57Z",
"nvd_published_at": "2026-03-23T19:16:39Z",
"severity": "HIGH"
},
"details": "### Summary\n\n- The `cbor2` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.\n- This vulnerability affects both the pure Python implementation and the C extension (`_cbor2`). The C extension correctly uses Python\u0027s C-API for recursion protection (`Py_EnterRecursiveCall`), but this mechanism is designed to prevent a stack overflow by raising a `RecursionError`. In some environments, this exception is not caught, thus causing the service process to terminate.\n- While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python\u0027s global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., `0x81`). When `cbor2.loads()` attempts to parse this, it hits the interpreter\u0027s recursion limit, causing the call to raise a `RecursionError`.\n- By sending a stream of small (\u003c100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.\n\n### Details\n\n- The vulnerability stems from the recursive design of the `CBORDecoder` class, specifically how it decodes nested container types like Arrays and Maps.\n- Inside `decode_array` (and similarly `decode_map`), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls `self.decode()` again to parse the nested item. This recursive call lacks a depth-tracking mechanism.\n- Vulnerable Code Locations:\n - `cbor2/decoder.py` (Pure Python implementation)\n - `source/decoder.c` (C extension implementation)\n- Execution Flow:\n 1. The `cbor2.loads()` function initializes a `CBORDecoder` and calls its `decode()` method.\n 2. The `decode()` method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls `decode_array`.\n 3. `decode_array` loops and calls `self.decode()` for each item, leading to deep recursion when parsing a payload like `[...[...[1]...]...]`.\n\n### PoC\n\n```\nimport cbor2\n\nDEPTH = 1000\n\npayload = b\u0027\\x81\u0027 * DEPTH + b\u0027\\x01\u0027\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering decoder...\")\n\ntry:\n cbor2.loads(payload)\n print(\"[+] Parsed successfully (Not Vulnerable)\")\nexcept RecursionError:\n print(\"\\n[!] VULNERABLE: RecursionError triggered!\")\nexcept Exception as e:\n print(f\"\\n[-] Unexpected Error: {type(e).__name__}: {e}\")\n```\n\n### Impact\n\n- Scope: This vulnerability affects any application using `cbor2` to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).\n- Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.\n\n### Credit\n\nThis issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.",
"id": "GHSA-3c37-wwvx-h642",
"modified": "2026-03-25T20:38:41Z",
"published": "2026-03-23T20:23:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26209"
},
{
"type": "WEB",
"url": "https://github.com/agronholm/cbor2/pull/275"
},
{
"type": "WEB",
"url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b"
},
{
"type": "PACKAGE",
"url": "https://github.com/agronholm/cbor2"
},
{
"type": "WEB",
"url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads"
}
GHSA-3F92-Q4C5-7PPR
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.
{
"affected": [],
"aliases": [
"CVE-2018-11597"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-31T16:29:00Z",
"severity": "MODERATE"
},
"details": "Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many \u0027{\u0027 characters in jsparse.c.",
"id": "GHSA-3f92-q4c5-7ppr",
"modified": "2022-05-13T01:49:18Z",
"published": "2022-05-13T01:49:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11597"
},
{
"type": "WEB",
"url": "https://github.com/espruino/Espruino/issues/1448"
},
{
"type": "WEB",
"url": "https://github.com/espruino/Espruino/commit/51380baf17241728b6d48cdb84140b931e3e3cc5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3FFH-3H59-484G
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-09-20 00:30A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.
{
"affected": [],
"aliases": [
"CVE-2019-20395"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-22T22:15:00Z",
"severity": "MODERATE"
},
"details": "A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.",
"id": "GHSA-3ffh-3h59-484g",
"modified": "2023-09-20T00:30:15Z",
"published": "2022-05-24T17:07:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20395"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/issues/724"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793924"
},
{
"type": "WEB",
"url": "https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.