Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

621 vulnerabilities reference this CWE, most recent first.

GHSA-364H-VXJM-52RP

Vulnerability from github – Published: 2026-04-22 15:31 – Updated: 2026-04-22 15:31
VLAI
Details

A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node's Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-22T14:17:08Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in libefiboot, a component of efivar. The device path node parser in libefiboot fails to validate that each node\u0027s Length field is at least 4 bytes, which is the minimum size for an EFI (Extensible Firmware Interface) device path node header. A local user could exploit this vulnerability by providing a specially crafted device path node. This can lead to infinite recursion, causing stack exhaustion and a process crash, resulting in a denial of service (DoS).",
  "id": "GHSA-364h-vxjm-52rp",
  "modified": "2026-04-22T15:31:45Z",
  "published": "2026-04-22T15:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6862"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-6862"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459982"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-369H-PJR2-6WRH

Vulnerability from github – Published: 2021-08-25 20:43 – Updated: 2023-06-13 22:25
VLAI
Summary
Uncontrolled recursion in trust-dns-proto
Details

There's a stack overflow leading to a crash when Trust-DNS's parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression (RFC1035 section 4.1.4). The parser could be tricked into infinite loop when a compression offset pointed back to the same domain name to be parsed. This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "trust-dns-proto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:24:41Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "There\u0027s a stack overflow leading to a crash when Trust-DNS\u0027s parses a malicious DNS packet. Affected versions of this crate did not properly handle parsing of DNS message compression (RFC1035 section 4.1.4). The parser could be tricked into infinite loop when a compression offset pointed back to the same domain name to be parsed. This allows an attacker to craft a malicious DNS packet which when consumed with Trust-DNS could cause stack overflow and crash the affected software.",
  "id": "GHSA-369h-pjr2-6wrh",
  "modified": "2023-06-13T22:25:06Z",
  "published": "2021-08-25T20:43:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20994"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bluejekyll/trust-dns"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled recursion in trust-dns-proto"
}

GHSA-382J-8MXH-C7X2

Vulnerability from github – Published: 2026-06-25 18:35 – Updated: 2026-06-25 18:35
VLAI
Summary
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Details

Summary

MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes.

A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process.

Impact

Applications are affected when they deserialize untrusted payloads into types containing DateTime values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.

MessagePackSecurity.UntrustedData and MaximumObjectGraphDepth do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.

An attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.

Affected components

  • Package: MessagePack
  • API: MessagePackReader.ReadDateTime
  • Data types: DateTime and formatter paths that call ReadDateTime
  • Finding IDs: MESSAGEPACKCSHARP-020, related stack allocation finding MESSAGEPACKCSHARP-CROW-MEM-001

Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

  1. Upgrade MessagePack to the patched version for your release line.
  2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

The fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.

Workarounds

Patching is recommended.

Until a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain DateTime or DateTimeOffset values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.

There is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.

Resources

  • MESSAGEPACKCSHARP-020: ReadDateTime stack allocation from attacker-controlled extension length
  • MESSAGEPACKCSHARP-CROW-MEM-001: related attacker-controlled stack allocation finding in MessagePackReader
  • CWE-770: Allocation of Resources Without Limits or Throttling

CVE split rationale

This vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "MessagePack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0"
            },
            {
              "fixed": "3.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-125",
      "CWE-190",
      "CWE-407",
      "CWE-409",
      "CWE-470",
      "CWE-502",
      "CWE-674",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:35:48Z",
    "nvd_published_at": "2026-06-22T22:16:47Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`MessagePackReader.ReadDateTime()` can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed `tokenSize` includes the extension body length from the wire and is used in a `stackalloc` operation before the extension length is validated as one of the valid timestamp sizes.\n\nA very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable `StackOverflowException`, terminating the host process.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into types containing `DateTime` values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.\n\n`MessagePackSecurity.UntrustedData` and `MaximumObjectGraphDepth` do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.\n\nAn attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `MessagePackReader.ReadDateTime`\n- Data types: `DateTime` and formatter paths that call `ReadDateTime`\n- Finding IDs: `MESSAGEPACKCSHARP-020`, related stack allocation finding `MESSAGEPACKCSHARP-CROW-MEM-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain `DateTime` or `DateTimeOffset` values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.\n\nThere is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-020`: `ReadDateTime` stack allocation from attacker-controlled extension length\n- `MESSAGEPACKCSHARP-CROW-MEM-001`: related attacker-controlled stack allocation finding in `MessagePackReader`\n- CWE-770: Allocation of Resources Without Limits or Throttling\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.",
  "id": "GHSA-382j-8mxh-c7x2",
  "modified": "2026-06-25T18:35:48Z",
  "published": "2026-06-25T18:35:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48502"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows"
}

GHSA-38X5-6RJP-VC28

Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50
VLAI
Details

Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-04T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Endless recursion when handling responses from an IAS-ECC card in iasecc_select_file in libopensc/card-iasecc.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to hang or crash the opensc library using programs.",
  "id": "GHSA-38x5-6rjp-vc28",
  "modified": "2022-05-13T01:50:21Z",
  "published": "2022-05-13T01:50:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/commit/03628449b75a93787eb2359412a3980365dda49b#diff-f8c0128e14031ed9307d47f10f601b54"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-397J-7MPF-RM74

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-18T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in PoDoFo 0.9.5. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054.",
  "id": "GHSA-397j-7mpf-rm74",
  "modified": "2022-05-13T01:49:10Z",
  "published": "2022-05-13T01:49:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11254"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576174"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-39FP-MQMM-GXJ6

Vulnerability from github – Published: 2024-03-29 16:36 – Updated: 2025-05-07 18:49
VLAI
Summary
CodeIgniter4 DoS Vulnerability
Details

Impact

A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.

Patches

Upgrade to v4.4.7 or later. See upgrading guide.

Workarounds

  • Disabling Auto Routing prevents a known attack vector in the framework.
  • Do not pass invalid values to the lang() function or Language class.

References

  • https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization
  • https://codeigniter4.github.io/userguide/general/common_functions.html#lang
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674",
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T16:36:38Z",
    "nvd_published_at": "2024-03-29T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.\n\n### Patches\nUpgrade to v4.4.7 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_447.html).\n\n### Workarounds\n- Disabling Auto Routing prevents a known attack vector in the framework.\n- Do not pass invalid values to the `lang()` function or `Language` class.\n\n### References\n- https://codeigniter4.github.io/userguide/outgoing/localization.html#language-localization\n- https://codeigniter4.github.io/userguide/general/common_functions.html#lang",
  "id": "GHSA-39fp-mqmm-gxj6",
  "modified": "2025-05-07T18:49:41Z",
  "published": "2024-03-29T16:36:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29904"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/commit/fa851acbae7ae4c5a97f8f38ae87aa0822a334c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/CodeIgniter4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CodeIgniter4 DoS Vulnerability"
}

GHSA-39VW-QP34-RMWF

Vulnerability from github – Published: 2021-08-25 21:00 – Updated: 2023-06-13 21:03
VLAI
Summary
Uncontrolled recursion leads to abort in deserialization
Details

Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "serde_yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.0-rc1"
            },
            {
              "fixed": "0.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-06T17:45:03Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of this crate did not properly check for recursion while deserializing aliases. This allows an attacker to make a YAML file with an alias referring to itself causing an abort. The flaw was corrected by checking the recursion depth.\n",
  "id": "GHSA-39vw-qp34-rmwf",
  "modified": "2023-06-13T21:03:35Z",
  "published": "2021-08-25T21:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dtolnay/serde-yaml/pull/105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dtolnay/serde-yaml/commit/b93aff6e904cffbbfd1f421b82f6dcc5ca19a4fd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dtolnay/serde-yaml"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2018-0005.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Uncontrolled recursion leads to abort in deserialization"
}

GHSA-3C37-WWVX-H642

Vulnerability from github – Published: 2026-03-23 20:23 – Updated: 2026-03-25 20:38
VLAI
Summary
cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
Details

Summary

  • The cbor2 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.
  • This vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising a RecursionError. In some environments, this exception is not caught, thus causing the service process to terminate.
  • While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python's global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., 0x81). When cbor2.loads() attempts to parse this, it hits the interpreter's recursion limit, causing the call to raise a RecursionError.
  • By sending a stream of small (<100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.

Details

  • The vulnerability stems from the recursive design of the CBORDecoder class, specifically how it decodes nested container types like Arrays and Maps.
  • Inside decode_array (and similarly decode_map), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls self.decode() again to parse the nested item. This recursive call lacks a depth-tracking mechanism.
  • Vulnerable Code Locations:
  • cbor2/decoder.py (Pure Python implementation)
  • source/decoder.c (C extension implementation)
  • Execution Flow:
  • The cbor2.loads() function initializes a CBORDecoder and calls its decode() method.
  • The decode() method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls decode_array.
  • decode_array loops and calls self.decode() for each item, leading to deep recursion when parsing a payload like [...[...[1]...]...].

PoC

import cbor2

DEPTH = 1000

payload = b'\x81' * DEPTH + b'\x01'
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering decoder...")

try:
    cbor2.loads(payload)
    print("[+] Parsed successfully (Not Vulnerable)")
except RecursionError:
    print("\n[!] VULNERABLE: RecursionError triggered!")
except Exception as e:
    print(f"\n[-] Unexpected Error: {type(e).__name__}: {e}")

Impact

  • Scope: This vulnerability affects any application using cbor2 to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).
  • Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.

Credit

This issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "cbor2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T20:23:57Z",
    "nvd_published_at": "2026-03-23T19:16:39Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n- The `cbor2` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures.\n- This vulnerability affects both the pure Python implementation and the C extension (`_cbor2`). The C extension correctly uses Python\u0027s C-API for recursion protection (`Py_EnterRecursiveCall`), but this mechanism is designed to prevent a stack overflow by raising a `RecursionError`. In some environments, this exception is not caught, thus causing the service process to terminate.\n- While the library handles moderate nesting, it lacks a configurable, data-driven depth limit independent of Python\u0027s global recursion setting. An attacker can supply a crafted CBOR payload containing thousands of nested arrays (e.g., `0x81`). When `cbor2.loads()` attempts to parse this, it hits the interpreter\u0027s recursion limit, causing the call to raise a `RecursionError`.\n- By sending a stream of small (\u003c100KB) malicious packets, an attacker can repeatedly crash worker processes faster than they can be restarted, resulting in a complete and sustained Denial of Service.\n\n### Details\n\n- The vulnerability stems from the recursive design of the `CBORDecoder` class, specifically how it decodes nested container types like Arrays and Maps.\n- Inside `decode_array` (and similarly `decode_map`), the decoder iterates through the number of elements specified in the CBOR header. For each element, it calls `self.decode()` again to parse the nested item. This recursive call lacks a depth-tracking mechanism.\n- Vulnerable Code Locations:\n  - `cbor2/decoder.py` (Pure Python implementation)\n  - `source/decoder.c` (C extension implementation)\n- Execution Flow:\n  1. The `cbor2.loads()` function initializes a `CBORDecoder` and calls its `decode()` method.\n  2. The `decode()` method reads the initial byte and dispatches control to a specific handler based on the major type. For an Array (Major Type 4), it calls `decode_array`.\n  3. `decode_array` loops and calls `self.decode()` for each item, leading to deep recursion when parsing a payload like `[...[...[1]...]...]`.\n\n### PoC\n\n```\nimport cbor2\n\nDEPTH = 1000\n\npayload = b\u0027\\x81\u0027 * DEPTH + b\u0027\\x01\u0027\nprint(f\"[*] Payload size: {len(payload) / 1024:.2f} KB\")\nprint(\"[*] Triggering decoder...\")\n\ntry:\n    cbor2.loads(payload)\n    print(\"[+] Parsed successfully (Not Vulnerable)\")\nexcept RecursionError:\n    print(\"\\n[!] VULNERABLE: RecursionError triggered!\")\nexcept Exception as e:\n    print(f\"\\n[-] Unexpected Error: {type(e).__name__}: {e}\")\n```\n\n### Impact\n\n- Scope: This vulnerability affects any application using `cbor2` to parse untrusted data. Common use cases include IoT data processing, WebAuthn (FIDO2) authentication flows, and inter-service communication over COSE (CBOR Object Signing and Encryption).\n- Attack Vector: A remote, unauthenticated attacker can achieve a full Denial of Service with a highly efficient, low-bandwidth attack. A payload under 100KB is sufficient to reliably terminate a Python worker process.\n\n### Credit\n\nThis issue was discovered by Kevin Tu of TMIR at ByteDance. The patch was developed by @agronholm.",
  "id": "GHSA-3c37-wwvx-h642",
  "modified": "2026-03-25T20:38:41Z",
  "published": "2026-03-23T20:23:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/security/advisories/GHSA-3c37-wwvx-h642"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/pull/275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/commit/e61a5f365ba610d5907a0ae1bc72769bba34294b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agronholm/cbor2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agronholm/cbor2/releases/tag/5.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads"
}

GHSA-3F92-Q4C5-7PPR

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many '{' characters in jsparse.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-31T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Espruino before 1.99 allows attackers to cause a denial of service (application crash) with a user crafted input file via a Buffer Overflow during syntax parsing because of a missing check for stack exhaustion with many \u0027{\u0027 characters in jsparse.c.",
  "id": "GHSA-3f92-q4c5-7ppr",
  "modified": "2022-05-13T01:49:18Z",
  "published": "2022-05-13T01:49:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/espruino/Espruino/issues/1448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/espruino/Espruino/commit/51380baf17241728b6d48cdb84140b931e3e3cc5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FFH-3H59-484G

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2023-09-20 00:30
VLAI
Details

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-22T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.",
  "id": "GHSA-3ffh-3h59-484g",
  "modified": "2023-09-20T00:30:15Z",
  "published": "2022-05-24T17:07:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20395"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/issues/724"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1793924"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.