CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-8F6J-9HH3-9C9X
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree.
{
"affected": [],
"aliases": [
"CVE-2020-16094"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree.",
"id": "GHSA-8f6j-9hh3-9c9x",
"modified": "2022-05-24T17:24:33Z",
"published": "2022-05-24T17:24:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16094"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CRKHUOVTJBHT53J4CYU53PXYYQKSGEA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBLHUG2UCXVABAGN5FVTD3AB3YKE5NN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNJIXYDMSXYDII4ERMQ4EEKZX64U3QR4"
},
{
"type": "WEB",
"url": "https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8F7G-VMW6-89M7
Vulnerability from github – Published: 2022-12-04 06:30 – Updated: 2022-12-06 15:30Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
{
"affected": [],
"aliases": [
"CVE-2022-46405"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-04T04:15:00Z",
"severity": "HIGH"
},
"details": "Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.",
"id": "GHSA-8f7g-vmw6-89m7",
"modified": "2022-12-06T15:30:30Z",
"published": "2022-12-04T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46405"
},
{
"type": "WEB",
"url": "https://borg.social/notes/98bcoo2t1n"
},
{
"type": "WEB",
"url": "https://hackmd.io/rD9nsTz1QeuPT-erxqjY-A"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8H8C-F86R-PF3C
Vulnerability from github – Published: 2025-02-19 00:31 – Updated: 2025-11-03 21:32A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.
{
"affected": [],
"aliases": [
"CVE-2024-57257"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-18T23:15:09Z",
"severity": "LOW"
},
"details": "A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.",
"id": "GHSA-8h8c-f86r-pf3c",
"modified": "2025-11-03T21:32:46Z",
"published": "2025-02-19T00:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57257"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html"
},
{
"type": "WEB",
"url": "https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/02/17/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8MPR-6XR2-CHHC
Vulnerability from github – Published: 2026-03-12 14:02 – Updated: 2026-03-12 14:02Summary
Magick fails to check for circular references between two MSLs, leading to a stack overflow.
Details
After reading a.msl using magick, the following is displayed:
MSLStartElement -> ReadImage -> ReadMSLImage -> ProcessMSLScript -> xmlParseChunk -> xmlParseTryOrFinish -> MSLStartElement
AddressSanitizer:DEADLYSIGNAL
=================================================================
==114345==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x72509fc7d804 bp 0x7ffd6598b390 sp 0x7ffd6598ab20 T0)
#0 0x72509fc7d804 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:388
[...]
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25971"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-12T14:02:04Z",
"nvd_published_at": "2026-02-24T02:16:02Z",
"severity": "MODERATE"
},
"details": "### Summary\nMagick fails to check for circular references between two MSLs, leading to a stack overflow.\n\n### Details\nAfter reading a.msl using magick, the following is displayed:\n\n`MSLStartElement` -\u003e `ReadImage` -\u003e `ReadMSLImage` -\u003e `ProcessMSLScript` -\u003e `xmlParseChunk` -\u003e `xmlParseTryOrFinish` -\u003e `MSLStartElement`\n\n```bash\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==114345==ERROR: AddressSanitizer: UNKNOWN SIGNAL on unknown address 0x000000000000 (pc 0x72509fc7d804 bp 0x7ffd6598b390 sp 0x7ffd6598ab20 T0)\n #0 0x72509fc7d804 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:388\n[...]\n```",
"id": "GHSA-8mpr-6xr2-chhc",
"modified": "2026-03-12T14:02:04Z",
"published": "2026-03-12T14:02:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8mpr-6xr2-chhc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25971"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
},
{
"type": "WEB",
"url": "https://github.com/dlemstra/Magick.NET/releases/tag/14.10.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick: MSL - Stack overflow in ProcessMSLScript"
}
GHSA-8PFC-JJGW-6G26
Vulnerability from github – Published: 2026-04-03 21:45 – Updated: 2026-04-06 23:18Summary
The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process.
Details
The root cause is in src/parser.ts. The restOfExp function (line 443) iterates through expression characters, and when it encounters a closing bracket that doesn't match the expected firstOpening, it recursively calls itself at line 503:
// src/parser.ts:486-505
} else if (closings[char]) {
// ...
if (char === firstOpening) {
done = true;
break;
} else {
const skip = restOfExp(constants, part.substring(i + 1), [], char); // line 503
cache.set(skip.start - 1, skip.end);
i += skip.length + 1;
}
}
Each nested bracket ((, [, {) adds a stack frame. There is no depth counter or limit check. The function signature has no depth parameter:
export function restOfExp(
constants: IConstants,
part: CodeString,
tests?: RegExp[],
quote?: string,
firstOpening?: string,
closingsTests?: RegExp[],
details: restDetails = {},
): CodeString {
A second unbounded recursive path exists through lispify → lispTypes.get(type) → group handler → lispifyExpr (line 672) → lispify, which processes parenthesized groups recursively with no depth limit.
All public API methods (Sandbox.parse(), Sandbox.compile(), Sandbox.compileAsync(), Sandbox.compileExpression(), Sandbox.compileExpressionAsync()) pass user input directly to parse() with no input validation or depth limiting.
A RangeError: Maximum call stack size exceeded in Node.js is not a catchable exception in the normal sense — it crashes the current execution context and, in a server handling requests synchronously, can crash the entire process.
PoC
# Install the package
npm install @nyariv/sandboxjs
# Create test file
cat > poc.js << 'EOF'
const { default: Sandbox } = require('@nyariv/sandboxjs');
const s = new Sandbox();
// Trigger via nested parentheses
console.log("Testing nested parentheses...");
try {
s.compile('('.repeat(2000) + '1' + ')'.repeat(2000));
console.log("No crash");
} catch(e) {
console.log(`Crash: ${e.constructor.name}: ${e.message}`);
}
// Trigger via nested array brackets
console.log("Testing nested array brackets...");
try {
s.compile('a' + '[0]'.repeat(2000));
console.log("No crash");
} catch(e) {
console.log(`Crash: ${e.constructor.name}: ${e.message}`);
}
EOF
node poc.js
Expected output:
Testing nested parentheses...
Crash: RangeError: Maximum call stack size exceeded
Testing nested array brackets...
Crash: RangeError: Maximum call stack size exceeded
Verified on Node.js v22 with @nyariv/sandboxjs@0.8.35.
Impact
Any application using @nyariv/sandboxjs to parse untrusted user input is vulnerable to denial of service. Since SandboxJS is explicitly designed to safely execute untrusted JavaScript, its primary use case involves untrusted input — making this a high-impact vulnerability for its intended deployment scenario.
An attacker can crash the host Node.js process with a single crafted input string. In server-side applications, this causes complete service disruption. The attack payload is trivial to construct and requires no authentication.
Recommended Fix
Add a depth parameter to restOfExp and throw a ParseError when a maximum depth is exceeded:
// src/parser.ts - restOfExp function
const MAX_PARSE_DEPTH = 256;
export function restOfExp(
constants: IConstants,
part: CodeString,
tests?: RegExp[],
quote?: string,
firstOpening?: string,
closingsTests?: RegExp[],
details: restDetails = {},
depth: number = 0, // ADD depth parameter
): CodeString {
if (depth > MAX_PARSE_DEPTH) {
throw new ParseError('Expression nesting depth exceeded', part.toString());
}
// ... existing code ...
// At line 503, pass depth + 1:
const skip = restOfExp(constants, part.substring(i + 1), [], char, undefined, undefined, {}, depth + 1);
// At line 480 (template literal), also pass depth + 1:
const skip = restOfExp(constants, part.substring(i + 2), [], '{', undefined, undefined, {}, depth + 1);
}
Similarly, add depth tracking to lispify and lispifyExpr:
function lispify(
constants: IConstants,
part: CodeString,
expected?: readonly string[],
lispTree?: Lisp,
topLevel = false,
depth: number = 0, // ADD depth parameter
): Lisp {
if (depth > MAX_PARSE_DEPTH) {
throw new ParseError('Expression nesting depth exceeded', part.toString());
}
// ... pass depth + 1 to recursive lispify/lispifyExpr calls ...
}
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.8.35"
},
"package": {
"ecosystem": "npm",
"name": "@nyariv/sandboxjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34211"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T21:45:14Z",
"nvd_published_at": "2026-04-06T16:16:34Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `@nyariv/sandboxjs` parser contains unbounded recursion in the `restOfExp` function and the `lispify`/`lispifyExpr` call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a `RangeError: Maximum call stack size exceeded` that terminates the process.\n\n## Details\n\nThe root cause is in `src/parser.ts`. The `restOfExp` function (line 443) iterates through expression characters, and when it encounters a closing bracket that doesn\u0027t match the expected `firstOpening`, it recursively calls itself at line 503:\n\n```typescript\n// src/parser.ts:486-505\n} else if (closings[char]) {\n // ...\n if (char === firstOpening) {\n done = true;\n break;\n } else {\n const skip = restOfExp(constants, part.substring(i + 1), [], char); // line 503\n cache.set(skip.start - 1, skip.end);\n i += skip.length + 1;\n }\n}\n```\n\nEach nested bracket (`(`, `[`, `{`) adds a stack frame. There is no depth counter or limit check. The function signature has no depth parameter:\n\n```typescript\nexport function restOfExp(\n constants: IConstants,\n part: CodeString,\n tests?: RegExp[],\n quote?: string,\n firstOpening?: string,\n closingsTests?: RegExp[],\n details: restDetails = {},\n): CodeString {\n```\n\nA second unbounded recursive path exists through `lispify` \u2192 `lispTypes.get(type)` \u2192 `group` handler \u2192 `lispifyExpr` (line 672) \u2192 `lispify`, which processes parenthesized groups recursively with no depth limit.\n\nAll public API methods (`Sandbox.parse()`, `Sandbox.compile()`, `Sandbox.compileAsync()`, `Sandbox.compileExpression()`, `Sandbox.compileExpressionAsync()`) pass user input directly to `parse()` with no input validation or depth limiting.\n\nA `RangeError: Maximum call stack size exceeded` in Node.js is not a catchable exception in the normal sense \u2014 it crashes the current execution context and, in a server handling requests synchronously, can crash the entire process.\n\n## PoC\n\n```bash\n# Install the package\nnpm install @nyariv/sandboxjs\n\n# Create test file\ncat \u003e poc.js \u003c\u003c \u0027EOF\u0027\nconst { default: Sandbox } = require(\u0027@nyariv/sandboxjs\u0027);\nconst s = new Sandbox();\n\n// Trigger via nested parentheses\nconsole.log(\"Testing nested parentheses...\");\ntry {\n s.compile(\u0027(\u0027.repeat(2000) + \u00271\u0027 + \u0027)\u0027.repeat(2000));\n console.log(\"No crash\");\n} catch(e) {\n console.log(`Crash: ${e.constructor.name}: ${e.message}`);\n}\n\n// Trigger via nested array brackets\nconsole.log(\"Testing nested array brackets...\");\ntry {\n s.compile(\u0027a\u0027 + \u0027[0]\u0027.repeat(2000));\n console.log(\"No crash\");\n} catch(e) {\n console.log(`Crash: ${e.constructor.name}: ${e.message}`);\n}\nEOF\n\nnode poc.js\n```\n\n**Expected output:**\n```\nTesting nested parentheses...\nCrash: RangeError: Maximum call stack size exceeded\nTesting nested array brackets...\nCrash: RangeError: Maximum call stack size exceeded\n```\n\nVerified on Node.js v22 with `@nyariv/sandboxjs@0.8.35`.\n\n## Impact\n\nAny application using `@nyariv/sandboxjs` to parse untrusted user input is vulnerable to denial of service. Since SandboxJS is explicitly designed to safely execute untrusted JavaScript, its primary use case involves untrusted input \u2014 making this a high-impact vulnerability for its intended deployment scenario.\n\nAn attacker can crash the host Node.js process with a single crafted input string. In server-side applications, this causes complete service disruption. The attack payload is trivial to construct and requires no authentication.\n\n## Recommended Fix\n\nAdd a `depth` parameter to `restOfExp` and throw a `ParseError` when a maximum depth is exceeded:\n\n```typescript\n// src/parser.ts - restOfExp function\nconst MAX_PARSE_DEPTH = 256;\n\nexport function restOfExp(\n constants: IConstants,\n part: CodeString,\n tests?: RegExp[],\n quote?: string,\n firstOpening?: string,\n closingsTests?: RegExp[],\n details: restDetails = {},\n depth: number = 0, // ADD depth parameter\n): CodeString {\n if (depth \u003e MAX_PARSE_DEPTH) {\n throw new ParseError(\u0027Expression nesting depth exceeded\u0027, part.toString());\n }\n // ... existing code ...\n\n // At line 503, pass depth + 1:\n const skip = restOfExp(constants, part.substring(i + 1), [], char, undefined, undefined, {}, depth + 1);\n\n // At line 480 (template literal), also pass depth + 1:\n const skip = restOfExp(constants, part.substring(i + 2), [], \u0027{\u0027, undefined, undefined, {}, depth + 1);\n}\n```\n\nSimilarly, add depth tracking to `lispify` and `lispifyExpr`:\n\n```typescript\nfunction lispify(\n constants: IConstants,\n part: CodeString,\n expected?: readonly string[],\n lispTree?: Lisp,\n topLevel = false,\n depth: number = 0, // ADD depth parameter\n): Lisp {\n if (depth \u003e MAX_PARSE_DEPTH) {\n throw new ParseError(\u0027Expression nesting depth exceeded\u0027, part.toString());\n }\n // ... pass depth + 1 to recursive lispify/lispifyExpr calls ...\n}\n```",
"id": "GHSA-8pfc-jjgw-6g26",
"modified": "2026-04-06T23:18:26Z",
"published": "2026-04-03T21:45:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34211"
},
{
"type": "PACKAGE",
"url": "https://github.com/nyariv/SandboxJS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser"
}
GHSA-8QVM-5X2C-J2W7
Vulnerability from github – Published: 2025-06-16 16:02 – Updated: 2025-06-16 16:02Summary
Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team ecosystem@trailofbits.com
Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.
This is a Python variant of a previous issue affecting protobuf-java.
Severity
This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.
Proof of Concept
For reproduction details, please refer to the unit tests decoder_test.py and message_test
Remediation and Mitigation
A mitigation is available now. Please update to the latest available versions of the following packages: * protobuf-python(4.25.8, 5.29.5, 6.31.1)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.25.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "5.26.0rc1"
},
{
"fixed": "5.29.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "protobuf"
},
"ranges": [
{
"events": [
{
"introduced": "6.30.0rc1"
},
{
"fixed": "6.31.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4565"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-16T16:02:58Z",
"nvd_published_at": "2025-06-16T15:15:24Z",
"severity": "HIGH"
},
"details": "### Summary\nAny project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team\n[ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com)\n\nAffected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.\n\nThis is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8).\n\n### Severity\nThis is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478)\n\n### Remediation and Mitigation\nA mitigation is available now. Please update to the latest available versions of the following packages:\n* protobuf-python(4.25.8, 5.29.5, 6.31.1)",
"id": "GHSA-8qvm-5x2c-j2w7",
"modified": "2025-06-16T16:02:58Z",
"published": "2025-06-16T16:02:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8qvm-5x2c-j2w7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4565"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901"
},
{
"type": "PACKAGE",
"url": "https://github.com/protocolbuffers/protobuf"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478"
},
{
"type": "WEB",
"url": "https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "protobuf-python has a potential Denial of Service issue"
}
GHSA-8R93-F22G-X9VJ
Vulnerability from github – Published: 2026-05-19 09:31 – Updated: 2026-05-19 09:31Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads.
This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
{
"affected": [],
"aliases": [
"CVE-2026-47309"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T07:16:29Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads.\n\nThis issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.",
"id": "GHSA-8r93-f22g-x9vj",
"modified": "2026-05-19T09:31:19Z",
"published": "2026-05-19T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47309"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/escargot/pull/1565"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WCC-M6J2-QXVM
Vulnerability from github – Published: 2024-12-16 19:33 – Updated: 2024-12-23 17:13Summary
ASA-2024-0012
Name: ASA-2024-0012, Transaction decoding may result in a stack overflow Component: Cosmos SDK Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2) Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14 Affected users: Chain Builders + Maintainers, Validators, node operators
ASA-2024-0013
Name: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion
Component: Cosmos SDK
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmos-sdk versions <= v0.50.10, <= v0.47.14
Affected users: Chain Builders + Maintainers, Validators, node operators
Impact
ASA-2024-0012
When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.
ASA-2024-0013
Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. Themax_tx_bytes sets a limit for external TX but is not applied for internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.
Patches
The issues above are resolved in Cosmos SDK versions v0.47.15 or v0.50.11. Please upgrade ASAP.
Timeline for ASA-2024-0012
- October 1, 2024, 12:29pm UTC: Issue reported to the Cosmos Bug Bounty program
- October 1, 2024, 2:47pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
- December 9, 2024, 11:13am UTC: Core team completes patch for issue
- Dec 14, 2024,16:00 UTC: Pre-notification delivered
- Dec 16, 2024, 16:00 UTC: Patch made available
This issue was reported to the Cosmos Bug Bounty Program on HackerOne on October 1, 2024.
Timeline for ASA-2024-0013
- October 19, 2024, 8:12pm UTC: Issue reported to the Cosmos Bug Bounty program
- October 19, 2024, 8:28pm UTC: Issue triaged by Amulet on-call, and distributed to Core team
- December 11, 2024, 3:31pm UTC: Core team completes patch for issue
- Dec 14, 2024, 16:00 UTC: Pre-notification delivered
- Dec 16, 2024, 16:00 UTC: Patch made available
This issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 19, 2024.
If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.50.0-alpha.0"
},
{
"fixed": "0.50.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.47.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "cosmossdk.io/x/tx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-16T19:33:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary \n\n### ASA-2024-0012\nName: ASA-2024-0012, Transaction decoding may result in a stack overflow\nComponent: Cosmos SDK\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: cosmos-sdk versions \u003c= v0.50.10, \u003c= v0.47.14\nAffected users: Chain Builders + Maintainers, Validators, node operators\n\n### ASA-2024-0013\nName: ASA-2024-0013: CosmosSDK: Transaction decoding may result in resource exhaustion \nComponent: Cosmos SDK\nCriticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: cosmos-sdk versions \u003c= v0.50.10, \u003c= v0.47.14\nAffected users: Chain Builders + Maintainers, Validators, node operators\n\n\n\n### Impact\n\n### ASA-2024-0012\n\nWhen decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet.\n\n### ASA-2024-0013\n\nNested messages in a transaction can consume exponential cpu and memory on `UnpackAny` calls. The`max_tx_bytes` sets a limit for external TX but is not applied for internal messages emitted by wasm contracts or a malicious validator block. This may result in a node crashing due to resource exhaustion. This was addressed by adding additional validation to prevent this condition.\n\n\n### Patches\n\nThe issues above are resolved in Cosmos SDK versions v0.47.15 or v0.50.11.\nPlease upgrade ASAP.\n\n### Timeline for ASA-2024-0012\n\n* October 1, 2024, 12:29pm UTC: Issue reported to the Cosmos Bug Bounty program\n* October 1, 2024, 2:47pm UTC: Issue triaged by Amulet on-call, and distributed to Core team\n* December 9, 2024, 11:13am UTC: Core team completes patch for issue\n* Dec 14, 2024,16:00 UTC: Pre-notification delivered\n* Dec 16, 2024, 16:00 UTC: Patch made available\n\nThis issue was reported to the Cosmos Bug Bounty Program on HackerOne on October 1, 2024.\n\n### Timeline for ASA-2024-0013\n\n* October 19, 2024, 8:12pm UTC: Issue reported to the Cosmos Bug Bounty program\n* October 19, 2024, 8:28pm UTC: Issue triaged by Amulet on-call, and distributed to Core team\n* December 11, 2024, 3:31pm UTC: Core team completes patch for issue\n* Dec 14, 2024, 16:00 UTC: Pre-notification delivered\n* Dec 16, 2024, 16:00 UTC: Patch made available\n\nThis issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 19, 2024. \n\n\nIf you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security. ",
"id": "GHSA-8wcc-m6j2-qxvm",
"modified": "2024-12-23T17:13:22Z",
"published": "2024-12-16T19:33:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/commit/c6b1bdcd5628e3e425a3f02881d3c7db1d7af653"
},
{
"type": "PACKAGE",
"url": "https://github.com/cosmos/cosmos-sdk"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.15"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion "
}
GHSA-8WRW-HCVF-R5F8
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2025-01-24 18:31In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2023-2663"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-11T21:15:10Z",
"severity": "MODERATE"
},
"details": "\u00a0In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.\n\n\n",
"id": "GHSA-8wrw-hcvf-r5f8",
"modified": "2025-01-24T18:31:05Z",
"published": "2023-07-06T21:14:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2663"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?t=42421"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-94GC-V83R-7M7W
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.
{
"affected": [],
"aliases": [
"CVE-2016-9597"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-30T14:29:00Z",
"severity": "HIGH"
},
"details": "It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as CVE-2016-3705.",
"id": "GHSA-94gc-v83r-7m7w",
"modified": "2022-05-13T01:38:28Z",
"published": "2022-05-13T01:38:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9597"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9597"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98567"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.