Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

615 vulnerabilities reference this CWE, most recent first.

GHSA-M6HM-534H-7MXM

Vulnerability from github – Published: 2025-08-04 18:30 – Updated: 2025-08-04 21:30
VLAI
Details

An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the mutool clean utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the strip_outline() function enters infinite recursion

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-04T18:15:34Z",
    "severity": "HIGH"
  },
  "details": "An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion",
  "id": "GHSA-m6hm-534h-7mxm",
  "modified": "2025-08-04T21:30:42Z",
  "published": "2025-08-04T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46206"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=708521"
    },
    {
      "type": "WEB",
      "url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=0ec7e4d2201bb6df217e01c17396d36297abf9ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Landw-hub/CVE-2025-46206"
    },
    {
      "type": "WEB",
      "url": "http://artifex.com"
    },
    {
      "type": "WEB",
      "url": "http://mupdf.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M79Q-HHMW-W23C

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 15:30
VLAI
Details

FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:37Z",
    "severity": "MODERATE"
  },
  "details": "FC-SWILS protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
  "id": "GHSA-m79q-hhmw-w23c",
  "modified": "2026-04-30T15:30:38Z",
  "published": "2026-04-30T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5406"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/21070"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21070"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-10.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7RC-8W7M-R9QR

Vulnerability from github – Published: 2025-04-10 21:07 – Updated: 2025-04-10 21:08
VLAI
Summary
SurrealDB vulnerable to memory exhaustion via nested functions and scripts
Details

In order to prevent DoS situations due to infinite recursions, SurrealDB implements a limit of nested calls for both native functions and embedded JavaScript functions.

However, in SurrealDB instances with embedded scripting functions enabled, it was found that this limit can be circumvented by utilizing both at the same time. If a native function contains JavaScript which issues a new query that calls that function, the recursion limit is not triggered.

Once executed, SurrealDB will follow the path of infinite recursions until the system runs out of memory, prior to the recursion limit being triggered.

This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or --allow-all and equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.

This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Medium, matched by our CVSS v4 assessment.

Impact

For SurrealDB instances with embedded scripting functions enabled, this attack could be used to perform a DoS attack on the server by an authenticated user.

Patches

A patch has been created that further limits scripting function call limit recursion depth and disallows multiple calls to surreadb.query() to run in parallel in a scripting function.

  • Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.

Workarounds

Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.

References

SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T21:07:44Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "In order to prevent DoS situations due to infinite recursions, SurrealDB implements a limit of nested calls for both native functions and embedded JavaScript functions.\n\nHowever, in SurrealDB instances with embedded scripting functions enabled, it was found that this limit can be circumvented by utilizing both at the same time. If a native function contains JavaScript which issues a new query that calls that function, the recursion limit is not triggered.\n\nOnce executed, SurrealDB will follow the path of infinite recursions until the system runs out of memory, prior to the recursion limit being triggered.\n\nThis vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with `--allow-scripting` or \n`--allow-all` and equivalent environment variables `SURREAL_CAPS_ALLOW_SCRIPT=true` and `SURREAL_CAPS_ALLOW_ALL=true`.\n\nThis issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53\u0027s preliminary finding is Medium, matched by our CVSS v4 assessment.\n\n### Impact\nFor SurrealDB instances with embedded scripting functions enabled, this attack could be used to perform a DoS attack on the server by an authenticated user. \n\n### Patches\nA patch has been created that further limits scripting function call limit recursion depth and disallows multiple calls to `surreadb.query()` to run in parallel in a scripting function.\n\n- Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.\n\n### Workarounds\nDeny execution of embedded scripting functions through the configuration of [capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities#capabilities) by starting SurrealDB with the `--deny-scripting` flag or the equivalent environment variable `SURREAL_CAPS_DENY_SCRIPT=true`. This has a usability implication, although scripting functions are disabled by default.\n\n### References\n[SurrealDB Documentation - Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n[SurrealQL Documentation - Scripting Functions](https://surrealdb.com/docs/surrealql/functions/script)",
  "id": "GHSA-m7rc-8w7m-r9qr",
  "modified": "2025-04-10T21:08:00Z",
  "published": "2025-04-10T21:07:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-m7rc-8w7m-r9qr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SurrealDB vulnerable to memory exhaustion via nested functions and scripts"
}

GHSA-M7W9-72W4-PJR5

Vulnerability from github – Published: 2025-01-08 06:30 – Updated: 2025-01-08 06:30
VLAI
Details

cpdf through 2.8 allows stack consumption via a crafted PDF document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T05:15:11Z",
    "severity": "MODERATE"
  },
  "details": "cpdf through 2.8 allows stack consumption via a crafted PDF document.",
  "id": "GHSA-m7w9-72w4-pjr5",
  "modified": "2025-01-08T06:30:55Z",
  "published": "2025-01-08T06:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/johnwhitington/cpdf-source/issues/366"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MCGJ-MGJ8-8CR3

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "libqpdf.a in QPDF through 8.0.2 mishandles certain \"expected dictionary key but found non-name object\" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because nesting in direct objects is not restricted.",
  "id": "GHSA-mcgj-mgj8-8cr3",
  "modified": "2022-05-13T01:53:58Z",
  "published": "2022-05-13T01:53:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qpdf/qpdf/issues/202"
    },
    {
      "type": "WEB",
      "url": "https://github.com/qpdf/qpdf/commit/b4d6cf6836ce025ba1811b7bbec52680c7204223"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3638-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHPP-875W-9CPV

Vulnerability from github – Published: 2018-01-22 13:32 – Updated: 2025-09-02 22:35
VLAI
Summary
Denial of Service in jquery
Details

Affected versions of jquery use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, jquery enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.

Recommendation

Update to version 3.0.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc.1"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0-rc.1"
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "jQuery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc.1"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0-rc.1"
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.webjars.npm:jquery"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc1"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0-rc1"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "jquery-rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-rc.1"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0-rc.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:46:22Z",
    "nvd_published_at": "2018-01-18T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of `jquery` use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.",
  "id": "GHSA-mhpp-875w-9cpv",
  "modified": "2025-09-02T22:35:01Z",
  "published": "2018-01-22T13:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery/issues/3133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery/issues/3133#issuecomment-358978489"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery/jquery/pull/3134"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mhpp-875w-9cpv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jquery/jquery"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:jquery:20160529"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/330"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in jquery"
}

GHSA-MHWH-83QC-J6X4

Vulnerability from github – Published: 2026-06-23 18:31 – Updated: 2026-06-23 18:31
VLAI
Details

MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T18:17:41Z",
    "severity": "HIGH"
  },
  "details": "MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.",
  "id": "GHSA-mhwh-83qc-j6x4",
  "modified": "2026-06-23T18:31:43Z",
  "published": "2026-06-23T18:31:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71382"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArtifexSoftware/mupdf/commit/70b71ab22e6de4d4c44cd301c88231f623a4e94e"
    },
    {
      "type": "WEB",
      "url": "https://bugs.ghostscript.com/show_bug.cgi?id=708840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0-rc1"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/mupdf-rc1-stack-exhaustion-dos-via-epub-css-rendering"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MJRG-RF9G-9J6R

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself in certain scenarios involving lots of '!' or '+' or '-' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-15T00:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the function expr6 in eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion problem caused by the expr6 function making recursive calls to itself in certain scenarios involving lots of \u0027!\u0027 or \u0027+\u0027 or \u0027-\u0027 characters. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted asm file.",
  "id": "GHSA-mjrg-rf9g-9j6r",
  "modified": "2022-05-13T01:22:40Z",
  "published": "2022-05-13T01:22:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6291"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.nasm.us/show_bug.cgi?id=3392549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MQMP-4MCP-VG8V

Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-11-07 22:19
VLAI
Summary
Apache ORC vulnerable to Uncontrolled Recursion
Details

In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.orc:orc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-8015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-07T22:19:20Z",
    "nvd_published_at": "2018-05-18T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an endlessly recursive function call in the C++ or Java parser. The impact of this bug is most likely denial-of-service against software that uses the ORC file parser. With the C++ parser, the stack overflow might possibly corrupt the stack.",
  "id": "GHSA-mqmp-4mcp-vg8v",
  "modified": "2022-11-07T22:19:20Z",
  "published": "2022-05-13T01:20:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8015"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/orc/pull/266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/orc/commit/d5018d309a8adc6b8e0567cb692a17371d16e108"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/orc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/orc/blob/9cf9d26a20ac4d43911d7967ecaef8ef26b60594/site/security/CVE-2018-8015.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/orc/commits/rel/release-1.4.4"
    },
    {
      "type": "WEB",
      "url": "https://orc.apache.org/security/CVE-2018-8015"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache ORC vulnerable to Uncontrolled Recursion"
}

GHSA-MR64-XWWR-MX4C

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has completed its operation, via an event channel, so that the relevant vCPU is rescheduled. If the device model were to signal Xen without having actually completed the operation, the de-schedule / re-schedule cycle would repeat. If, in addition, Xen is resignalled very quickly, the re-schedule may occur before the de-schedule was fully complete, triggering a shortcut. This potentially repeating process uses ordinary recursive function calls, and thus could result in a stack overflow. A malicious or buggy stubdomain serving a HVM guest can cause Xen to crash, resulting in a Denial of Service (DoS) to the entire host. Only x86 systems are affected. Arm systems are not affected. Only x86 stubdomains serving HVM guests can exploit the vulnerability.",
  "id": "GHSA-mr64-xwwr-mx4c",
  "modified": "2022-05-24T17:36:34Z",
  "published": "2022-05-24T17:36:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29566"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2C6M6S3CIMEBACH6O7V4H2VDANMO6TVA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLV6L6Q24PPQ2CRFXDX4Q76KU776GKI"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-30"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4812"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-348.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.