CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
621 vulnerabilities reference this CWE, most recent first.
GHSA-WF5X-CR3R-XR77
Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-22 16:32This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10761"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-15T18:36:08Z",
"nvd_published_at": "2022-07-13T09:15:00Z",
"severity": "HIGH"
},
"details": "This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the \"sandboxed\" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of the host code running the script allowing it to spawn a child_process and execute arbitrary code.",
"id": "GHSA-wf5x-cr3r-xr77",
"modified": "2022-07-22T16:32:45Z",
"published": "2022-07-14T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10761"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/issues/197"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832"
},
{
"type": "WEB",
"url": "https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90"
},
{
"type": "WEB",
"url": "https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a"
},
{
"type": "PACKAGE",
"url": "https://github.com/patriksimek/vm2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-VM2-473188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "vm2 before 3.6.11 vulnerable to sandbox escape"
}
GHSA-WFJV-JM8J-274F
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2026-05-12 12:31A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.
{
"affected": [],
"aliases": [
"CVE-2019-13103"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-29T15:15:00Z",
"severity": "LOW"
},
"details": "A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.",
"id": "GHSA-wfjv-jm8j-274f",
"modified": "2026-05-12T12:31:26Z",
"published": "2022-05-24T16:51:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13103"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-577017.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-618620.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-618620.pdf"
},
{
"type": "WEB",
"url": "https://gist.github.com/deephooloovoo/d91b81a1674b4750e662dfae93804d75"
},
{
"type": "WEB",
"url": "https://github.com/u-boot/u-boot/commits/master"
},
{
"type": "WEB",
"url": "https://lists.denx.de/pipermail/u-boot/2019-July/375512.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFR3-XJ75-PFWH
Vulnerability from github – Published: 2026-06-25 21:22 – Updated: 2026-06-25 21:22Summary
Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStep(ref reader) and do not decrement reader.Depth around recursive deserialization and skip paths.
This means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls reader.Skip() on attacker-controlled data without an enclosing depth step.
Impact
Applications are affected when they deserialize untrusted payloads into object graphs containing [Union]-decorated interfaces or abstract classes handled by DynamicUnionResolver.
An attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits can be bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable StackOverflowException.
This issue is narrower than the general TrySkip() recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. It remains independently fixable because the emitted IL should mirror the depth-step behavior used by source-generated union formatters and dynamic object formatters.
Affected components
- Package:
MessagePack - API:
DynamicUnionResolver.BuildDeserialize - Data types:
[Union]-decorated interface and abstract class hierarchies handled by the dynamic resolver - Finding ID:
MESSAGEPACKCSHARP-070
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should emit DepthStep and matching reader.Depth-- cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.
Workarounds
Patching is recommended.
Until a patched version is available, avoid deserializing untrusted payloads into dynamically resolved [Union] types. Prefer source-generated formatters that include depth checks, where applicable, and enforce outer message-size and schema constraints.
Resources
MESSAGEPACKCSHARP-070: dynamic union deserializer missing depth-step enforcement- CWE-674: Uncontrolled Recursion
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.301"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48513"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:22:52Z",
"nvd_published_at": "2026-06-22T22:16:48Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nRuntime-generated union deserializers emitted by `DynamicUnionResolver` do not call `MessagePackSecurity.DepthStep(ref reader)` and do not decrement `reader.Depth` around recursive deserialization and skip paths.\n\nThis means union deserialization does not consistently participate in the maximum object graph depth enforcement that protects other recursive formatter paths. For unknown union keys, the emitted deserializer calls `reader.Skip()` on attacker-controlled data without an enclosing depth step.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into object graphs containing `[Union]`-decorated interfaces or abstract classes handled by `DynamicUnionResolver`.\n\nAn attacker can provide a union payload with an unknown key and a deeply nested value. Because the generated union formatter does not enter the depth accounting scope before skipping or recursively processing the value, configured depth limits can be bypassed. In combination with recursive skip behavior, this can terminate the process with an uncatchable `StackOverflowException`.\n\nThis issue is narrower than the general `TrySkip()` recursion issue because it specifically concerns a formatter-generation path that fails to count union nesting. It remains independently fixable because the emitted IL should mirror the depth-step behavior used by source-generated union formatters and dynamic object formatters.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `DynamicUnionResolver.BuildDeserialize`\n- Data types: `[Union]`-decorated interface and abstract class hierarchies handled by the dynamic resolver\n- Finding ID: `MESSAGEPACKCSHARP-070`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should emit `DepthStep` and matching `reader.Depth--` cleanup in dynamic union deserializers, consistent with other recursive formatter implementations.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted payloads into dynamically resolved `[Union]` types. Prefer source-generated formatters that include depth checks, where applicable, and enforce outer message-size and schema constraints.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-070`: dynamic union deserializer missing depth-step enforcement\n- CWE-674: Uncontrolled Recursion",
"id": "GHSA-wfr3-xj75-pfwh",
"modified": "2026-06-25T21:22:52Z",
"published": "2026-06-25T21:22:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-wfr3-xj75-pfwh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48513"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MessagePack-CSharp: DynamicUnionResolver-generated deserializers miss depth enforcement"
}
GHSA-WGH7-7M3C-FX25
Vulnerability from github – Published: 2026-03-19 21:30 – Updated: 2026-07-06 13:06Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. In .NET, a StackOverflowException cannot be caught by standard try-catch blocks, resulting in the immediate and ungraceful termination of the entire hosting process.
Scriban utilizes a recursive-descent parser to process template expressions. While the library exposes an ExpressionDepthLimit property in its ParserOptions, this property defaults to null (disabled).
If an application accepts user-supplied templates (or dynamically constructs templates from untrusted input), an attacker can supply thousands of nested parentheses or blocks. As the parser recursively evaluates each nested layer, it consumes thread stack space until it exceeds the limits of the host OS, triggering a fatal crash.
Impact
An attacker can supply crafted input that triggers a StackOverflowException, causing immediate termination of the hosting process and resulting in a Denial of Service. In applications that process untrusted or user-controlled templates (e.g., web applications or APIs), this can be exploited remotely without authentication. The failure is not recoverable, requiring a full process restart and leading to service disruption.
Proof of Concept (PoC)
The following C# code demonstrates the vulnerability. Executing this code will immediately terminate the application process.
using Scriban;
// Creates a deeply nested expression: (((( ... (1) ... ))))
string nested = new string('(', 10000) + "1" + new string(')', 10000);
try {
// This will crash the entire process immediately
Scriban.Template.Parse("{{ " + nested + " }}");
} catch (Exception ex) {
// This catch block will never execute because StackOverflowException
Console.WriteLine("Caught exception: " + ex.Message);
}
Suggested Remediation
Update the ParserOptions constructor (or the internal parser initialization) to set a default value for ExpressionDepthLimit. A limit of 1000 (or even lower, such as 250 or 500) is generally more than enough for legitimate templates while safely preventing stack exhaustion.
public int? ExpressionDepthLimit { get; set; } = 250;
Alternatively, document the risk heavily and warn developers to manually set ExpressionDepthLimit if evaluating untrusted templates, though a secure-by-default approach is strongly preferred.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "scriban"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.5.8"
},
"package": {
"ecosystem": "NuGet",
"name": "Scriban.Signed"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T21:30:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a `StackOverflowException`. In .NET, a `StackOverflowException` cannot be caught by standard `try-catch` blocks, resulting in the immediate and ungraceful termination of the entire hosting process. \n\nScriban utilizes a recursive-descent parser to process template expressions. While the library exposes an `ExpressionDepthLimit` property in its `ParserOptions`, this property defaults to `null` (disabled). \n\nIf an application accepts user-supplied templates (or dynamically constructs templates from untrusted input), an attacker can supply thousands of nested parentheses or blocks. As the parser recursively evaluates each nested layer, it consumes thread stack space until it exceeds the limits of the host OS, triggering a fatal crash.\n\n#### Impact\n\nAn attacker can supply crafted input that triggers a `StackOverflowException`, causing immediate termination of the hosting process and resulting in a Denial of Service. In applications that process untrusted or user-controlled templates (e.g., web applications or APIs), this can be exploited remotely without authentication. The failure is not recoverable, requiring a full process restart and leading to service disruption.\n\n#### Proof of Concept (PoC)\nThe following C# code demonstrates the vulnerability. Executing this code will immediately terminate the application process.\n\n```csharp\nusing Scriban;\n\n// Creates a deeply nested expression: (((( ... (1) ... ))))\nstring nested = new string(\u0027(\u0027, 10000) + \"1\" + new string(\u0027)\u0027, 10000);\n\ntry {\n // This will crash the entire process immediately\n Scriban.Template.Parse(\"{{ \" + nested + \" }}\");\n} catch (Exception ex) {\n // This catch block will never execute because StackOverflowException\n Console.WriteLine(\"Caught exception: \" + ex.Message);\n}\n```\n\n#### Suggested Remediation\n\nUpdate the `ParserOptions` constructor (or the internal parser initialization) to set a default value for `ExpressionDepthLimit`. A limit of `1000` (or even lower, such as `250` or `500`) is generally more than enough for legitimate templates while safely preventing stack exhaustion.\n\n```csharp\npublic int? ExpressionDepthLimit { get; set; } = 250; \n```\nAlternatively, document the risk heavily and warn developers to manually set `ExpressionDepthLimit` if evaluating untrusted templates, though a secure-by-default approach is strongly preferred.",
"id": "GHSA-wgh7-7m3c-fx25",
"modified": "2026-07-06T13:06:02Z",
"published": "2026-03-19T21:30:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/security/advisories/GHSA-wgh7-7m3c-fx25"
},
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/commit/a6fe6074199e5c04f4d29dc8d8e652b24d33e3e4"
},
{
"type": "WEB",
"url": "https://github.com/scriban/scriban/commit/b5ac4bf30459fdc76964e3f751e16f7e96079ea7"
},
{
"type": "PACKAGE",
"url": "https://github.com/scriban/scriban"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)"
}
GHSA-WJM4-HW2R-M766
Vulnerability from github – Published: 2025-04-17 03:30 – Updated: 2025-04-17 03:30VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference='../../../set/set[2]' is used, aka an "insecure deserialization" issue.
{
"affected": [],
"aliases": [
"CVE-2025-43708"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T01:15:46Z",
"severity": "LOW"
},
"details": "VisiCut 2.1 allows stack consumption via an XML document with nested set elements, as demonstrated by a java.util.HashMap StackOverflowError when reference=\u0027../../../set/set[2]\u0027 is used, aka an \"insecure deserialization\" issue.",
"id": "GHSA-wjm4-hw2r-m766",
"modified": "2025-04-17T03:30:30Z",
"published": "2025-04-17T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43708"
},
{
"type": "WEB",
"url": "https://github.com/Gelcon/PoC-of-VisiCut2_1-Stack-Overflow-Vul"
},
{
"type": "WEB",
"url": "https://github.com/t-oster/VisiCut"
},
{
"type": "WEB",
"url": "https://visicut.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-WJWR-9F4Q-Q8H8
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-05-24 16:56In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
{
"affected": [],
"aliases": [
"CVE-2019-11779"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more \u0027/\u0027 characters, i.e. the topic hierarchy separator, then a stack overflow will occur.",
"id": "GHSA-wjwr-9f4q-q8h8",
"modified": "2022-05-24T16:56:28Z",
"published": "2022-05-24T16:56:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11779"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Nov/25"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4137-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4570"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WMHF-FQC8-VXHH
Vulnerability from github – Published: 2026-05-19 20:10 – Updated: 2026-07-06 22:53Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.
Credit
Ori Nakar from Imperva Threat Research Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sqlfluff"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46373"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:10:17Z",
"nvd_published_at": "2026-06-09T23:16:59Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.\n\n### Patches\n\nVersions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.\n\n### Credit\n\nOri Nakar from Imperva Threat Research Team.",
"id": "GHSA-wmhf-fqc8-vxhh",
"modified": "2026-07-06T22:53:18Z",
"published": "2026-05-19T20:10:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46373"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/sqlfluff/PYSEC-2026-209.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sqlfluff/sqlfluff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SQLFluff: Recursive Stack Overflow in Parser"
}
GHSA-WQH3-2WQG-RQ54
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
{
"affected": [],
"aliases": [
"CVE-2019-9904"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T18:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in lib\\cdt\\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\\cgraph\\graph.c in libcgraph.a, related to agfstsubg in lib\\cgraph\\subg.c.",
"id": "GHSA-wqh3-2wqg-rq54",
"modified": "2022-05-13T01:08:56Z",
"published": "2022-05-13T01:08:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9904"
},
{
"type": "WEB",
"url": "https://gitlab.com/graphviz/graphviz/issues/1512"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/stack-buffer-overflow-in-function-agclose-graphviz"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR8R-279J-G4XP
Vulnerability from github – Published: 2025-10-12 15:30 – Updated: 2025-10-12 15:30IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.
{
"affected": [],
"aliases": [
"CVE-2025-33096"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T14:15:36Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.",
"id": "GHSA-wr8r-279j-g4xp",
"modified": "2025-10-12T15:30:16Z",
"published": "2025-10-12T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33096"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7247716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVRR-4W4F-3V54
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
{
"affected": [],
"aliases": [
"CVE-2026-9740"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T23:17:03Z",
"severity": "HIGH"
},
"details": "A vulnerability in MongoDB Server\u0027s BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator\u0027s handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.",
"id": "GHSA-wvrr-4w4f-3v54",
"modified": "2026-06-10T00:31:50Z",
"published": "2026-06-10T00:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9740"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-125063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.