Common Weakness Enumeration

CWE-835

Allowed

Loop with Unreachable Exit Condition ('Infinite Loop')

Abstraction: Base · Status: Incomplete

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

1052 vulnerabilities reference this CWE, most recent first.

GHSA-5F5P-267H-86W3

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30
VLAI
Details

GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:39Z",
    "severity": "MODERATE"
  },
  "details": "GNW protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
  "id": "GHSA-5f5p-267h-86w3",
  "modified": "2026-04-30T09:30:24Z",
  "published": "2026-04-30T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6523"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21177"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-38.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5F8V-5QR6-FHHP

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-14 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure

When ttm_tt_swapout() fails, the current code calls ttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail() to restore the resource's bulk_move membership.

However, ttm_resource_move_to_lru_tail() places the resource at the tail of the LRU list which, relative to the walk cursor's hitch node (placed immediately after the resource when it was yielded), puts the resource in front of the the hitch. The next list_for_each_entry_continue() from the hitch finds the same resource again, causing an infinite loop.

Fix by deferring del_bulk_move to the success path only.

On the success path, TTM_TT_FLAG_SWAPPED has just been set by ttm_tt_swapout() but the resource is still tracked in the bulk_move range, so ttm_resource_del_bulk_move()'s !ttm_resource_unevictable() guard would incorrectly skip the removal. Introduce ttm_resource_del_bulk_move_unevictable() which bypasses that guard.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: Fix ttm_bo_swapout() infinite LRU walk on swapout failure\n\nWhen ttm_tt_swapout() fails, the current code calls\nttm_resource_add_bulk_move() followed by ttm_resource_move_to_lru_tail()\nto restore the resource\u0027s bulk_move membership.\n\nHowever, ttm_resource_move_to_lru_tail() places the resource at the tail\nof the LRU list which, relative to the walk cursor\u0027s hitch node (placed\nimmediately after the resource when it was yielded), puts the resource\n*in front of the* the hitch. The next list_for_each_entry_continue() from\nthe hitch finds the same resource again, causing an infinite loop.\n\nFix by deferring del_bulk_move to the success path only.\n\nOn the success path, TTM_TT_FLAG_SWAPPED has just been set by\nttm_tt_swapout() but the resource is still tracked in the bulk_move range,\nso ttm_resource_del_bulk_move()\u0027s !ttm_resource_unevictable() guard would\nincorrectly skip the removal. Introduce\nttm_resource_del_bulk_move_unevictable() which bypasses that guard.",
  "id": "GHSA-5f8v-5qr6-fhhp",
  "modified": "2026-07-14T21:31:26Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52965"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0124a09e3e5f5f6080efe9663b27af27933f8382"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2ed01e7ad3de80333e9b962a44024b094bc0b2b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GMM-5672-7W8F

Vulnerability from github – Published: 2022-09-07 00:01 – Updated: 2022-09-10 00:00
VLAI
Details

A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.dll may go into an infinite loop when unpacking PE files. It is possible that this can crash the scanning engine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Denial-of-Service vulnerability was discovered in the F-Secure and WithSecure products where aerdl.dll may go into an infinite loop when unpacking PE files. It is possible that this can crash the scanning engine.",
  "id": "GHSA-5gmm-5672-7w8f",
  "modified": "2022-09-10T00:00:30Z",
  "published": "2022-09-07T00:01:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28884"
    },
    {
      "type": "WEB",
      "url": "https://www.withsecure.com/en/expertise/people"
    },
    {
      "type": "WEB",
      "url": "https://www.withsecure.com/en/support/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5GWR-VQFX-WJ2M

Vulnerability from github – Published: 2025-12-03 09:31 – Updated: 2025-12-03 09:31
VLAI
Details

MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13946"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-03T08:15:48Z",
    "severity": "MODERATE"
  },
  "details": "MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0 to 4.4.11 allows denial of service",
  "id": "GHSA-5gwr-vqfx-wj2m",
  "modified": "2025-12-03T09:31:12Z",
  "published": "2025-12-03T09:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13946"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/20884"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2025-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5H4J-QRVG-9XHW

Vulnerability from github – Published: 2023-02-16 18:44 – Updated: 2023-02-16 21:52
VLAI
Summary
Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
Details

Description

When using the non-default "fallback" crypto back-end, ECC operations in node-jose can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation. For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input.

Technical summary

The JOSE logic implemented by node-jose usually relies on an external cryptographic library for the underlying cryptographic primitives that JOSE operations require. When WebCrypto or the Node crypto module are available, they are used. When neither of these libraries is available, node-jose includes its own "fallback" implementations of some algorithms based on node-forge, in particular implementations of ECDH and ECDSA.

A various points, these algorithm implementations need to compute to the X coordinate of an elliptic curve point. This is done by calling the getX() method of the object representing the point, which is an alias of the function pointFpGetX() in lib/deps/ecc/math.js.

Computing the X coordinate from the form in which the point is stored requires computing the modular inverse of the Z coordinate, using the modInverse function from the jsbn library (e.g., this.z.modInverse(this.curve.p)). The output of this function call is multiplied by another value before being reduced with the barrettReduce() function.

The root cause of this issue is that the jsbn modInverse function sometimes returns negative results. These results are correct in that they are equivalent mod the relevant modulus, but can be problematic for functions that expect modular operations to always return positive results (in the range [0, p), where p is the modulus).

In particular, while the Barrett reduction algorithm in general can handle negative inputs, the implementation in node-jose explicitly does not. Therefore, while the negative value that is returned by modInverse() is mathematically correct, it leads to an error in barrettReduce() causing an infinite loop which may result in a Denial of Service condition.

For a given prime modulus, we estimate that roughly one in every 2^20 inputs produce a negative modInverse(). This estimate was validated with exhaustive testing on small primes (<30 bits) and randomized testing with regard to the P-256 prime.

Impact

This issue is only present in situations where the "fallback" cryptographic implementation is being used, i.e., situations where neither WebCrypto nor the Node crypto module is available.

The following elliptic curve algorithms are impacted by this issue (all in lib/deps/ecc/index.js):

  • Elliptic curve key generation (exports.generateKeyPair)
  • Converting an elliptic curve private key to a public key (ECPrivateKey.prototype.toPublicKey)
  • ECDSA signing (ECPrivateKey.prototype.sign)
  • ECDSA verification (ECPublicKey.prototype.verify)
  • ECDH key agreement (ECPrivateKey.prototype.computeSecret)

In the first three cases, the points being evaluated are generated randomly, so an attack could only arise due to a bad value being randomly selected (as noted above, with probability roughly 2^{-20}). In the latter two cases, the points being evaluated are provided from outside the library, and thus potentially by attackers.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Since this issue is only present in the "fallback" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node crypto module is available in the JS environment where node-jose is being run.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in cisco/node-jose * Email Cisco open source security

Credits

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25653"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-16T18:44:47Z",
    "nvd_published_at": "2023-02-16T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nWhen using the non-default \"fallback\" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) condition, due to a possible infinite loop in an internal calculation.  For some ECC operations, this condition is triggered randomly; for others, it can be triggered by malicious input.\n\n#### Technical summary\n\nThe JOSE logic implemented by `node-jose` usually relies on an external cryptographic library for the underlying cryptographic primitives that JOSE operations require.  When WebCrypto or the Node `crypto` module are available, they are used.  When neither of these libraries is available, `node-jose` includes its own \"fallback\" implementations of some algorithms based on `node-forge`, in particular implementations of ECDH and ECDSA. \n\nA various points, these algorithm implementations need to compute to the X coordinate of an elliptic curve point.  This is done by calling the `getX()` method of the object representing the point, which is an alias of the function `pointFpGetX()` in `lib/deps/ecc/math.js`.\n\nComputing the X coordinate from the form in which the point is stored requires computing the modular inverse of the Z coordinate, using the `modInverse` function from the `jsbn` library (e.g., `this.z.modInverse(this.curve.p)`).  The output of this function call is multiplied by another value before being reduced with the `barrettReduce()` function.\n\nThe root cause of this issue is that the `jsbn` `modInverse` function sometimes returns negative results.  These results are correct in that they are equivalent mod the relevant modulus, but can be problematic for functions that expect modular operations to always return positive results (in the range `[0, p)`, where `p` is the modulus).\n\nIn particular, while the Barrett reduction algorithm in general can handle negative inputs, the implementation in `node-jose` explicitly does not. Therefore, while the negative value that is returned by `modInverse()` is mathematically correct, it leads to an error in `barrettReduce()` causing an infinite loop which may result in a Denial of Service condition.\n\nFor a given prime modulus, we estimate that roughly one in every `2^20` inputs produce a negative `modInverse()`.  This estimate was validated with exhaustive testing on small primes (\u003c30 bits) and randomized testing with regard to the P-256 prime.\n\n### Impact\n\nThis issue is only present in situations where the \"fallback\" cryptographic implementation is being used, i.e., situations where neither WebCrypto nor the Node `crypto` module is available.\n\nThe following elliptic curve algorithms are impacted by this issue (all in `lib/deps/ecc/index.js`):\n\n- Elliptic curve key generation (`exports.generateKeyPair`)\n- Converting an elliptic curve private key to a public key (`ECPrivateKey.prototype.toPublicKey`)\n- ECDSA signing (`ECPrivateKey.prototype.sign`)\n- ECDSA verification (`ECPublicKey.prototype.verify`)\n- ECDH key agreement (`ECPrivateKey.prototype.computeSecret`)\n\nIn the first three cases, the points being evaluated are generated randomly, so an attack could only arise due to a bad value being randomly selected (as noted above, with probability roughly `2^{-20}`).  In the latter two cases, the points being evaluated are provided from outside the library, and thus potentially by attackers.\n\n### Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\n### Workarounds\n\nSince this issue is only present in the \"fallback\" crypto implementation, it can be avoided by ensuring that either WebCrypto or the Node `crypto` module is available in the JS environment where `node-jose` is being run.\n\n### References\n\n- [Barrett reduction on Wikipedia](https://en.wikipedia.org/wiki/Barrett_reduction)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [cisco/node-jose](https://github.com/cisco/node-jose/issues)\n* Email [Cisco open source security](mailto:oss-security@cisco.com)\n\n### Credits\n\n- Research and disclosure: BlackBerry\n- Fix implementation: [Richard Barnes (@bifurcation)](https://github.com/bifurcation)\n- Release engineering: [Stephen Augustus (@justaugustus)](https://github.com/justaugustus)\n",
  "id": "GHSA-5h4j-qrvg-9xhw",
  "modified": "2023-02-16T21:52:40Z",
  "published": "2023-02-16T18:44:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisco/node-jose/commit/901d91508a70e3b9bdfc45688ea07bb4e1b8210d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cisco/node-jose"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)"
}

GHSA-5J63-8Q43-CHWW

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netlink: avoid infinite retry looping in netlink_unicast()

netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has:

rmem < READ_ONCE(sk->sk_rcvbuf)

to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under:

rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)

The checks don't cover the case when skb->truesize + sk->sk_rmem_alloc is equal to sk->sk_rcvbuf. Thus the function neither successfully accepts these conditions, nor manages to reschedule the task - and is called in retry loop for indefinite time which is caught as:

rcu: INFO: rcu_sched self-detected stall on CPU rcu: 0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212 (t=26000 jiffies g=230833 q=259957) NMI backtrace for cpu 0 CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014 Call Trace: dump_stack lib/dump_stack.c:120 nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62 rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335 rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590 update_process_times kernel/time/timer.c:1953 tick_sched_handle kernel/time/tick-sched.c:227 tick_sched_timer kernel/time/tick-sched.c:1399 __hrtimer_run_queues kernel/time/hrtimer.c:1652 hrtimer_interrupt kernel/time/hrtimer.c:1717 __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113 asm_call_irq_on_stack arch/x86/entry/entry_64.S:808

netlink_attachskb net/netlink/af_netlink.c:1234 netlink_unicast net/netlink/af_netlink.c:1349 kauditd_send_queue kernel/audit.c:776 kauditd_thread kernel/audit.c:897 kthread kernel/kthread.c:328 ret_from_fork arch/x86/entry/entry_64.S:304

Restore the original behavior of the check which commit in Fixes accidentally missed when restructuring the code.

Found by Linux Verification Center (linuxtesting.org).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T16:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_unicast()\n\nnetlink_attachskb() checks for the socket\u0027s read memory allocation\nconstraints. Firstly, it has:\n\n  rmem \u003c READ_ONCE(sk-\u003esk_rcvbuf)\n\nto check if the just increased rmem value fits into the socket\u0027s receive\nbuffer. If not, it proceeds and tries to wait for the memory under:\n\n  rmem + skb-\u003etruesize \u003e READ_ONCE(sk-\u003esk_rcvbuf)\n\nThe checks don\u0027t cover the case when skb-\u003etruesize + sk-\u003esk_rmem_alloc is\nequal to sk-\u003esk_rcvbuf. Thus the function neither successfully accepts\nthese conditions, nor manages to reschedule the task - and is called in\nretry loop for indefinite time which is caught as:\n\n  rcu: INFO: rcu_sched self-detected stall on CPU\n  rcu:     0-....: (25999 ticks this GP) idle=ef2/1/0x4000000000000000 softirq=262269/262269 fqs=6212\n  (t=26000 jiffies g=230833 q=259957)\n  NMI backtrace for cpu 0\n  CPU: 0 PID: 22 Comm: kauditd Not tainted 5.10.240 #68\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc42 04/01/2014\n  Call Trace:\n  \u003cIRQ\u003e\n  dump_stack lib/dump_stack.c:120\n  nmi_cpu_backtrace.cold lib/nmi_backtrace.c:105\n  nmi_trigger_cpumask_backtrace lib/nmi_backtrace.c:62\n  rcu_dump_cpu_stacks kernel/rcu/tree_stall.h:335\n  rcu_sched_clock_irq.cold kernel/rcu/tree.c:2590\n  update_process_times kernel/time/timer.c:1953\n  tick_sched_handle kernel/time/tick-sched.c:227\n  tick_sched_timer kernel/time/tick-sched.c:1399\n  __hrtimer_run_queues kernel/time/hrtimer.c:1652\n  hrtimer_interrupt kernel/time/hrtimer.c:1717\n  __sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1113\n  asm_call_irq_on_stack arch/x86/entry/entry_64.S:808\n  \u003c/IRQ\u003e\n\n  netlink_attachskb net/netlink/af_netlink.c:1234\n  netlink_unicast net/netlink/af_netlink.c:1349\n  kauditd_send_queue kernel/audit.c:776\n  kauditd_thread kernel/audit.c:897\n  kthread kernel/kthread.c:328\n  ret_from_fork arch/x86/entry/entry_64.S:304\n\nRestore the original behavior of the check which commit in Fixes\naccidentally missed when restructuring the code.\n\nFound by Linux Verification Center (linuxtesting.org).",
  "id": "GHSA-5j63-8q43-chww",
  "modified": "2026-07-14T15:31:27Z",
  "published": "2025-09-05T18:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38727"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/346c820ef5135cf062fa3473da955ef8c5fb6929"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44ddd7b1ae0b7edb2c832eb16798c827a05e58f0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47d49fd07f86d1f55ea1083287303d237e9e0922"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bee383ff83352a693d03efdf27cdd80742f71b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/759dfc7d04bab1b0b86113f1164dc1fec192b859"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/78fcd69d55c5f11d7694c547eca767a1cfd38ec4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d42b71a34f6b8a2d5c53df81169b03b8d8b5cf4e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8edc7de688791a337c068693f22e8d8b869df71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f324959ad47e62e3cadaffa65d3cff790fb48529"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JQP-QGF6-3PVH

Vulnerability from github – Published: 2021-05-13 20:23 – Updated: 2026-06-09 13:01
VLAI
Summary
Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic
Details

Impact

Passing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU). Patches

Pydantic is be patched with fixes available in the following versions:

v1.8.2
v1.7.4
v1.6.2

All these versions are available on pypi, and will be available on conda-forge soon.

See the changelog for details. Workarounds

If you absolutely can't upgrade, you can work around this risk using a validator to catch these values, brief demo:

from datetime import date from pydantic import BaseModel, validator

class DemoModel(BaseModel): date_of_birth: date

@validator('date_of_birth', pre=True)
def skip_infinite_values(cls, v):
    try:
        seconds = float(v)
    except (ValueError, TypeError):
        return v
    else:
        if seconds == float('inf'):
            return date.max
        elif seconds == float('-inf'):
            return date.min
        else:
            return seconds

Note: this is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic.

If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic. References

This was fixed in commit 7e83fdd.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pydantic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pydantic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pydantic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-13T18:54:35Z",
    "nvd_published_at": "2021-05-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Impact\n\nPassing either \u0027infinity\u0027, \u0027inf\u0027 or float(\u0027inf\u0027) (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU).\nPatches\n\nPydantic is be patched with fixes available in the following versions:\n\n    v1.8.2\n    v1.7.4\n    v1.6.2\n\nAll these versions are available on pypi, and will be available on conda-forge soon.\n\nSee the changelog for details.\nWorkarounds\n\nIf you absolutely can\u0027t upgrade, you can work around this risk using a validator to catch these values, brief demo:\n\nfrom datetime import date\nfrom pydantic import BaseModel, validator\n\nclass DemoModel(BaseModel):\n    date_of_birth: date\n\n    @validator(\u0027date_of_birth\u0027, pre=True)\n    def skip_infinite_values(cls, v):\n        try:\n            seconds = float(v)\n        except (ValueError, TypeError):\n            return v\n        else:\n            if seconds == float(\u0027inf\u0027):\n                return date.max\n            elif seconds == float(\u0027-inf\u0027):\n                return date.min\n            else:\n                return seconds\n\nNote: this is not an ideal solution (in particular you\u0027ll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic.\n\nIf you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.\nReferences\n\nThis was fixed in commit 7e83fdd.",
  "id": "GHSA-5jqp-qgf6-3pvh",
  "modified": "2026-06-09T13:01:00Z",
  "published": "2021-05-13T20:23:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pydantic/pydantic/commit/1c24f1d74ba95ea985b50bdc001ce96c813229aa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pydantic/pydantic/commit/80e0dd3f752bef145dce12f160d262bb40ec8d47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pydantic/pydantic/commit/bdde15b7b947c94ca00fd6eb92da8db390a13520"
    },
    {
      "type": "WEB",
      "url": "https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pydantic/pydantic"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pydantic/PYSEC-2021-47.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S2HT266L6Q7H6ICP7DFGXOGBJHNNKMKB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEFWM7DYKD2ZHE7R5YT5EQWJPV4ZKYRB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMKAJX4O6IGBBCE32CO2G7PZQCCQSBLV"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Use of \"infinity\" as an input to datetime and date fields causes infinite loop in pydantic"
}

GHSA-5M6G-CJGH-P8QJ

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:38
VLAI
Details

In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was addressed in epan/dissectors/packet-dcm.c by validating a length value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-02T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector has an infinite loop. This was addressed in epan/dissectors/packet-dcm.c by validating a length value.",
  "id": "GHSA-5m6g-cjgh-p8qj",
  "modified": "2025-04-20T03:38:24Z",
  "published": "2022-05-13T01:47:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9349"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1329"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=cb1b6494c44c9e939d9e2554de6b812de395e3f9"
    },
    {
      "type": "WEB",
      "url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cb1b6494c44c9e939d9e2554de6b812de395e3f9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2017-27.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98803"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5M6Q-G25R-MVWX

Vulnerability from github – Published: 2026-03-26 21:57 – Updated: 2026-03-27 21:50
VLAI
Summary
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Details

Summary

A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Affected Package

Package name: node-forge (npm: node-forge) Repository: https://github.com/digitalbazaar/forge Affected versions: All versions (including latest) Affected file: lib/jsbn.js, function bnModInverse() Root cause component: Bundled copy of the jsbn (JavaScript Big Number) library

Vulnerability Details

Type: Denial of Service (DoS) CWE: CWE-835 (Loop with Unreachable Exit Condition) Attack vector: Network (if the application processes untrusted input that reaches modInverse) Privileges required: None User interaction: None Impact: Availability (process hangs indefinitely) Suggested CVSS v3.1 score: 5.3–7.5 (depending on the context of usage)

Root Cause Analysis

The BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m. Mathematically, the modular inverse of 0 does not exist — gcd(0, m) = m ≠ 1 for any m > 1. However, the implementation does not check whether the input value is zero before entering the algorithm's main loop. When this equals 0, the algorithm's loop condition is never satisfied for termination, resulting in an infinite loop. The relevant code path in lib/jsbn.js:

javascriptfunction bnModInverse(m) {
  // ... setup ...
  // No check for this == 0
  // Enters Extended Euclidean Algorithm loop that never terminates when this == 0
}

Attack Scenario

Any application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:

DSA/ECDSA signature verification — A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang. Custom RSA or Diffie-Hellman implementations — Applications performing modular arithmetic with user-supplied parameters. Any cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().

A single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.

Proof of Concept

Environment Setup

mkdir forge-poc && cd forge-poc
npm init -y
npm install node-forge

Reproduction (poc.js) A single script that safely detects the vulnerability using a child process with timeout. The parent process is never at risk of hanging.

mkdir forge-poc && cd forge-poc
npm init -y
npm install node-forge
# Save the script below as poc.js, then run:
node poc.js
'use strict';
const { spawnSync } = require('child_process');

const childCode = `
  const forge = require('node-forge');
  // jsbn may not be auto-loaded; try explicit require if needed
  if (!forge.jsbn) {
    try { require('node-forge/lib/jsbn'); } catch(e) {}
  }
  if (!forge.jsbn || !forge.jsbn.BigInteger) {
    console.error('ERROR: forge.jsbn.BigInteger not available');
    process.exit(2);
  }
  const BigInteger = forge.jsbn.BigInteger;
  const zero = new BigInteger('0', 10);
  const mod = new BigInteger('3', 10);
  // This call should throw or return 0, but instead loops forever
  const inv = zero.modInverse(mod);
  console.log('returned: ' + inv.toString());
`;

console.log('[*] Testing: BigInteger(0).modInverse(3)');
console.log('[*] Expected: throw an error or return quickly');
console.log('[*] Spawning child process with 5s timeout...');
console.log();

const result = spawnSync(process.execPath, ['-e', childCode], {
  encoding: 'utf8',
  timeout: 5000,
});

if (result.error && result.error.code === 'ETIMEDOUT') {
  console.log('[VULNERABLE] Child process timed out after 5s');
  console.log('  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)');
  process.exit(0);
}

if (result.status === 2) {
  console.log('[ERROR] Could not access BigInteger:', result.stderr.trim());
  console.log('  -> Check your node-forge installation');
  process.exit(1);
}

if (result.status === 0) {
  console.log('[NOT VULNERABLE] modInverse returned:', result.stdout.trim());
  process.exit(1);
}

console.log('[NOT VULNERABLE] Child exited with error (status ' + result.status + ')');
if (result.stderr) console.log('  stderr:', result.stderr.trim());
process.exit(1);

Expected Output

[*] Testing: BigInteger(0).modInverse(3)
[*] Expected: throw an error or return quickly
[*] Spawning child process with 5s timeout...

[VULNERABLE] Child process timed out after 5s
  -> modInverse(0, 3) entered an infinite loop (DoS confirmed)
Verified On

node-forge v1.3.1 (latest at time of writing) Node.js v18.x / v20.x / v22.x macOS / Linux / Windows

Impact

Availability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests. Scope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.

Suggested Fix

Add a zero-value check at the entry of bnModInverse() in lib/jsbn.js:

function bnModInverse(m) {
  var ac = m.isEven();
  // Add this check:
  if (this.signum() == 0) {
    throw new Error('BigInteger has no modular inverse: input is zero');
  }
  // ... rest of the existing implementation ...
}

Alternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java's BigInteger.modInverse() throws ArithmeticException).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-forge"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T21:57:48Z",
    "nvd_published_at": "2026-03-27T21:17:25Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU.\nAffected Package\n\nPackage name: node-forge (npm: node-forge)\nRepository: https://github.com/digitalbazaar/forge\nAffected versions: All versions (including latest)\nAffected file: lib/jsbn.js, function bnModInverse()\nRoot cause component: Bundled copy of the jsbn (JavaScript Big Number) library\n\n## Vulnerability Details\n\nType: Denial of Service (DoS)\nCWE: CWE-835 (Loop with Unreachable Exit Condition)\nAttack vector: Network (if the application processes untrusted input that reaches modInverse)\nPrivileges required: None\nUser interaction: None\nImpact: Availability (process hangs indefinitely)\nSuggested CVSS v3.1 score: 5.3\u20137.5 (depending on the context of usage)\n\n## Root Cause Analysis\n\nThe BigInteger.prototype.modInverse(m) function in lib/jsbn.js implements the Extended Euclidean Algorithm to compute the modular multiplicative inverse of this modulo m.\nMathematically, the modular inverse of 0 does not exist \u2014 gcd(0, m) = m \u2260 1 for any m \u003e 1. However, the implementation does not check whether the input value is zero before entering the algorithm\u0027s main loop. When this equals 0, the algorithm\u0027s loop condition is never satisfied for termination, resulting in an infinite loop.\nThe relevant code path in lib/jsbn.js:\n```js\njavascriptfunction bnModInverse(m) {\n  // ... setup ...\n  // No check for this == 0\n  // Enters Extended Euclidean Algorithm loop that never terminates when this == 0\n}\n```\n\n## Attack Scenario\n\nAny application using node-forge that passes attacker-controlled or untrusted input to a code path involving modInverse() is vulnerable. Potential attack surfaces include:\n\nDSA/ECDSA signature verification \u2014 A crafted signature with s = 0 would trigger s.modInverse(q), causing the verifier to hang.\nCustom RSA or Diffie-Hellman implementations \u2014 Applications performing modular arithmetic with user-supplied parameters.\nAny cryptographic protocol where an attacker can influence a value that is subsequently passed to modInverse().\n\nA single malicious request can cause the Node.js event loop to block indefinitely, rendering the entire application unresponsive.\n\n## Proof of Concept\n\nEnvironment Setup\n```bash\nmkdir forge-poc \u0026\u0026 cd forge-poc\nnpm init -y\nnpm install node-forge\n```\nReproduction (poc.js)\nA single script that safely detects the vulnerability using a child process with timeout. The parent process is never at risk of hanging.\n```bash\nmkdir forge-poc \u0026\u0026 cd forge-poc\nnpm init -y\nnpm install node-forge\n# Save the script below as poc.js, then run:\nnode poc.js\n```\n```javascript\n\u0027use strict\u0027;\nconst { spawnSync } = require(\u0027child_process\u0027);\n\nconst childCode = `\n  const forge = require(\u0027node-forge\u0027);\n  // jsbn may not be auto-loaded; try explicit require if needed\n  if (!forge.jsbn) {\n    try { require(\u0027node-forge/lib/jsbn\u0027); } catch(e) {}\n  }\n  if (!forge.jsbn || !forge.jsbn.BigInteger) {\n    console.error(\u0027ERROR: forge.jsbn.BigInteger not available\u0027);\n    process.exit(2);\n  }\n  const BigInteger = forge.jsbn.BigInteger;\n  const zero = new BigInteger(\u00270\u0027, 10);\n  const mod = new BigInteger(\u00273\u0027, 10);\n  // This call should throw or return 0, but instead loops forever\n  const inv = zero.modInverse(mod);\n  console.log(\u0027returned: \u0027 + inv.toString());\n`;\n\nconsole.log(\u0027[*] Testing: BigInteger(0).modInverse(3)\u0027);\nconsole.log(\u0027[*] Expected: throw an error or return quickly\u0027);\nconsole.log(\u0027[*] Spawning child process with 5s timeout...\u0027);\nconsole.log();\n\nconst result = spawnSync(process.execPath, [\u0027-e\u0027, childCode], {\n  encoding: \u0027utf8\u0027,\n  timeout: 5000,\n});\n\nif (result.error \u0026\u0026 result.error.code === \u0027ETIMEDOUT\u0027) {\n  console.log(\u0027[VULNERABLE] Child process timed out after 5s\u0027);\n  console.log(\u0027  -\u003e modInverse(0, 3) entered an infinite loop (DoS confirmed)\u0027);\n  process.exit(0);\n}\n\nif (result.status === 2) {\n  console.log(\u0027[ERROR] Could not access BigInteger:\u0027, result.stderr.trim());\n  console.log(\u0027  -\u003e Check your node-forge installation\u0027);\n  process.exit(1);\n}\n\nif (result.status === 0) {\n  console.log(\u0027[NOT VULNERABLE] modInverse returned:\u0027, result.stdout.trim());\n  process.exit(1);\n}\n\nconsole.log(\u0027[NOT VULNERABLE] Child exited with error (status \u0027 + result.status + \u0027)\u0027);\nif (result.stderr) console.log(\u0027  stderr:\u0027, result.stderr.trim());\nprocess.exit(1);\n```\nExpected Output\n```\n[*] Testing: BigInteger(0).modInverse(3)\n[*] Expected: throw an error or return quickly\n[*] Spawning child process with 5s timeout...\n\n[VULNERABLE] Child process timed out after 5s\n  -\u003e modInverse(0, 3) entered an infinite loop (DoS confirmed)\nVerified On\n```\n\nnode-forge v1.3.1 (latest at time of writing)\nNode.js v18.x / v20.x / v22.x\nmacOS / Linux / Windows\n\n## Impact\n\nAvailability: An attacker can cause a complete Denial of Service by sending a single crafted input that reaches the modInverse() code path. The Node.js process will hang indefinitely, blocking the event loop and making the application unresponsive to all subsequent requests.\nScope: node-forge is a widely used cryptographic library with millions of weekly downloads on npm. Any application that processes untrusted cryptographic parameters through node-forge may be affected.\n\n## Suggested Fix\n\nAdd a zero-value check at the entry of bnModInverse() in lib/jsbn.js:\n```javascript\nfunction bnModInverse(m) {\n  var ac = m.isEven();\n  // Add this check:\n  if (this.signum() == 0) {\n    throw new Error(\u0027BigInteger has no modular inverse: input is zero\u0027);\n  }\n  // ... rest of the existing implementation ...\n}\n```\nAlternatively, return BigInteger.ZERO if that behavior is preferred, though throwing an error is more mathematically correct and consistent with other BigInteger implementations (e.g., Java\u0027s BigInteger.modInverse() throws ArithmeticException).",
  "id": "GHSA-5m6q-g25r-mvwx",
  "modified": "2026-03-27T21:50:24Z",
  "published": "2026-03-26T21:57:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/digitalbazaar/forge/commit/9bb8d67b99d17e4ebb5fd7596cd699e11f25d023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalbazaar/forge"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input"
}

GHSA-5M98-QGG9-WH84

Vulnerability from github – Published: 2024-05-03 17:29 – Updated: 2025-11-03 22:46
VLAI
Summary
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
Details

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.


For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@@ -338,6 +338,8 @@ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk

     async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in: https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19 https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597 https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-30251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-03T17:29:54Z",
    "nvd_published_at": "2024-05-02T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.\n\n### Impact\nAn attacker can stop the application from serving requests after sending a single request.\n\n-------\n\nFor anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):\n\n```diff\ndiff --git a/aiohttp/multipart.py b/aiohttp/multipart.py\nindex 227be605c..71fc2654a 100644\n--- a/aiohttp/multipart.py\n+++ b/aiohttp/multipart.py\n@@ -338,6 +338,8 @@ class BodyPartReader:\n         assert self._length is not None, \"Content-Length required for chunked read\"\n         chunk_size = min(size, self._length - self._read_bytes)\n         chunk = await self._content.read(chunk_size)\n+        if self._content.at_eof():\n+            self._at_eof = True\n         return chunk\n \n     async def _read_chunk_from_stream(self, size: int) -\u003e bytes:\n```\n\nThis does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:\nhttps://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19\nhttps://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597\nhttps://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866",
  "id": "GHSA-5m98-qgg9-wh84",
  "modified": "2025-11-03T22:46:13Z",
  "published": "2024-05-03T17:29:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiohttp"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/05/02/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.