CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-PQ8H-22GG-VPMW
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-10-29 12:00In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.
{
"affected": [],
"aliases": [
"CVE-2020-12100"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-12T16:15:00Z",
"severity": "MODERATE"
},
"details": "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.",
"id": "GHSA-pq8h-22gg-vpmw",
"modified": "2022-10-29T12:00:36Z",
"published": "2022-05-24T17:25:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12100"
},
{
"type": "WEB",
"url": "https://dovecot.org/security"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202009-02"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4456-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4456-2"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4745"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/Jan/18"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/08/12/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/01/04/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQHP-25J4-6HQ9
Vulnerability from github – Published: 2024-11-22 20:40 – Updated: 2024-11-22 20:40Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.
The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.
Proof of concept
require("smol-toml").parse("e=" + "{e=".repeat(9999) + "{}" + "}".repeat(9999))
Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.
Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.
As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.
Patches
Version 1.3.1 offers a mechanism to limit the exploration depth before halting with a TomlError when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.
Please note that the parser will still throw an error upon such cases. It is, however, a now-controlled and documented behavior of the library.
Workarounds
Wrap all invocations of parse and stringify in a try/catch block.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.3.0"
},
"package": {
"ecosystem": "npm",
"name": "smol-toml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-22T20:40:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAn attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.\n\nThe library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.\n\n### Proof of concept\n```js\nrequire(\"smol-toml\").parse(\"e=\" + \"{e=\".repeat(9999) + \"{}\" + \"}\".repeat(9999))\n```\n\n### Impact\nApplications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.\n\nDue to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.\n\nAs a reminder, it is **strongly** advised when working with untrusted user input to expect errors to occur and to appropriately catch them.\n\n### Patches\nVersion 1.3.1 offers a mechanism to limit the exploration depth before halting with a `TomlError` when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.\n\n**Please note that the parser will *still* throw an error upon such cases.** It is, however, a now-controlled and documented behavior of the library.\n\n### Workarounds\nWrap all invocations of `parse` and `stringify` in a try/catch block.",
"id": "GHSA-pqhp-25j4-6hq9",
"modified": "2024-11-22T20:40:49Z",
"published": "2024-11-22T20:40:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-pqhp-25j4-6hq9"
},
{
"type": "WEB",
"url": "https://github.com/squirrelchat/smol-toml/commit/405108ba090f0fc78f99aa2f0d6721e499b0ff27"
},
{
"type": "PACKAGE",
"url": "https://github.com/squirrelchat/smol-toml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables"
}
GHSA-PVVG-CG5R-2Q8V
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2019-9143"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-25T15:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
"id": "GHSA-pvvg-cg5r-2q8v",
"modified": "2022-05-13T01:23:02Z",
"published": "2022-05-13T01:23:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9143"
},
{
"type": "WEB",
"url": "https://github.com/Exiv2/exiv2/issues/711"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2imageprinttiffstructure-exiv2-0-27"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107161"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWF9-Q62P-V7WC
Vulnerability from github – Published: 2025-03-16 06:30 – Updated: 2025-03-18 21:06Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.squareup.wire:wire-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-58103"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-18T21:06:13Z",
"nvd_published_at": "2025-03-16T04:15:12Z",
"severity": "MODERATE"
},
"details": "Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.",
"id": "GHSA-pwf9-q62p-v7wc",
"modified": "2025-03-18T21:06:13Z",
"published": "2025-03-16T06:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58103"
},
{
"type": "WEB",
"url": "https://github.com/square/wire/commit/b90e60c09befaff836a2fc2ee4d678451b2ec75d"
},
{
"type": "PACKAGE",
"url": "https://github.com/square/wire"
},
{
"type": "WEB",
"url": "https://github.com/square/wire/compare/5.1.0...5.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Wire has Uncontrolled Recursion on Nested Groups"
}
GHSA-PWR2-4V36-6QPR
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 22:06orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "orjson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27454"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-26T21:31:06Z",
"nvd_published_at": "2024-02-26T16:28:00Z",
"severity": "HIGH"
},
"details": "orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.",
"id": "GHSA-pwr2-4v36-6qpr",
"modified": "2024-02-26T22:06:16Z",
"published": "2024-02-26T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27454"
},
{
"type": "WEB",
"url": "https://github.com/ijl/orjson/issues/458"
},
{
"type": "WEB",
"url": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e"
},
{
"type": "PACKAGE",
"url": "https://github.com/ijl/orjson"
},
{
"type": "WEB",
"url": "https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/orjson/PYSEC-2024-40.yaml"
},
{
"type": "WEB",
"url": "https://monicz.dev/CVE-2024-27454"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "orjson does not limit recursion for deeply nested JSON documents"
}
GHSA-Q2RR-FHP3-V3J2
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. When parsing labels in mDNS packets, the firewall unsafely handles label compression pointers, leading to an uncontrolled recursion that eventually exhausts the stack, crashing the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-4002"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-31T21:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. When parsing labels in mDNS packets, the firewall unsafely handles label compression pointers, leading to an uncontrolled recursion that eventually exhausts the stack, crashing the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.",
"id": "GHSA-q2rr-fhp3-v3j2",
"modified": "2022-05-24T17:00:08Z",
"published": "2022-05-24T17:00:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4002"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0671"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q4QJ-V923-5HMH
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows stack consumption via recursive function calls during the handling of XFA forms or link objects.
{
"affected": [],
"aliases": [
"CVE-2021-38569"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T22:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows stack consumption via recursive function calls during the handling of XFA forms or link objects.",
"id": "GHSA-q4qj-v923-5hmh",
"modified": "2022-05-24T19:11:01Z",
"published": "2022-05-24T19:11:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38569"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q5GR-H5MJ-HP63
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2024-08-15 15:30An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.
{
"affected": [],
"aliases": [
"CVE-2020-28242"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-06T06:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.",
"id": "GHSA-q5gr-h5mj-hp63",
"modified": "2024-08-15T15:30:52Z",
"published": "2022-05-24T17:33:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28242"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB"
},
{
"type": "WEB",
"url": "http://downloads.asterisk.org/pub/security/AST-2020-002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q6G2-G7F3-RR83
Vulnerability from github – Published: 2023-03-22 06:30 – Updated: 2023-03-30 01:01An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.jettison:jettison"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1436"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-22T21:23:09Z",
"nvd_published_at": "2023-03-22T06:15:00Z",
"severity": "HIGH"
},
"details": "An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.",
"id": "GHSA-q6g2-g7f3-rr83",
"modified": "2023-03-30T01:01:25Z",
"published": "2023-03-22T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
},
{
"type": "WEB",
"url": "https://github.com/jettison-json/jettison/issues/60"
},
{
"type": "WEB",
"url": "https://github.com/jettison-json/jettison/pull/62"
},
{
"type": "PACKAGE",
"url": "https://github.com/jettison-json/jettison"
},
{
"type": "WEB",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jettison vulnerable to infinite recursion"
}
GHSA-Q729-696Q-G9PQ
Vulnerability from github – Published: 2026-07-01 20:03 – Updated: 2026-07-01 20:03The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.
This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.
Impact
An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.
Patches
A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.
- Versions 3.1.0 and later are not affected by this issue.
Workarounds
Restrict network access to the WebSocket /rpc endpoint to trusted clients.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "surrealdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T20:03:33Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested `{`, `[`, or `(` tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket `/rpc` endpoint and exhaust server memory, crashing the process.\n\nThis is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.\n\n### Impact\n\nAn unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.\n\n### Patches\n\nA patch enforces the configured recursion depth limit in `parse_value` and `parse_json`, bringing them in line with the rest of the parser.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nRestrict network access to the WebSocket `/rpc` endpoint to trusted clients.",
"id": "GHSA-q729-696q-g9pq",
"modified": "2026-07-01T20:03:33Z",
"published": "2026-07-01T20:03:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-q729-696q-g9pq"
},
{
"type": "WEB",
"url": "https://github.com/surrealdb/surrealdb/commit/1bd9826f477f4089134460dc5574b6f4e6916973"
},
{
"type": "PACKAGE",
"url": "https://github.com/surrealdb/surrealdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SurrealDB has Denial of Service in JSON parser due to nested objects"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.