Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-PQ8H-22GG-VPMW

Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-10-29 12:00
VLAI
Details

In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Dovecot before 2.3.11.3, uncontrolled recursion in submission, lmtp, and lda allows remote attackers to cause a denial of service (resource consumption) via a crafted e-mail message with deeply nested MIME parts.",
  "id": "GHSA-pq8h-22gg-vpmw",
  "modified": "2022-10-29T12:00:36Z",
  "published": "2022-05-24T17:25:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12100"
    },
    {
      "type": "WEB",
      "url": "https://dovecot.org/security"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AAX2MJEULPVSRZOBX3PNPFSYP4FM4TT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EYZU6CHA3VMYYAUCMHSCCQKJEVEIKPQ2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XKKAL3OMG76ZZ7CIEMQP2K6KCTD2RAKE"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202009-02"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4456-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4456-2"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4745"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Jan/18"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/08/12/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/01/04/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQHP-25J4-6HQ9

Vulnerability from github – Published: 2024-11-22 20:40 – Updated: 2024-11-22 20:40
VLAI
Summary
smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
Details

Summary

An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.

The library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.

Proof of concept

require("smol-toml").parse("e=" + "{e=".repeat(9999) + "{}" + "}".repeat(9999))

Impact

Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.

Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.

As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.

Patches

Version 1.3.1 offers a mechanism to limit the exploration depth before halting with a TomlError when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.

Please note that the parser will still throw an error upon such cases. It is, however, a now-controlled and documented behavior of the library.

Workarounds

Wrap all invocations of parse and stringify in a try/catch block.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.3.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "smol-toml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-22T20:40:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inline structure. A similar problem occurs when attempting to stringify deeply nested objects.\n\nThe library does not limit the maximum exploration depth while parsing or producing TOML documents, nor does it offer a way to do so.\n\n### Proof of concept\n```js\nrequire(\"smol-toml\").parse(\"e=\" + \"{e=\".repeat(9999) + \"{}\" + \"}\".repeat(9999))\n```\n\n### Impact\nApplications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input and therefore to properly handle errors.\n\nDue to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.\n\nAs a reminder, it is **strongly** advised when working with untrusted user input to expect errors to occur and to appropriately catch them.\n\n### Patches\nVersion 1.3.1 offers a mechanism to limit the exploration depth before halting with a `TomlError` when parsing, with a default cap of 1000. A same mechanism has been implemented for stringifying objects.\n\n**Please note that the parser will *still* throw an error upon such cases.** It is, however, a now-controlled and documented behavior of the library.\n\n### Workarounds\nWrap all invocations of `parse` and `stringify` in a try/catch block.",
  "id": "GHSA-pqhp-25j4-6hq9",
  "modified": "2024-11-22T20:40:49Z",
  "published": "2024-11-22T20:40:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-pqhp-25j4-6hq9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/squirrelchat/smol-toml/commit/405108ba090f0fc78f99aa2f0d6721e499b0ff27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/squirrelchat/smol-toml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables"
}

GHSA-PVVG-CG5R-2Q8V

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-25T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Exiv2 0.27. There is infinite recursion at Exiv2::Image::printTiffStructure in the file image.cpp. This can be triggered by a crafted file. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.",
  "id": "GHSA-pvvg-cg5r-2q8v",
  "modified": "2022-05-13T01:23:02Z",
  "published": "2022-05-13T01:23:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Exiv2/exiv2/issues/711"
    },
    {
      "type": "WEB",
      "url": "https://research.loginsoft.com/bugs/uncontrolled-recursion-loop-in-exiv2imageprinttiffstructure-exiv2-0-27"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107161"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWF9-Q62P-V7WC

Vulnerability from github – Published: 2025-03-16 06:30 – Updated: 2025-03-18 21:06
VLAI
Summary
Wire has Uncontrolled Recursion on Nested Groups
Details

Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.squareup.wire:wire-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-58103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-18T21:06:13Z",
    "nvd_published_at": "2025-03-16T04:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.",
  "id": "GHSA-pwf9-q62p-v7wc",
  "modified": "2025-03-18T21:06:13Z",
  "published": "2025-03-16T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/wire/commit/b90e60c09befaff836a2fc2ee4d678451b2ec75d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/square/wire"
    },
    {
      "type": "WEB",
      "url": "https://github.com/square/wire/compare/5.1.0...5.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wire has Uncontrolled Recursion on Nested Groups"
}

GHSA-PWR2-4V36-6QPR

Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-02-26 22:06
VLAI
Summary
orjson does not limit recursion for deeply nested JSON documents
Details

orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "orjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-26T21:31:06Z",
    "nvd_published_at": "2024-02-26T16:28:00Z",
    "severity": "HIGH"
  },
  "details": "orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.",
  "id": "GHSA-pwr2-4v36-6qpr",
  "modified": "2024-02-26T22:06:16Z",
  "published": "2024-02-26T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27454"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ijl/orjson/issues/458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ijl/orjson/commit/b0e4d2c06ce06c6e63981bf0276e4b7c74e5845e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ijl/orjson"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ijl/orjson/blob/master/CHANGELOG.md#3915"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/orjson/PYSEC-2024-40.yaml"
    },
    {
      "type": "WEB",
      "url": "https://monicz.dev/CVE-2024-27454"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "orjson does not limit recursion for deeply nested JSON documents"
}

GHSA-Q2RR-FHP3-V3J2

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2022-05-24 17:00
VLAI
Details

An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. When parsing labels in mDNS packets, the firewall unsafely handles label compression pointers, leading to an uncontrolled recursion that eventually exhausts the stack, crashing the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-31T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable denial-of-service vulnerability exists in the mdnscap binary of the CUJO Smart Firewall running firmware 7003. When parsing labels in mDNS packets, the firewall unsafely handles label compression pointers, leading to an uncontrolled recursion that eventually exhausts the stack, crashing the mdnscap process. An unauthenticated attacker can send an mDNS message to trigger this vulnerability.",
  "id": "GHSA-q2rr-fhp3-v3j2",
  "modified": "2022-05-24T17:00:08Z",
  "published": "2022-05-24T17:00:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4002"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0671"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q4QJ-V923-5HMH

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows stack consumption via recursive function calls during the handling of XFA forms or link objects.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Foxit Reader and PhantomPDF before 10.1.4. It allows stack consumption via recursive function calls during the handling of XFA forms or link objects.",
  "id": "GHSA-q4qj-v923-5hmh",
  "modified": "2022-05-24T19:11:01Z",
  "published": "2022-05-24T19:11:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38569"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q5GR-H5MJ-HP63

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2024-08-15 15:30
VLAI
Details

An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.",
  "id": "GHSA-q5gr-h5mj-hp63",
  "modified": "2024-08-15T15:30:52Z",
  "published": "2022-05-24T17:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28242"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB"
    },
    {
      "type": "WEB",
      "url": "http://downloads.asterisk.org/pub/security/AST-2020-002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6G2-G7F3-RR83

Vulnerability from github – Published: 2023-03-22 06:30 – Updated: 2023-03-30 01:01
VLAI
Summary
Jettison vulnerable to infinite recursion
Details

An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codehaus.jettison:jettison"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1436"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-22T21:23:09Z",
    "nvd_published_at": "2023-03-22T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.",
  "id": "GHSA-q6g2-g7f3-rr83",
  "modified": "2023-03-30T01:01:25Z",
  "published": "2023-03-22T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jettison-json/jettison/issues/60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jettison-json/jettison/pull/62"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jettison-json/jettison"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jettison vulnerable to infinite recursion"
}

GHSA-Q729-696Q-G9PQ

Vulnerability from github – Published: 2026-07-01 20:03 – Updated: 2026-07-01 20:03
VLAI
Summary
SurrealDB has Denial of Service in JSON parser due to nested objects
Details

The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested {, [, or ( tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket /rpc endpoint and exhaust server memory, crashing the process.

This is an incomplete fix for GHSA-6r8p-hpg7-825g, which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.

Impact

An unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.

Patches

A patch enforces the configured recursion depth limit in parse_value and parse_json, bringing them in line with the rest of the parser.

  • Versions 3.1.0 and later are not affected by this issue.

Workarounds

Restrict network access to the WebSocket /rpc endpoint to trusted clients.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T20:03:33Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The SurrealDB value and JSON parser did not enforce the configured recursion depth limit when parsing nested `{`, `[`, or `(` tokens. The expression parser already enforced the limit for these tokens; the value/JSON parser omitted it. An unauthenticated attacker could send a deeply nested JSON payload to the WebSocket `/rpc` endpoint and exhaust server memory, crashing the process.\n\nThis is an incomplete fix for [GHSA-6r8p-hpg7-825g](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-6r8p-hpg7-825g), which addressed the same class of bug in the expression parser but did not cover the value/JSON parser code path.\n\n### Impact\n\nAn unauthenticated remote attacker can crash a SurrealDB server with a single WebSocket message. No credentials or query execution privileges are required.\n\n### Patches\n\nA patch enforces the configured recursion depth limit in `parse_value` and `parse_json`, bringing them in line with the rest of the parser.\n\n- Versions 3.1.0 and later are not affected by this issue.\n\n### Workarounds\n\nRestrict network access to the WebSocket `/rpc` endpoint to trusted clients.",
  "id": "GHSA-q729-696q-g9pq",
  "modified": "2026-07-01T20:03:33Z",
  "published": "2026-07-01T20:03:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-q729-696q-g9pq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/commit/1bd9826f477f4089134460dc5574b6f4e6916973"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB has Denial of Service in JSON parser due to nested objects"
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.