Common Weakness Enumeration

CWE-674

Allowed-with-Review

Uncontrolled Recursion

Abstraction: Class · Status: Draft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

616 vulnerabilities reference this CWE, most recent first.

GHSA-VHR5-G3PM-49FM

Vulnerability from github – Published: 2024-08-20 18:35 – Updated: 2024-08-20 18:35
VLAI
Summary
matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor
Details

Impact

A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.

Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L) we classify this as High severity issue.

Patches

This was patched in matrix-js-sdk 34.3.1.

Workarounds

Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either getRoomUpgradeHistory or leaveRoomChain.

References

N/A.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "matrix-js-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "34.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-42369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T18:35:27Z",
    "nvd_published_at": "2024-08-20T15:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk\u0027s `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the \u0027leaveRoomChain()\u0027 method, so leaving a room will also trigger the bug.\n\nEven if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L\u0026version=3.1)) we classify this as High severity issue.\n\n### Patches\nThis was patched in matrix-js-sdk 34.3.1.\n\n### Workarounds\nSanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`.\n\n### References\nN/A.\n",
  "id": "GHSA-vhr5-g3pm-49fm",
  "modified": "2024-08-20T18:35:28Z",
  "published": "2024-08-20T18:35:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/matrix-js-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor"
}

GHSA-VJJ7-39VR-35R3

Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2026-03-06 18:31
VLAI
Details

Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30630"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-10T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators.",
  "id": "GHSA-vjj7-39vr-35r3",
  "modified": "2026-03-06T18:31:09Z",
  "published": "2022-08-11T00:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30630"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/cl/417065"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/53415"
    },
    {
      "type": "WEB",
      "url": "https://go.googlesource.com/go/+/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0527"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VPPJ-Q42F-96W5

Vulnerability from github – Published: 2022-05-19 00:00 – Updated: 2022-05-27 00:01
VLAI
Details

Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-18T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
  "id": "GHSA-vppj-q42f-96w5",
  "modified": "2022-05-27T00:01:12Z",
  "published": "2022-05-19T00:00:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vim/vim/commit/51f0bfb88a3554ca2dde777d78a59880d1ee37a8"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/faa74175-5317-4b71-a363-dfc39094ecbb"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-32"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VR34-263X-7Q3R

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02
VLAI
Details

A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-20T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A stack overflow in libyang \u003c= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.",
  "id": "GHSA-vr34-263x-7q3r",
  "modified": "2022-05-24T19:02:50Z",
  "published": "2022-05-24T19:02:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28903"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CESNET/libyang/issues/1453"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-54"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VRM3-V8W6-8742

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to system resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-09T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to system resources.",
  "id": "GHSA-vrm3-v8w6-8742",
  "modified": "2022-05-13T01:44:05Z",
  "published": "2022-05-13T01:44:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16419"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb17-36.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101817"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039791"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVX9-XFCG-G62V

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-06-01 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then will memcpy() cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered.

Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to the target_lu_gp_members_show() but the tg_pt_gp variant was missed so resolve that here.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:30Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()\n\ntarget_tg_pt_gp_members_show() formats LUN paths with snprintf() into a\n256-byte stack buffer, then will memcpy() cur_len bytes from that\nbuffer.  snprintf() returns the length the output would have had, which\ncan exceed the buffer size when the fabric WWN is long because iSCSI IQN\nnames can be up to 223 bytes.  The check at the memcpy() site only\nguards the destination page write, not the source read, so memcpy() will\nread past the stack buffer and copy adjacent stack contents to the sysfs\nreader, which when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic()\nwill be triggered.\n\nCommit 27e06650a5ea (\"scsi: target: target_core_configfs: Add length\ncheck to avoid buffer overflow\") added the same bound to the\ntarget_lu_gp_members_show() but the tg_pt_gp variant was missed so\nresolve that here.",
  "id": "GHSA-vvx9-xfcg-g62v",
  "modified": "2026-06-01T18:31:38Z",
  "published": "2026-05-28T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46149"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/00d91bfdce5033f5d9b4915638ae9b0553848b5d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/12f2201a56957ba020392223a7393a5eba080c1b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f678d13e939f91840cb1ebe9b88544923539d3c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72cc5ea7ef32bb5fa38bf0dd2e56fcd73aa8c89e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/772a896a56e0e3ef9424a025cec9176f9d8f4552"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3cc9d490c207d57a289054397349f6f8c90354e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db0a4759d62cad4ff891e2d81ae4be73bb57f4a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e501154f9d82c95d2719bcbbaf679d8fd3226ef7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W239-58X2-Q8P5

Vulnerability from github – Published: 2026-05-07 02:07 – Updated: 2026-06-08 23:47
VLAI
Summary
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth
Details

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).

For DAG-CBOR, a payload of approximately 2 MB, consisting of repeated 0x81 (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go's default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via [[[...]]]-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.

Schema-free decoding (using basicnode.Prototype.Any) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as Any; schemas with recursive type references or any Any-typed fields permit unconstrained nesting at those points.

The fix adds a configurable MaxDepth option to both decoders, defaulting to 1024 nested levels. The decoder returns ErrDecodeDepthExceeded when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ipld/go-ipld-prime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T02:07:21Z",
    "nvd_published_at": "2026-05-27T18:16:22Z",
    "severity": "MODERATE"
  },
  "details": "The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic).\n\nFor DAG-CBOR, a payload of approximately 2 MB, consisting of repeated `0x81` (array-of-1) bytes followed by a terminator, produces around 2 million recursion frames and reliably exhausts Go\u0027s default 1 GB goroutine stack. The existing allocation budget does not prevent this: each nested collection header costs only a handful of budget units, so the stack is exhausted before the budget is. DAG-JSON has equivalent exposure via `[[[...]]]`-style payloads; it has no budget system and is therefore unprotected against recursion depth as well.\n\nSchema-free decoding (using `basicnode.Prototype.Any`) allows arbitrary nesting depth. Schema-bound decoding bounds nesting only when the schema itself is non-recursive and contains no fields typed as `Any`; schemas with recursive type references or any `Any`-typed fields permit unconstrained nesting at those points.\n\nThe fix adds a configurable `MaxDepth` option to both decoders, defaulting to 1024 nested levels. The decoder returns `ErrDecodeDepthExceeded` when a payload nests beyond the limit. Well-formed IPLD data rarely approaches this depth in practice; the default is generous for legitimate use while preventing stack exhaustion.",
  "id": "GHSA-w239-58x2-q8p5",
  "modified": "2026-06-08T23:47:37Z",
  "published": "2026-05-07T02:07:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ipld/go-ipld-prime/security/advisories/GHSA-w239-58x2-q8p5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42328"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ipld/go-ipld-prime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "go-ipld-prime\u0027s DAG-CBOR and DAG-JSON decoders have unbounded recursion depth"
}

GHSA-W2GJ-35CX-6H66

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-28T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A component of the HarmonyOS has a External Control of System or Configuration Setting vulnerability. Local attackers may exploit this vulnerability to cause core dump.",
  "id": "GHSA-w2gj-35cx-6h66",
  "modified": "2022-05-24T19:19:09Z",
  "published": "2022-05-24T19:19:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22454"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202107-0000001123874808"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W2PR-2387-VXGH

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18
VLAI
Details

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. This is triggered by random subdomains in the NSDNAME in NS records.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-19T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an \"NXNSAttack\" issue. This is triggered by random subdomains in the NSDNAME in NS records.",
  "id": "GHSA-w2pr-2387-vxgh",
  "modified": "2022-05-24T17:18:07Z",
  "published": "2022-05-24T17:18:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12662"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F5NFROI2OMCZLYRTCNGHGO3TUD32LCIQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJ42N2HBZ3DXMSEC56SWIIOFQGOS5M7I"
    },
    {
      "type": "WEB",
      "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2020-12662_2020-12663.txt"
    },
    {
      "type": "WEB",
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:19.unbound.asc"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200702-0006"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4374-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4694"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/security/advisory/Synology_SA_20_12"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00067.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00069.html"
    },
    {
      "type": "WEB",
      "url": "http://www.nxnsattack.com"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/05/19/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W3VF-7FPC-9FWW

Vulnerability from github – Published: 2021-12-08 00:00 – Updated: 2025-07-03 21:31
VLAI
Details

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-07T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.",
  "id": "GHSA-w3vf-7fpc-9fww",
  "modified": "2025-07-03T21:31:20Z",
  "published": "2021-12-08T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42717"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5023"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Mitigation
Implementation

Increase the stack size.

CAPEC-230: Serialized Data with Nested Payloads

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.

CAPEC-231: Oversized Serialized Data Payloads

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.