CWE-674
Allowed-with-ReviewUncontrolled Recursion
Abstraction: Class · Status: Draft
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
616 vulnerabilities reference this CWE, most recent first.
GHSA-WJWR-9F4Q-Q8H8
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-05-24 16:56In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.
{
"affected": [],
"aliases": [
"CVE-2019-11779"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more \u0027/\u0027 characters, i.e. the topic hierarchy separator, then a stack overflow will occur.",
"id": "GHSA-wjwr-9f4q-q8h8",
"modified": "2022-05-24T16:56:28Z",
"published": "2022-05-24T16:56:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11779"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=551160"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4WMHIM64Q35NGTR6R3ILZUL4MA4ANB5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFWQBNFTAVHPUYNGYO2TCPF5PCSWC2Z7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWNVTFA2CKXERXRYPYE2YFTZP4GNBGYY"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Nov/25"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4137-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4570"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00077.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WMHF-FQC8-VXHH
Vulnerability from github – Published: 2026-05-19 20:10 – Updated: 2026-07-06 22:53Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.
Credit
Ori Nakar from Imperva Threat Research Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sqlfluff"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46373"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:10:17Z",
"nvd_published_at": "2026-06-09T23:16:59Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.\n\n### Patches\n\nVersions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.\n\n### Credit\n\nOri Nakar from Imperva Threat Research Team.",
"id": "GHSA-wmhf-fqc8-vxhh",
"modified": "2026-07-06T22:53:18Z",
"published": "2026-05-19T20:10:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-wmhf-fqc8-vxhh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46373"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/sqlfluff/PYSEC-2026-209.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sqlfluff/sqlfluff"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SQLFluff: Recursive Stack Overflow in Parser"
}
GHSA-WQH3-2WQG-RQ54
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
{
"affected": [],
"aliases": [
"CVE-2019-9904"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T18:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in lib\\cdt\\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\\cgraph\\graph.c in libcgraph.a, related to agfstsubg in lib\\cgraph\\subg.c.",
"id": "GHSA-wqh3-2wqg-rq54",
"modified": "2022-05-13T01:08:56Z",
"published": "2022-05-13T01:08:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9904"
},
{
"type": "WEB",
"url": "https://gitlab.com/graphviz/graphviz/issues/1512"
},
{
"type": "WEB",
"url": "https://research.loginsoft.com/bugs/stack-buffer-overflow-in-function-agclose-graphviz"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR8R-279J-G4XP
Vulnerability from github – Published: 2025-10-12 15:30 – Updated: 2025-10-12 15:30IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.
{
"affected": [],
"aliases": [
"CVE-2025-33096"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-12T14:15:36Z",
"severity": "MODERATE"
},
"details": "IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user to cause a denial of service by uploading specially crafted files using uncontrolled recursion.",
"id": "GHSA-wr8r-279j-g4xp",
"modified": "2025-10-12T15:30:16Z",
"published": "2025-10-12T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33096"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7247716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVRR-4W4F-3V54
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
{
"affected": [],
"aliases": [
"CVE-2026-9740"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T23:17:03Z",
"severity": "HIGH"
},
"details": "A vulnerability in MongoDB Server\u0027s BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator\u0027s handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.",
"id": "GHSA-wvrr-4w4f-3v54",
"modified": "2026-06-10T00:31:50Z",
"published": "2026-06-10T00:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9740"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-125063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WVXW-Q92G-9GHF
Vulnerability from github – Published: 2026-06-04 18:30 – Updated: 2026-06-04 21:31Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.
The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.
If the argument was not a well-formed IP address, then this would lead to indefinite recursion.
An attacker could use this to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-49941"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T17:16:33Z",
"severity": "HIGH"
},
"details": "Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses.\n\nThe add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask.\n\nIf the argument was not a well-formed IP address, then this would lead to indefinite recursion.\n\nAn attacker could use this to cause a denial of service.",
"id": "GHSA-wvxw-q92g-9ghf",
"modified": "2026-06-04T21:31:21Z",
"published": "2026-06-04T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49941"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/04/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WW3G-X39P-R2PW
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.
{
"affected": [],
"aliases": [
"CVE-2019-0001"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-15T21:29:00Z",
"severity": "HIGH"
},
"details": "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2.",
"id": "GHSA-ww3g-x39p-r2pw",
"modified": "2022-05-13T01:12:22Z",
"published": "2022-05-13T01:12:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0001"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10900"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RMKFSHPMOZL7MDWU5RYOTIBTRWSZ4Z6X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7CPKBW4QZ4VIY4UXIUVUSHRJ4R2FROE"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106541"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WX32-7CG6-9X4F
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-12-21 15:30A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among PdfTokenizer::ReadArray(), PdfTokenizer::GetNextVariant() and PdfTokenizer::ReadDataType() functions can lead to a stack overflow.
{
"affected": [],
"aliases": [
"CVE-2021-30470"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T22:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among PdfTokenizer::ReadArray(), PdfTokenizer::GetNextVariant() and PdfTokenizer::ReadDataType() functions can lead to a stack overflow.",
"id": "GHSA-wx32-7cg6-9x4f",
"modified": "2022-12-21T15:30:16Z",
"published": "2022-05-24T19:03:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30470"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947436"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X23X-4P2X-538Q
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:08An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.
{
"affected": [],
"aliases": [
"CVE-2022-48545"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:31Z",
"severity": "MODERATE"
},
"details": "An infinite recursion in Catalog::findDestInTree can cause denial of service for xpdf 4.02.",
"id": "GHSA-x23x-4p2x-538q",
"modified": "2024-04-04T07:08:14Z",
"published": "2023-08-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48545"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42092"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X27M-9W8J-5VCW
Vulnerability from github – Published: 2022-09-17 00:00 – Updated: 2023-01-02 21:50Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.jettison:jettison"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40150"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-20T21:20:42Z",
"nvd_published_at": "2022-09-16T10:15:00Z",
"severity": "HIGH"
},
"details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.",
"id": "GHSA-x27m-9w8j-5vcw",
"modified": "2023-01-02T21:50:43Z",
"published": "2022-09-17T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"type": "WEB",
"url": "https://github.com/jettison-json/jettison/issues/45"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549"
},
{
"type": "PACKAGE",
"url": "https://github.com/jettison-json/jettison"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5312"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jettison memory exhaustion"
}
Mitigation
Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Mitigation
Increase the stack size.
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.