CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1057 vulnerabilities reference this CWE, most recent first.
GHSA-JJ2V-P4VP-X632
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:59imagemagick 6.8.9.6 has remote DOS via infinite loop
{
"affected": [],
"aliases": [
"CVE-2014-8561"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-15T22:15:00Z",
"severity": "MODERATE"
},
"details": "imagemagick 6.8.9.6 has remote DOS via infinite loop",
"id": "GHSA-jj2v-p4vp-x632",
"modified": "2024-04-03T23:59:56Z",
"published": "2022-05-17T19:57:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8561"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-8561"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2014-8561"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/128944/ImageMagick-Out-Of-Bounds-Read-Heap-Overflow.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2014/Nov/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/10/31/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ3X-WXRX-4X23
Vulnerability from github – Published: 2026-01-05 23:10 – Updated: 2026-01-06 16:06Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
Impact
If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message.
Patch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.2"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69227"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T23:10:15Z",
"nvd_published_at": "2026-01-06T00:15:48Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.\n\n### Impact\nIf optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message.\n\n------\n\nPatch: https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259",
"id": "GHSA-jj3x-wxrx-4x23",
"modified": "2026-01-06T16:06:51Z",
"published": "2026-01-05T23:10:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jj3x-wxrx-4x23"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69227"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "AIOHTTP vulnerable to DoS when bypassing asserts"
}
GHSA-JMWW-463H-74HC
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-02-03 21:30On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process.
{
"affected": [],
"aliases": [
"CVE-2019-6638"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "On BIG-IP 14.1.0-14.1.0.5 and 14.0.0-14.0.0.4, Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process.",
"id": "GHSA-jmww-463h-74hc",
"modified": "2023-02-03T21:30:28Z",
"published": "2022-05-24T16:49:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6638"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K67825238"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K67825238?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109106"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JPQ9-R35R-969Q
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file
{
"affected": [],
"aliases": [
"CVE-2021-22222"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-07T13:15:00Z",
"severity": "HIGH"
},
"details": "Infinite loop in DVB-S2-BB dissector in Wireshark 3.4.0 to 3.4.5 allows denial of service via packet injection or crafted capture file",
"id": "GHSA-jpq9-r35r-969q",
"modified": "2022-05-24T19:04:14Z",
"published": "2022-05-24T19:04:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22222"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22222.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/wireshark/wireshark/-/merge_requests/3130"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-21"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5019"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2021-05.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ6P-6WG4-WRW8
Vulnerability from github – Published: 2024-07-23 15:31 – Updated: 2024-07-25 18:32go-chart v2.1.1 was discovered to contain an infinite loop via the drawCanvas() function.
{
"affected": [],
"aliases": [
"CVE-2024-40060"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-23T15:15:04Z",
"severity": "HIGH"
},
"details": "go-chart v2.1.1 was discovered to contain an infinite loop via the drawCanvas() function.",
"id": "GHSA-jq6p-6wg4-wrw8",
"modified": "2024-07-25T18:32:35Z",
"published": "2024-07-23T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40060"
},
{
"type": "WEB",
"url": "https://gist.github.com/F3iG0n9/4d0d7c863eea6874eeeb26a3073aa5f8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQ6W-JF5J-5585
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.
{
"affected": [],
"aliases": [
"CVE-2017-7618"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-10T14:59:00Z",
"severity": "HIGH"
},
"details": "crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a denial of service (API operation calling its own callback, and infinite recursion) by triggering EBUSY on a full queue.",
"id": "GHSA-jq6w-jf5j-5585",
"modified": "2022-05-13T01:47:03Z",
"published": "2022-05-13T01:47:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7618"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03800en_us"
},
{
"type": "WEB",
"url": "http://marc.info/?l=linux-crypto-vger\u0026m=149181655623850\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97534"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR3J-7G7Q-JR5M
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in an infinite loop condition that leads to denial of service condition. An attacker could leverage this vulnerability to consume excessive resources. (CNVD-C-2021-79300)
{
"affected": [],
"aliases": [
"CVE-2021-34332"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.2), Teamcenter Visualization (All versions \u003c V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. A malformed input file could result in an infinite loop condition that leads to denial of service condition. An attacker could leverage this vulnerability to consume excessive resources. (CNVD-C-2021-79300)",
"id": "GHSA-jr3j-7g7q-jr5m",
"modified": "2022-05-24T19:07:37Z",
"published": "2022-05-24T19:07:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34332"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-483182.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JR5Q-2X4Q-6MHG
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20An error within the "parse_rollei()" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to trigger an infinite loop.
{
"affected": [],
"aliases": [
"CVE-2018-5818"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-20T18:29:00Z",
"severity": "HIGH"
},
"details": "An error within the \"parse_rollei()\" function (internal/dcraw_common.cpp) within LibRaw versions prior to 0.19.1 can be exploited to trigger an infinite loop.",
"id": "GHSA-jr5q-2x4q-6mhg",
"modified": "2022-05-13T01:20:21Z",
"published": "2022-05-13T01:20:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5818"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00036.html"
},
{
"type": "WEB",
"url": "https://secuniaresearch.flexerasoftware.com/secunia_research/2018-27"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3989-1"
},
{
"type": "WEB",
"url": "https://www.libraw.org/news/libraw-0-19-2-release"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JRPF-2J6M-MXHM
Vulnerability from github – Published: 2022-05-01 02:06 – Updated: 2022-05-01 02:06aspnet_wp.exe in Microsoft ASP.NET web services allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a crafted SOAP message to an RPC/Encoded method.
{
"affected": [],
"aliases": [
"CVE-2005-2224"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-07-12T04:00:00Z",
"severity": "MODERATE"
},
"details": "aspnet_wp.exe in Microsoft ASP.NET web services allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a crafted SOAP message to an RPC/Encoded method.",
"id": "GHSA-jrpf-2j6m-mxhm",
"modified": "2022-05-01T02:06:06Z",
"published": "2022-05-01T02:06:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-2224"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/16005"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/14217"
},
{
"type": "WEB",
"url": "http://www.spidynamics.com/spilabs/advisories/aspRCP.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JRQ3-7P6Q-9M8H
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:327-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307.
{
"affected": [],
"aliases": [
"CVE-2024-11612"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T21:15:17Z",
"severity": "MODERATE"
},
"details": "7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307.",
"id": "GHSA-jrq3-7p6q-9m8h",
"modified": "2024-11-22T21:32:18Z",
"published": "2024-11-22T21:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11612"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1606"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.