CVE-2021-42692
Description
There is a stack-overflow vulnerability in tinytoml v0.4 that can cause a crash or DoS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- tinytoml/tinytoml
Patches
Vulnerability mechanics
Root cause
"Unbounded recursion in the TOML parser's `parseArray` and `parseValue` functions allows a crafted input to exhaust the call stack."
Attack vector
An attacker provides a crafted TOML input file containing deeply nested arrays (or array-like structures) that triggers unbounded recursion in the parser. The recursion between `parseArray` and `parseValue` exhausts the call stack, causing a crash or denial of service. No authentication or special network access is required; the victim only needs to parse the attacker-supplied file using `parseFile` [ref_id=1].
Affected code
The stack overflow occurs in `toml::internal::Parser::parseArray` and `toml::internal::Parser::parseValue` (both in `toml.h`), which recursively call each other without depth limiting. The entry point is `toml::parseFile` [ref_id=1].
What the fix does
The advisory does not include a patch. The reporter notes that a crafted file of roughly 10 KB can overflow an 8 MB stack, and suggests that the parser should avoid unbounded recursion. Without a fix, users must rely on external mitigations such as increasing the stack size via `ulimit -s` or limiting the nesting depth of input files [ref_id=1].
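One way to apply the nesting-depth mitigation before input reaches `toml::parseFile`, as an added example (not code from tinytoml or the advisory): a C++ pre-scan that measures bracket nesting outside strings and comments. The function names and the limit `kMaxDepth = 64` are assumptions.

```cpp
// Added example (not tinytoml code): pre-parse nesting-depth guard.
#include <cstddef>
#include <iostream>
#include <string>

// Maximum nesting depth of '[' / '{' outside strings and comments.
// Table headers ([t], [[t]]) are counted too, so the result is conservative.
std::size_t maxNestingDepth(const std::string& s) {
    std::size_t depth = 0, maxDepth = 0, i = 0;
    const std::size_t n = s.size();
    while (i < n) {
        char c = s[i];
        if (c == '#') {                        // comment: skip to end of line
            while (i < n && s[i] != '\n') ++i;
        } else if (c == '"' || c == '\'') {    // string: skip to closing delimiter
            bool multi = s.compare(i, 3, std::string(3, c)) == 0;
            std::size_t len = multi ? 3 : 1;
            i += len;
            while (i < n) {
                if (c == '"' && s[i] == '\\') { i += 2; continue; }  // escape pair
                if (s.compare(i, len, std::string(len, c)) == 0) { i += len; break; }
                if (!multi && s[i] == '\n') break;   // unterminated one-line string
                ++i;
            }
        } else {
            if (c == '[' || c == '{') { if (++depth > maxDepth) maxDepth = depth; }
            else if ((c == ']' || c == '}') && depth > 0) --depth;
            ++i;
        }
    }
    return maxDepth;
}

// Assumed policy limit; not a value taken from the advisory.
constexpr std::size_t kMaxDepth = 64;

// Call this on untrusted input and refuse to parse when it returns false.
bool safeToParse(const std::string& toml) {
    return maxNestingDepth(toml) <= kMaxDepth;
}

int main() {
    // Constructed input: 5000 nested arrays, about 10 KB of brackets.
    std::string deep = "a = " + std::string(5000, '[') + std::string(5000, ']');
    std::cout << "depth=" << maxNestingDepth(deep)
              << " safe=" << safeToParse(deep) << "\n";
    return 0;
}
```

The scan is iterative, so its own stack use stays constant regardless of how deeply the input nests.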
Preconditions
- Input: The victim must parse a TOML file using the `parseFile` function (or any code path that calls `toml::parse`).
- Input: The input file must contain deeply nested arrays (or equivalent recursive structures) that cause the parser's recursive calls to exceed the available stack size.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/mayah/tinytoml/issues/49 (mitre, x_refsource_MISC)