VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 13, 2024· Updated Apr 15, 2026

CVE-2024-36760

CVE-2024-36760

Description

A stack overflow vulnerability was found in version 1.18.0 of rhai. The flaw position is: (/ SRC/rhai/SRC/eval/STMT. Rs in rhai: : eval: : STMT: : _ $LT $impl $u20 $rhai.. engine.. Engine$GT$::eval_stmt::h3f1d68ce37fc6e96). Due to the stack overflow is a recursive call/SRC/rhai/SRC/eval/STMT. Rs file eval_stmt_block function.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
rhaicrates.io
<= 1.18.0

Patches

1
308d07a11d3b

Merge pull request #881 from schungx/master

https://github.com/rhaiscript/rhaiStephen ChungMay 23, 2024via ghsa
commit
3 files changed · +26 0
  • CHANGELOG.md+1 0 modified
    @@ -13,6 +13,7 @@ Bug fixes
 * The `sync` feature now works properly in `no-std` builds (thanks [`@misssonder`](https://github.com/misssonder) [874](https://github.com/rhaiscript/rhai/pull/874)).
 * More data-race conditions are caught and returned as errors instead of panicking.
 * Missing `min` and `max` functions where both operands are floats or `Decimal` are added.
+* Fixed stack overflow when calling closures recursively (thanks [`@MageWeiG`](https://github.com/MageWeiG) [880](https://github.com/rhaiscript/rhai/issues/880)).
 
 New features
 ------------
  • src/func/call.rs+8 0 modified
    @@ -754,6 +754,8 @@ impl Engine {
                         let scope = &mut Scope::new();
                         let environ = fn_ptr.environ.as_ref().map(<_>::as_ref);
 
+                        defer! { let orig_level = global.level; global.level += 1 }
+
                         self.call_script_fn(
                             global, caches, scope, None, environ, fn_def, args, true, pos,
                         )
@@ -832,6 +834,8 @@ impl Engine {
                         let this_ptr = Some(target.as_mut());
                         let environ = environ.as_deref();
 
+                        defer! { let orig_level = global.level; global.level += 1 }
+
                         self.call_script_fn(
                             global, caches, scope, this_ptr, environ, &fn_def, args, true, pos,
                         )
@@ -973,6 +977,8 @@ impl Engine {
                         let this_ptr = Some(target.as_mut());
                         let args = &mut call_args.iter_mut().collect::<FnArgsVec<_>>();
 
+                        defer! { let orig_level = global.level; global.level += 1 }
+
                         self.call_script_fn(
                             global, caches, scope, this_ptr, environ, &fn_def, args, true, pos,
                         )
@@ -1083,6 +1089,8 @@ impl Engine {
                         let scope = &mut Scope::new();
                         let environ = environ.as_deref();
 
+                        defer! { let orig_level = global.level; global.level += 1 }
+
                         return self.call_script_fn(
                             global, caches, scope, None, environ, &fn_def, args, true, pos,
                         );
  • tests/stack.rs+17 0 modified
    @@ -32,6 +32,23 @@ fn test_stack_overflow_fn_calls() {
             .unwrap_err(),
         EvalAltResult::ErrorStackOverflow(..)
     ));
+
+    #[cfg(not(feature = "no_function"))]
+    #[cfg(not(feature = "no_object"))]
+    assert!(matches!(
+        *engine
+            .run(
+                "
+                    let obj1 = #{
+                        action: || this.action(),	
+                        update: |x| this.action()
+                    };
+                    obj1.update(1)
+                "
+            )
+            .unwrap_err(),
+        EvalAltResult::ErrorStackOverflow(..)
+    ));
 }
 
 #[test]

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.