CWE-674
Uncontrolled Recursion
Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-230 · CAPEC-231
CVEs mapped to this weakness (235)
page 10 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-5472 | | | 0.00 | — | 0.00 | | Jul 7, 2025 | The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a… |
| CVE-2025-4565 | | | 0.00 | — | 0.00 | | Jun 16, 2025 | Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial… |
| CVE-2025-1752 | | | 0.00 | — | 0.00 | | May 10, 2025 | A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper… |
| CVE-2025-32387 | | | 0.00 | — | 0.00 | | Apr 9, 2025 | Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm… |
| CVE-2024-12910 | | | 0.00 | — | 0.01 | | Mar 20, 2025 | A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the… |
| CVE-2024-47831 | | | 0.00 | — | 0.01 | | Oct 14, 2024 | Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU… |
| CVE-2024-43414 | | | 0.00 | — | 0.01 | | Aug 27, 2024 | Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by… |
| CVE-2024-42369 | | | 0.00 | — | 0.00 | | Aug 20, 2024 | matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the… |
| CVE-2024-44073 | | | 0.00 | — | 0.01 | | Aug 19, 2024 | The Miniscript (aka rust-miniscript) library before 12.2.0 for Rust allows stack consumption because it does not properly track tree depth. |
| CVE-2024-2965 | | | 0.00 | — | 0.00 | | Jun 6, 2024 | A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when… |
| CVE-2024-29904 | | | 0.00 | — | 0.01 | | Mar 29, 2024 | CodeIgniter is a PHP full-stack web framework. A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server. Upgrade to v4.4.7 or later. |
| CVE-2024-28244 | | | 0.00 | — | 0.02 | | Mar 25, 2024 | KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX… |
| CVE-2024-28243 | | | 0.00 | — | 0.01 | | Mar 25, 2024 | KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an… |
| CVE-2024-1899 | | | 0.00 | — | 0.01 | | Feb 26, 2024 | An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions. |
| CVE-2024-27454 | | — | 0.00 | — | 0.01 | | Feb 26, 2024 | orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents. |
| CVE-2024-25112 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function,… |
| CVE-2023-52079 | | | 0.00 | — | 0.01 | | Dec 28, 2023 | msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to… |
| CVE-2023-50251 | | | 0.00 | — | 0.01 | | Dec 12, 2023 | php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when parsing the attributes passed to a `use` tag inside an svg document, an attacker can cause the system to go to an infinite recursion. Depending on the system configuration and attack pattern… |
| CVE-2023-47163 | | | 0.00 | — | 0.01 | | Nov 13, 2023 | Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition. |
| CVE-2023-34620 | | | 0.00 | — | 0.01 | | Jun 14, 2023 | An issue was discovered in hjson through 3.0.0 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies. |