CWE-674
Uncontrolled Recursion
Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
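The description above is the whole weakness: a parser or serializer recurses once per level of structure, so whoever controls the input (or the object graph) controls the stack depth. The following is an added example, not code from MITRE or from any of the projects listed on this page. It is a minimal recursive-descent parser for nested integer arrays (a hypothetical JSON-array subset chosen for illustration) in its unbounded form beside a hardened form with an explicit depth cap; the name `MAX_DEPTH`, its value 64, and the constructed hostile payload are assumptions.

```python
"""Added example: uncontrolled recursion (CWE-674) in a recursive-descent
parser, and the depth cap that fixes it. The grammar (nested arrays of
integers), MAX_DEPTH and the payloads are assumptions for illustration."""

MAX_DEPTH = 64  # assumed cap; choose one legitimate documents never reach

# Constructed hostile input: 5000 levels of nesting, well past CPython's
# default recursion limit of 1000 frames.
DEEP_PAYLOAD = "[" * 5000 + "]" * 5000


class ParseError(ValueError):
    """Raised for malformed input or for exceeding the nesting cap."""


def _parse_value(s, i, depth, max_depth):
    """Parse one value starting at s[i]; return (value, index_after_value).

    Each '[' recurses one level deeper, so with max_depth=None the input
    alone decides how many stack frames are consumed.
    """
    if i >= len(s):
        raise ParseError("unexpected end of input")
    c = s[i]
    if c == "[":
        # The fix: refuse to recurse past a fixed depth instead of
        # letting the runtime blow the stack.
        if max_depth is not None and depth >= max_depth:
            raise ParseError(f"nesting deeper than {max_depth} levels")
        items = []
        i += 1
        if i < len(s) and s[i] == "]":
            return items, i + 1
        while True:
            val, i = _parse_value(s, i, depth + 1, max_depth)
            items.append(val)
            if i >= len(s):
                raise ParseError("unterminated array")
            if s[i] == ",":
                i += 1
                continue
            if s[i] == "]":
                return items, i + 1
            raise ParseError(f"unexpected {s[i]!r} at offset {i}")
    # Integer literal: optional leading '-' followed by digits.
    j = i
    while j < len(s) and (s[j].isdigit() or (j == i and s[j] == "-")):
        j += 1
    if j == i or s[i:j] == "-":
        raise ParseError(f"unexpected {c!r} at offset {i}")
    return int(s[i:j]), j


def parse_unbounded(s):
    """Vulnerable form: no limit on nesting, so deep input exhausts the stack."""
    value, end = _parse_value(s, 0, 0, None)
    if end != len(s):
        raise ParseError("trailing data after value")
    return value


def parse_bounded(s, max_depth=MAX_DEPTH):
    """Hardened form: nesting beyond max_depth is rejected with ParseError."""
    value, end = _parse_value(s, 0, 0, max_depth)
    if end != len(s):
        raise ParseError("trailing data after value")
    return value


def probe(parser, payload):
    """Classify how a parser reacts to a payload: 'ok', 'rejected' (clean
    error the caller can handle) or 'stack-exhausted' (the runtime gave up)."""
    try:
        parser(payload)
        return "ok"
    except ParseError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"


if __name__ == "__main__":
    print("unbounded:", probe(parse_unbounded, DEEP_PAYLOAD))  # stack-exhausted
    print("bounded:  ", probe(parse_bounded, DEEP_PAYLOAD))    # rejected
    print(parse_bounded("[1,[2,3],[]]"))
```

In CPython the unbounded parser fails with a `RecursionError` that the caller may be able to catch; in Java the equivalent is a `StackOverflowError`, and in C or Rust it is a guard-page fault that terminates the process, so catching the overflow is not a substitute for the cap. The cap handles depth-driven recursion, which is what most of the entries below describe; recursion driven by a cycle in the data itself (the Jettison self-referencing `Collection` case) needs a visited-set check on the objects being walked as well.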
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-230 · CAPEC-231
CVEs mapped to this weakness (235)
(page 11 of 12)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-1436 | | | 0.00 | — | 0.01 | | Mar 16, 2023 | An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown. |
| CVE-2023-1370 | | | 0.00 | — | 0.01 | | Mar 13, 2023 | [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the… |
| CVE-2021-36395 | | | 0.00 | — | 0.01 | | Mar 6, 2023 | In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. |
| CVE-2022-41966 | | | 0.00 | — | 0.09 | | Dec 27, 2022 | XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code… |
| CVE-2022-23516 | | | 0.00 | — | 0.01 | | Dec 14, 2022 | Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. … |
| CVE-2022-23500 | | | 0.00 | — | 0.01 | | Dec 14, 2022 | TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message… |
| CVE-2022-41881 | | | 0.00 | — | 0.01 | | Dec 12, 2022 | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no… |
| CVE-2022-40150 | | | 0.00 | — | 0.01 | | Sep 16, 2022 | Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of… |
| CVE-2022-37315 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser. |
| CVE-2022-31173 | | | 0.00 | — | 0.01 | | Aug 1, 2022 | Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion… |
| CVE-2019-10761 | | | 0.00 | — | 0.01 | | Jul 13, 2022 | This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of… |
| CVE-2022-31052 | | | 0.00 | — | 0.02 | | Jun 28, 2022 | Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an… |
| CVE-2022-31099 | | | 0.00 | — | 0.01 | | Jun 27, 2022 | rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort… |
| CVE-2022-31019 | | | 0.00 | — | 0.01 | | Jun 6, 2022 | Vapor is a server-side Swift HTTP web framework. When using automatic content decoding an attacker can craft a request body that can make the server crash with the following request: `curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]';… |
| CVE-2022-24878 | | | 0.00 | — | 0.01 | | May 6, 2022 | Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the… |
| CVE-2022-23974 | | | 0.00 | — | 0.02 | | Apr 5, 2022 | In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot… |
| CVE-2022-23591 | | | 0.00 | — | 0.01 | | Feb 4, 2022 | Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when… |
| CVE-2021-43172 | | | 0.00 | — | 0.01 | | Nov 9, 2021 | NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only… |
| CVE-2021-22144 | | | 0.00 | — | 0.02 | | Jul 26, 2021 | In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious… |
| CVE-2021-36154 | | | 0.00 | — | 0.02 | | Jul 9, 2021 | HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption. |