VYPR

CWE-674

Uncontrolled Recursion

Class · Draft

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
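The description above is the pattern behind most parser entries further down this page: each nested opening token costs one stack frame and nothing bounds how many the input may demand. The following is an added illustration, not code from any of the listed projects: a toy recursive-descent parser for JSON-style integer arrays, first in the unbounded form CWE-674 describes and then with an explicit depth check. The grammar, the `MAX_DEPTH` value, the `NestingTooDeep` error type and the `outcome` helper are assumptions made for this example.

```python
# Added example (not from any CVE record on this page): a toy recursive-descent
# parser for nested JSON-style arrays of integers, in the unbounded form that
# CWE-674 describes and in a depth-limited form. The grammar, MAX_DEPTH and the
# NestingTooDeep error type are assumptions made for this illustration.
import sys

MAX_DEPTH = 64  # assumed limit; size it to the deepest document you legitimately expect


class NestingTooDeep(ValueError):
    """Raised by the hardened parser when input nests deeper than the limit."""


def _scalar(text, pos):
    """Parse a run of digits at pos; return (int, new_pos)."""
    end = pos
    while end < len(text) and text[end].isdigit():
        end += 1
    if end == pos:
        raise ValueError("expected digit at offset %d" % pos)
    return int(text[pos:end]), end


def _array(text, pos, recurse):
    """Parse '[' items ']' starting at pos, calling recurse() for each item."""
    items = []
    pos += 1  # skip '['
    while pos < len(text) and text[pos] != ']':
        value, pos = recurse(text, pos)
        items.append(value)
        if pos < len(text) and text[pos] == ',':
            pos += 1
    if pos >= len(text):
        raise ValueError("unterminated array")
    return items, pos + 1  # skip ']'


def parse_unbounded(text, pos=0):
    """Vulnerable pattern: one interpreter frame per '[' with no bound, so a
    long run of '[' exhausts the stack (RecursionError in CPython, the
    StackOverflowError seen in the JVM entries on this page)."""
    if pos >= len(text):
        raise ValueError("unexpected end of input")
    if text[pos] == '[':
        return _array(text, pos, parse_unbounded)
    return _scalar(text, pos)


def parse_bounded(text, pos=0, depth=0, max_depth=MAX_DEPTH):
    """Hardened pattern: carry the depth explicitly and refuse the input
    before recursion can approach the interpreter's stack limit."""
    if pos >= len(text):
        raise ValueError("unexpected end of input")
    if text[pos] == '[':
        if depth >= max_depth:
            raise NestingTooDeep("array nesting exceeds %d levels" % max_depth)

        def deeper(t, p):
            return parse_bounded(t, p, depth + 1, max_depth)

        return _array(text, pos, deeper)
    return _scalar(text, pos)


def outcome(parser, text):
    """Classify what a parser does with text: 'ok', 'stack' (uncontrolled
    recursion hit the interpreter limit) or 'rejected' (controlled refusal)."""
    try:
        parser(text)
        return "ok"
    except RecursionError:
        return "stack"
    except NestingTooDeep:
        return "rejected"


# Constructed attacker input: nesting far deeper than CPython's default
# recursion limit (sys.getrecursionlimit(), normally 1000).
DEEP_INPUT = "[" * 5000 + "]" * 5000

if __name__ == "__main__":
    print("recursion limit:", sys.getrecursionlimit())
    print("unbounded parser:", outcome(parse_unbounded, DEEP_INPUT))  # stack
    print("bounded parser:  ", outcome(parse_bounded, DEEP_INPUT))    # rejected
    print(parse_bounded("[1,[2,3],[]]")[0])                           # [1, [2, 3], []]
```

The point of the hardened form is that the refusal is a normal, catchable error raised at a predictable depth, rather than a stack-exhaustion fault whose recoverability depends on the runtime (note how several entries below describe the crash as "sometimes recoverable"). A depth counter is cheap; the harder engineering question is choosing the limit, which should come from the largest legitimate document the service must accept, not from the runtime's stack size.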

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-230 · CAPEC-231

CVEs mapped to this weakness (235)

page 11 of 12
  • CVE-2023-1436 · Mar 16, 2023
    risk 0.00 · cvss · epss 0.01

    An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

  • CVE-2023-1370 · Mar 13, 2023
    risk 0.00 · cvss · epss 0.01

    [Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the…

  • CVE-2021-36395 · Mar 6, 2023
    risk 0.00 · cvss · epss 0.01

    In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

  • CVE-2022-41966 · Dec 27, 2022
    risk 0.00 · cvss · epss 0.09

    XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code…

  • CVE-2022-23516 · Dec 14, 2022
    risk 0.00 · cvss · epss 0.01

    Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. …

  • CVE-2022-23500 · Dec 14, 2022
    risk 0.00 · cvss · epss 0.01

    TYPO3 is an open source PHP based web content management system. In versions prior to 9.5.38, 10.4.33, 11.5.20, and 12.1.1, requesting invalid or non-existing resources via HTTP triggers the page error handler, which again could retrieve content to be shown as an error message…

  • CVE-2022-41881 · Dec 12, 2022
    risk 0.00 · cvss · epss 0.01

    Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no…

  • CVE-2022-40150 · Sep 16, 2022
    risk 0.00 · cvss · epss 0.01

    Those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with an out-of-memory error. This effect may support a denial of…

  • CVE-2022-37315 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.01

    graphql-go (aka GraphQL for Go) through 0.8.0 has infinite recursion in the type definition parser.

  • CVE-2022-31173 · Aug 1, 2022
    risk 0.00 · cvss · epss 0.01

    Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion…

  • CVE-2019-10761 · Jul 13, 2022
    risk 0.00 · cvss · epss 0.01

    This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed" context by reaching the stack call limit with an infinite recursion. The returned object is then used to reference the mainModule property of…

  • CVE-2022-31052 · Jun 28, 2022
    risk 0.00 · cvss · epss 0.02

    Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an…

  • CVE-2022-31099 · Jun 27, 2022
    risk 0.00 · cvss · epss 0.01

    rulex is a new, portable, regular expression language. When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort…

  • CVE-2022-31019 · Jun 6, 2022
    risk 0.00 · cvss · epss 0.01

    Vapor is a server-side Swift HTTP web framework. When using automatic content decoding an attacker can craft a request body that can make the server crash with the following request: `curl -d "array[_0][0][array][_0][0][array]$(for f in $(seq 1100); do echo -n '[_0][0][array]';…

  • CVE-2022-24878 · May 6, 2022
    risk 0.00 · cvss · epss 0.01

    Flux is an open and extensible continuous delivery solution for Kubernetes. Path Traversal in the kustomize-controller via a malicious `kustomization.yaml` allows an attacker to cause a Denial of Service at the controller level. Workarounds include automated tooling in the…

  • CVE-2022-23974 · Apr 5, 2022
    risk 0.00 · cvss · epss 0.02

    In Apache Pinot 0.9.3 or older, the segment upload path allowed segment directories to be imported into Pinot tables. In Pinot installations that allow open access to the controller, a specially crafted request can potentially be exploited to cause disruption in Pinot…

  • CVE-2022-23591 · Feb 4, 2022
    risk 0.00 · cvss · epss 0.01

    Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when…

  • CVE-2021-43172 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only…

  • CVE-2021-22144 · Jul 26, 2021
    risk 0.00 · cvss · epss 0.02

    In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious…

  • CVE-2021-36154 · Jul 9, 2021
    risk 0.00 · cvss · epss 0.02

    HTTP2ToRawGRPCServerCodec in gRPC Swift 1.1.1 and earlier allows remote attackers to deny service via the delivery of many small messages within a single HTTP/2 frame, leading to Uncontrolled Recursion and stack consumption.
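Not every entry in this list is about deeply nested input. The Jettison case (CVE-2023-1436) is a self-referencing collection: the data is shallow, but a walk that has no memory of the path it is on revisits the same container forever. The following is an added example, not Jettison's code: a small JSON serializer for Python lists and dicts in the form that loops on a list containing itself, beside a form that tracks the containers on the current descent path and refuses the cycle. The `SelfReference` error type, the path-tracking scheme and the `outcome` helper are assumptions made for this example.

```python
# Added example (not Jettison's code): a JSON serializer for nested Python
# lists and dicts in the form that falls to a self-referencing collection, as
# CVE-2023-1436 describes for Jettison's JSONArray, beside a form that detects
# the cycle. The SelfReference error type and the path-tracking scheme are
# assumptions made for this illustration.
import json


class SelfReference(ValueError):
    """Raised when a container is reached again while it is still being serialized."""


def to_json_unbounded(value):
    """Vulnerable pattern: recurse into every container with no memory of the
    path, so a list that contains itself recurses until the stack is exhausted."""
    if isinstance(value, dict):
        return "{" + ",".join(json.dumps(str(k)) + ":" + to_json_unbounded(v)
                              for k, v in value.items()) + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(to_json_unbounded(v) for v in value) + "]"
    return json.dumps(value)


def to_json_safe(value, _path=None):
    """Hardened pattern: keep the ids of the containers on the current descent
    path; meeting one again means a cycle, so refuse instead of recursing.
    Shared but acyclic sub-objects (the same list referenced twice) are still
    allowed because an id is removed from the path on the way back up."""
    if _path is None:
        _path = set()
    if isinstance(value, (dict, list, tuple)):
        if id(value) in _path:
            raise SelfReference("container %#x references itself" % id(value))
        _path.add(id(value))
        try:
            if isinstance(value, dict):
                body = ",".join(json.dumps(str(k)) + ":" + to_json_safe(v, _path)
                                for k, v in value.items())
                return "{" + body + "}"
            return "[" + ",".join(to_json_safe(v, _path) for v in value) + "]"
        finally:
            _path.discard(id(value))
    return json.dumps(value)


def outcome(serializer, value):
    """'ok' (serialized), 'stack' (uncontrolled recursion hit the interpreter
    limit) or 'rejected' (cycle detected and refused with a normal error)."""
    try:
        serializer(value)
        return "ok"
    except RecursionError:
        return "stack"
    except SelfReference:
        return "rejected"


def self_referencing_list():
    """Constructed input mirroring the CVE: a collection with itself as an element."""
    a = [1, 2]
    a.append(a)
    return a


if __name__ == "__main__":
    print("unbounded:", outcome(to_json_unbounded, self_referencing_list()))  # stack
    print("safe:     ", outcome(to_json_safe, self_referencing_list()))       # rejected
    shared = [1]
    print(to_json_safe({"a": shared, "b": shared}))  # {"a":[1],"b":[1]}
```

Path-based tracking (add on entry, remove on exit) is the right granularity here: a global "already seen" set would wrongly reject the common case of one object referenced from two places, while only the current ancestor chain distinguishes a cycle. CPython's own `json.dumps` applies the same idea through its `check_circular` option and raises `ValueError("Circular reference detected")`; a depth limit of the kind shown in the parser example above is a complementary control, since a cycle exhausts any depth budget but a legitimate deep document does not contain one.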