VYPR

CWE-674

Uncontrolled Recursion

Class · Draft

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-230 · CAPEC-231

CVEs mapped to this weakness (235)

page 2 of 12
  • CVE-2021-41737 · High · Nov 10, 2024
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    In Faust 2.23.1, an input file with the lines "// r visualisation tCst" and "//process = +: L: abM-^Q;" and "process = route(3333333333333333333,2,1,2,3,1) : *;" leads to stack consumption.

  • CVE-2016-9597 · High · Jul 30, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.04

    It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service attack due to a Stack Overflow. This is a regression CVE for the same issue as…

  • CVE-2018-6003 · High · Jan 22, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.

  • CVE-2017-12964 · High · Aug 18, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.

  • CVE-2017-11556 · High · Jul 23, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.

  • CVE-2017-11554 · High · Jul 23, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

  • CVE-2017-11164 · High · Jul 11, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

  • CVE-2017-9766 · High · Jun 21, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.04

    In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.

  • CVE-2017-9729 · High · Jun 16, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression.

  • CVE-2017-9438 · High · Jun 5, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule (involving hex strings) that is mishandled in the _yr_re_emit function, a different vulnerability than CVE-2017-9304.

  • CVE-2017-9304 · High · May 31, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule that is mishandled in the _yr_re_emit function.

  • CVE-2017-5839 · High · Feb 9, 2017
    risk 0.49 · CVSS 7.5 · EPSS 0.04

    The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested…

  • CVE-2016-3627 · High · May 17, 2016
    risk 0.49 · CVSS 7.5 · EPSS 0.07

    The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.

  • CVE-2007-3409 · High · Jun 26, 2007
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    Net::DNS before 0.60, a Perl module, allows remote attackers to cause a denial of service (stack consumption) via a malformed compressed DNS packet with self-referencing pointers, which triggers an infinite loop.

  • CVE-2024-49363 · High · Dec 18, 2024
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified…

  • CVE-2025-24302 · Medium · Aug 12, 2025
    risk 0.44 · CVSS 6.7 · EPSS 0.00

    Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2018-0739 · Medium · Mar 27, 2018
    risk 0.44 · CVSS 6.5 · EPSS 0.19

    Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from…

  • CVE-2017-16419 · Medium · Dec 9, 2017
    risk 0.43 · CVSS 6.5 · EPSS 0.07

    An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the…

  • CVE-2026-46373 · High · Jun 9, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive…

  • CVE-2026-49847 · High · Jun 9, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested…