VYPR

CWE-674

Uncontrolled Recursion

ClassDraft

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-230 · CAPEC-231

CVEs mapped to this weakness (235)

page 6 of 12
  • CVE-2017-7515MedJun 6, 2017
    risk 0.36cvss 5.5epss 0.01

    poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service.

  • CVE-2017-8542MedMay 26, 2017
    risk 0.36cvss 5.5epss 0.06

    The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server…

  • CVE-2017-8539MedMay 26, 2017
    risk 0.36cvss 5.5epss 0.06

    The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server…

  • CVE-2026-44740MedJun 1, 2026
    risk 0.35cvss 6.5epss 0.00

    Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues…

  • CVE-2017-10910MedDec 28, 2017
    risk 0.35cvss 6.5epss 0.02

    MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may lead to an attacker causing a denial-of-service condition.

  • CVE-2026-45664MedJun 10, 2026
    risk 0.34cvss 5.3epss 0.00

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in…

  • CVE-2026-44844MedMay 26, 2026
    risk 0.34cvss epss 0.00

    eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth…

  • CVE-2026-45740MedMay 13, 2026
    risk 0.34cvss 5.3epss 0.00

    protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested…

  • CVE-2026-47320MedJun 4, 2026
    risk 0.33cvss 6.1epss 0.00

    Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads. This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3.

  • CVE-2026-47306MedJun 4, 2026
    risk 0.33cvss 6.1epss 0.00

    Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945.

  • CVE-2026-42328MedMay 27, 2026
    risk 0.33cvss 6.2epss 0.00

    go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on…

  • CVE-2026-1681MedMay 12, 2026
    risk 0.33cvss 6.1epss 0.00

    Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the…

  • CVE-2026-43896MedMay 11, 2026
    risk 0.33cvss 6.2epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

  • CVE-2026-33947MedApr 13, 2026
    risk 0.33cvss 6.2epss 0.00

    jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An…

  • CVE-2026-34536MedMar 31, 2026
    risk 0.33cvss 6.2epss 0.00

    iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed(). The issue is observable under AddressSanitizer as a stack-overflow when…

  • CVE-2026-27601MedMar 3, 2026
    risk 0.31cvss 5.9epss 0.01

    Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a…

  • CVE-2025-53864MedJul 11, 2025
    risk 0.31cvss 5.8epss 0.01

    Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue…

  • CVE-2025-53605MedJul 5, 2025
    risk 0.31cvss 5.9epss 0.00

    The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.

  • CVE-2024-58103MedMar 16, 2025
    risk 0.31cvss 5.8epss 0.00

    Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.

  • CVE-2026-40989MedJun 1, 2026
    risk 0.30cvss 5.7epss 0.00

    Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to…