VYPR

CWE-674

Uncontrolled Recursion

Class · Draft

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-230 · CAPEC-231

CVEs mapped to this weakness (235)

page 8 of 12
  • CVE-2025-59364 · Med · Sep 14, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body.

  • CVE-2024-54731 · Med · Jan 8, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    cpdf through 2.8 allows stack consumption via a crafted PDF document.

  • CVE-2026-0989 · Low · Jan 15, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive…

  • CVE-2018-18020 · Low · Oct 6, 2018
    risk 0.22 · cvss 3.3 · epss 0.01

    In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and QPDFWriter::unparseChild have recursive calls for a long time, which allows remote attackers to cause a denial of service via a crafted PDF file.

  • CVE-2026-9358 · Med · May 24, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A vulnerability was determined in postcss-selector-parser up to 6.1.2/7.1.2. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the…

  • CVE-2026-42445 · Low · May 12, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode…

  • CVE-2026-42355 · Low · May 12, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and…

  • CVE-2026-33532 · Med · Mar 26, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive…

  • CVE-2026-4833 · Low · Mar 26, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made…

  • CVE-2026-3388 · Low · Mar 1, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A vulnerability was found in Squirrel up to 3.2. This affects the function SQCompiler::Factor/SQCompiler::UnaryOP of the file squirrel/sqcompiler.cpp. Performing a manipulation results in uncontrolled recursion. The attack needs to be approached locally. The exploit has been…

  • CVE-2026-3385 · Low · Mar 1, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project…

  • CVE-2026-3384 · Low · Mar 1, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A security vulnerability has been detected in ChaiScript up to 6.1.0. This impacts the function chaiscript::eval::AST_Node_Impl::eval/chaiscript::eval::Function_Push_Pop of the file include/chaiscript/language/chaiscript_eval.hpp. The manipulation leads to uncontrolled…

  • CVE-2026-2641 · Low · Feb 18, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to…

  • CVE-2025-67899 · Low · Dec 14, 2025
    risk 0.19 · cvss 2.9 · epss 0.00

    uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.

  • CVE-2026-2887 · Low · Feb 21, 2026
    risk 0.14 · cvss 3.3 · epss 0.00

    A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The…

  • CVE-2025-11896 · Low · Oct 16, 2025
    risk 0.14 · cvss n/a · epss 0.00

    In Xpdf 4.05 (and earlier), a PDF object loop in a CMap, via the "UseCMap" entry, leads to infinite recursion and a stack overflow.

  • CVE-2025-8732 · Low · Aug 8, 2025
    risk 0.14 · cvss 3.3 · epss 0.00

    A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has…

  • CVE-2026-39396 · Low · Apr 21, 2026
    risk 0.13 · cvss 3.1 · epss 0.00

    OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via `io.Copy` with no upper bound on the…

  • CVE-2025-43718 · Low · Oct 1, 2025
    risk 0.12 · cvss 2.9 · epss 0.00

    Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expression for a long pdfsubver string. This occurs in Dict::lookup,…

  • CVE-2021-42697 · Nov 2, 2021
    risk 0.06 · cvss n/a · epss 0.36

    Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.