CWE-674
Uncontrolled Recursion
Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-230 · CAPEC-231
CVEs mapped to this weakness (235)
page 9 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-14235 | — | 0.01 | — | 0.03 | Aug 2, 2019 | An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences. | ||
| CVE-2026-54269 | 0.00 | — | 0.00 | Jun 15, 2026 | ## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection… | |||
| CVE-2026-47180 | 0.00 | — | 0.00 | May 29, 2026 | ### Impact `DNSIncoming._decode_labels_at_offset` recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers… | |||
| CVE-2026-46217 | 0.00 | — | 0.00 | May 28, 2026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||
| CVE-2026-33508 | 0.00 | — | 0.00 | Mar 24, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing… | |||
| CVE-2026-33498 | 0.00 | — | 0.00 | Mar 24, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang… | |||
| CVE-2026-33320 | 0.00 | — | 0.00 | Mar 24, 2026 | Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The… | |||
| CVE-2026-26209 | 0.00 | — | 0.00 | Mar 23, 2026 | cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This… | |||
| CVE-2026-32944 | 0.00 | — | 0.00 | Mar 18, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators.… | |||
| CVE-2026-32141 | — | 0.00 | — | 0.01 | Mar 12, 2026 | flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded,… | ||
| CVE-2026-25048 | 0.00 | — | 0.01 | Mar 5, 2026 | xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32. | |||
| CVE-2026-3520 | 0.00 | — | 0.01 | Mar 4, 2026 | Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to… | |||
| CVE-2026-25971 | 0.00 | — | 0.00 | Feb 24, 2026 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch. | |||
| CVE-2025-50537 | 0.00 | — | 0.00 | Jan 26, 2026 | Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the… | |||
| CVE-2025-68950 | 0.00 | — | 0.00 | Dec 30, 2025 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows… | |||
| CVE-2025-68618 | 0.00 | — | 0.01 | Dec 30, 2025 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue. | |||
| CVE-2025-66031 | 0.00 | — | 0.00 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded… | |||
| CVE-2025-9624 | 0.00 | — | 0.00 | Nov 25, 2025 | A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4. | |||
| CVE-2025-57809 | 0.00 | — | 0.00 | Aug 25, 2025 | XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21. | |||
| CVE-2025-48924 | 0.00 | — | 0.02 | Jul 11, 2025 | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can… |
- CVE-2019-14235Aug 2, 2019risk 0.01cvss —epss 0.03
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
- CVE-2026-54269Jun 15, 2026risk 0.00cvss —epss 0.00
## Summary protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named `hasOwnProperty`, field or oneof names such as `$type` when loaded through protobufjs JSON/reflection…
- CVE-2026-47180May 29, 2026risk 0.00cvss —epss 0.00
### Impact `DNSIncoming._decode_labels_at_offset` recurses once per DNS-name compression pointer (RFC 1035 §4.1.4). Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single ~3 kB mDNS packet carrying ~1500 chained pointers…
- CVE-2026-46217May 28, 2026risk 0.00cvss —epss 0.00
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- CVE-2026-33508Mar 24, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing…
- CVE-2026-33498Mar 24, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang…
- CVE-2026-33320Mar 24, 2026risk 0.00cvss —epss 0.00
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The…
- CVE-2026-26209Mar 23, 2026risk 0.00cvss —epss 0.00
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This…
- CVE-2026-32944Mar 18, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators.…
- CVE-2026-32141Mar 12, 2026risk 0.00cvss —epss 0.01
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded,…
- CVE-2026-25048Mar 5, 2026risk 0.00cvss —epss 0.01
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
- CVE-2026-3520Mar 4, 2026risk 0.00cvss —epss 0.01
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to…
- CVE-2026-25971Feb 24, 2026risk 0.00cvss —epss 0.00
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
- CVE-2025-50537Jan 26, 2026risk 0.00cvss —epss 0.00
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the…
- CVE-2025-68950Dec 30, 2025risk 0.00cvss —epss 0.00
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, Magick fails to check for circular references between two MVGs, leading to a stack overflow. This is a DoS vulnerability, and any situation that allows…
- CVE-2025-68618Dec 30, 2025risk 0.00cvss —epss 0.01
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.
- CVE-2025-66031Nov 26, 2025risk 0.00cvss —epss 0.00
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded…
- CVE-2025-9624Nov 25, 2025risk 0.00cvss —epss 0.00
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4.
- CVE-2025-57809Aug 25, 2025risk 0.00cvss —epss 0.00
XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.
- CVE-2025-48924Jul 11, 2025risk 0.00cvss —epss 0.02
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can…