VYPR

CWE-834

Excessive Iteration

Abstraction: Class · Status: Incomplete

Description

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.

Hierarchy (View 1000)

CVEs mapped to this weakness (65)

page 3 of 4
  • CVE-2018-5252 · Severity: Medium · Jan 5, 2018
    risk 0.35 · CVSS 5.3 · EPSS 0.01

    libimageworsener.a in ImageWorsener 1.3.2, when libjpeg 8d is used, has a large loop in the get_raw_sample_int function in imagew-main.c.

  • CVE-2026-45680 · Severity: Medium · Jun 2, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very…

  • CVE-2026-34043 · Severity: Medium · Mar 31, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from…

  • CVE-2016-7421 · Severity: Medium · Dec 10, 2016
    risk 0.29 · CVSS 4.4 · EPSS 0.00

    The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.

  • CVE-2026-41168 · Severity: Medium · Apr 22, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong…

  • CVE-2026-40347 · Severity: Medium · Apr 18, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to the…

  • CVE-2024-4603 · Severity: Medium · May 16, 2024
    risk 0.27 · CVSS 5.3 · EPSS 0.01

    Issue summary: Checking excessively long DSA keys or parameters may be very slow. Impact summary: Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or…

  • CVE-2026-48156 · Severity: Low · May 28, 2026
    risk 0.14 · CVSS 3.3 · EPSS 0.00

    pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in…

  • CVE-2026-27025 · Feb 20, 2026
    risk 0.00 · CVSS (not listed) · EPSS 0.00

    pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for…

  • CVE-2025-62707 · Oct 22, 2025
    risk 0.00 · CVSS (not listed) · EPSS 0.00

    pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This…

  • CVE-2025-56571 · Sep 30, 2025
    risk 0.00 · CVSS (not listed) · EPSS 0.00

    Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.

  • CVE-2024-25144 · Feb 8, 2024
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older unsupported versions, and Liferay DXP 7.4 before update 27, 7.3 before update 6, 7.2 before fix pack 19, and older unsupported versions does not check the URL of the IFrame, which allows remote authenticated…

  • CVE-2023-49316 · Nov 27, 2023
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service.

  • CVE-2023-4043 · Nov 3, 2023
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to…

  • CVE-2023-29407 · Aug 2, 2023
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.

  • CVE-2023-38200 · Jul 24, 2023
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.

  • CVE-2023-26513 · Mar 20, 2023
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.

  • CVE-2022-3616 · Oct 28, 2022
    risk 0.00 · CVSS (not listed) · EPSS 0.00

    Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya…

  • CVE-2022-36083 · Sep 7, 2022
    risk 0.00 · CVSS (not listed) · EPSS 0.01

    JOSE is "JSON Web Almost Everything" - JWA, JWS, JWE, JWT, JWK, JWKS with no dependencies using runtime's native crypto in Node.js, Browser, Cloudflare Workers, Electron, and Deno. The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` PBES2…

  • CVE-2021-39204 · Sep 9, 2021
    risk 0.00 · CVSS (not listed) · EPSS 0.02

    Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles resetting of HTTP/2 streams with excessive complexity. This can lead to high CPU utilization when a large number of streams are reset. This can result in a DoS…