Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-674 (未经控制的递归) — Vulnerability Class 159

159 vulnerabilities classified as CWE-674 (未经控制的递归). AI Chinese analysis included.

CWE-674 represents a resource management weakness where software fails to properly limit recursive function calls, leading to excessive consumption of system resources like memory or the program stack. This flaw is typically exploited by attackers who craft specific inputs that trigger deep or infinite recursion, causing the application to crash or become unresponsive. Such exploitation results in a denial-of-service condition, effectively disrupting service availability for legitimate users without requiring authentication or complex privilege escalation. To mitigate this risk, developers must implement robust safeguards, such as setting explicit maximum recursion depth limits or converting recursive algorithms into iterative ones using explicit data structures. Additionally, rigorous code reviews and static analysis tools can help identify potential infinite loops, ensuring that all recursive paths have clear termination conditions and adequate resource controls.

MITRE CWE Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Common Consequences (2)
AvailabilityDoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
ConfidentialityRead Application Data
In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's insta…
Mitigations (2)
ImplementationEnsure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Effectiveness: Moderate
ImplementationIncrease the stack size.
Effectiveness: Limited
Examples (1)
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
void do_something_recursive (int flg) { ... // Do some real work here, but the value of flg is unmodified if (flg) { do_something_recursive (flg); }    // flg is never modified so it is always TRUE - this call will continue until the stack explodes } int flag = 1; // Set to TRUE do_something_recursive (flag);
Bad · C
void do_something_recursive (int flg) { ... // Do some real work here // Modify value of flg on done condition if (flg) { do_something_recursive (flg); }    // returns when flg changes to 0 } int flag = 1; // Set to TRUE do_something_recursive (flag);
Good · C
CVE IDTitleCVSSSeverityPublished
CVE-2023-52079 Conversion of property names to strings can trigger infinite recursion — msgpackr 6.8 Medium2023-12-28
CVE-2023-50269 SQUID-2023:10 Denial of Service in HTTP Request parsing — squid 8.6 High2023-12-14
CVE-2023-50251 php-svg-lib possible DoS caused by infinite recursion when parsing SVG document — php-svg-lib 5.3 Medium2023-12-12
CVE-2022-47374 编号已被CVE保留 — SIMATIC PC-Station Plus 7.5 High2023-12-12
CVE-2023-49800 Denial of service by abusing `fetchOptions.retry` in nuxt-api-party — nuxt-api-party 7.5 High2023-12-08
CVE-2023-4512 Uncontrolled Recursion in Wireshark — Wireshark 5.3 Medium2023-08-24
CVE-2023-2664 Stack overflow in Xpdf 4.04 due to object loop in PDF embedded file tree — Xpdf 2.9 Low2023-05-11
CVE-2023-2663 Stack overflow in Xpdf 4.04 due to object loop in PDF page label tree — Xpdf 2.9 Low2023-05-11
CVE-2023-24472 OpenImageIO 安全漏洞 — OpenImageIO 7.5 High2023-03-30
CVE-2023-1436 Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray — jettison 5.9 Medium2023-03-16
CVE-2023-1370 Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON — json-smart 7.5 High2023-03-13
CVE-2022-23516 Uncontrolled Recursion in Loofah — loofah 7.5 High2022-12-14
CVE-2022-23500 TYPO3 subject to Uncontrolled Recursion resulting in Denial of Service — typo3 5.9 Medium2022-12-14
CVE-2022-41881 Netty 安全漏洞 — netty 5.3 Medium2022-12-12
CVE-2022-27810 Facebook Hermes 安全漏洞 — Hermes 7.5 -2022-10-06
CVE-2022-31628 phar wrapper can occur dos when using quine gzip file — PHP 2.3 Low2022-09-28
CVE-2022-3222 Uncontrolled Recursion in gpac/gpac — gpac/gpac 5.5 -2022-09-15
CVE-2021-3997 systemd 安全漏洞 — systemd 5.5 -2022-08-23
CVE-2022-31052 URL previews can crash Synapse media repositories or Synapse monoliths — synapse 6.5 Medium2022-06-28
CVE-2022-31099 Uncontrolled Recursion in rulex — rulex 6.5 Medium2022-06-27
CVE-2022-1771 Uncontrolled Recursion in vim/vim — vim/vim 5.5 -2022-05-18
CVE-2022-28773 SAP Web Dispatcher 和 SAP Internet Communication Manager 资源管理错误漏洞 — SAP NetWeaver (Internet Communication Manager) 7.5 -2022-04-12
CVE-2022-23974 Pinot segment push endpoint has a vulnerability in unprotected environments — Apache Pinot 7.5 -2022-04-05
CVE-2022-23606 Crash when a cluster is deleted in Envoy — envoy 4.4 Medium2022-02-22
CVE-2021-43172 Infinite length chain of RRDP repositories — Routinator 7.5 -2021-11-09
CVE-2021-28210 SUSE ovmf 安全漏洞 — EDK II 7.1 -2021-06-11
CVE-2021-3530 GNU Binutils 安全漏洞 — binutils 7.5 -2021-06-02
CVE-2021-30471 Sourceforge PoDoFo 安全漏洞 — podofo 6.5 -2021-05-26
CVE-2021-30470 Sourceforge PoDoFo 安全漏洞 — podofo 5.5 -2021-05-26
CVE-2021-27432 Siemens SIMATIC OPC UA 安全漏洞 — OPC Foundation OPC UA .NET Standard and OPC UA .NET Legacy 7.5 -2021-05-20

Vulnerabilities classified as CWE-674 (未经控制的递归) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.