
CWE-674 (Uncontrolled Recursion) — Vulnerability Class (147 CVEs)

147 vulnerabilities are classified as CWE-674 (Uncontrolled Recursion). AI-generated Chinese-language analysis is included.

CWE-674 is a resource-management weakness: the software does not bound how deeply a function may call itself, so every additional level consumes stack space, and often heap memory and CPU, until the process crashes or stops responding. The recursion depth is normally driven by attacker-controlled input: a document nested thousands of levels deep, a self-referential or cyclic reference that the code follows forever, or a parser that recurses once per token. The outcome is a denial of service, typically a stack-overflow crash of the whole process in native code or an interpreter-level exception in managed runtimes, and it usually requires no authentication or privilege escalation. The mitigations are to carry an explicit depth counter and fail cleanly once a maximum is exceeded, to detect cycles (for example with a visited set) where the recursion follows references, or to rewrite the algorithm iteratively with an explicit worklist; the iterative form moves the cost from the stack to the heap and still needs a bound on that structure. Code review and static analysis help by confirming that every recursive path has a termination condition the input cannot defeat. Raising the stack size only moves the threshold and is not a fix.

MITRE CWE Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Common Consequences (2)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
Confidentiality: Read Application Data
In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's insta…

Mitigations (2)
Implementation: Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Effectiveness: Moderate
Implementation: Increase the stack size.
Effectiveness: Limited
Examples (1)
In this example the exit condition depends on flg, but flg is never modified, so the condition is never reached. The function calls itself over and over again until the stack is exhausted.

Bad · C
```c
void do_something_recursive (int flg)
{
    ...
    // Do some real work here, but the value of flg is unmodified
    if (flg) {
        do_something_recursive (flg);   // flg is never modified, so it is always TRUE:
                                        // this call repeats until the stack explodes
    }
}

int flag = 1;   // Set to TRUE
do_something_recursive (flag);
```

Good · C
```c
void do_something_recursive (int flg)
{
    ...
    // Do some real work here
    // Modify the value of flg on the done condition
    if (flg) {
        do_something_recursive (flg);   // returns when flg changes to 0
    }
}

int flag = 1;   // Set to TRUE
do_something_recursive (flag);
```
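As an added example (not code from MITRE or from any project in the CVE list on this page), the toy recursive-descent parser below shows the pattern behind the parser entries in that list and the depth-counter mitigation that the summary and MITRE's first mitigation describe: the same grammar is parsed once with unbounded recursion and once with an explicit depth that is checked before each new frame. The grammar, the function names and the MAX_DEPTH value of 64 are this example's own choices.

```c
/* Added example for this page (not MITRE's code and not from any listed
 * project): a recursive-descent parser for a toy nested-list grammar
 *     value := '[' [ value { ',' value } ] ']' | digit+
 * first in the unbounded form CWE-674 describes, then hardened with an
 * explicit depth counter. Names and MAX_DEPTH are this example's choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 64   /* deepest nesting the hardened parser accepts */

enum parse_status { PARSE_OK = 0, PARSE_BAD_SYNTAX = 1, PARSE_TOO_DEEP = 2 };

struct cursor { const char *p; };

static void skip_ws(struct cursor *c) { while (*c->p == ' ') c->p++; }

static int parse_number(struct cursor *c) {
    if (*c->p < '0' || *c->p > '9') return 0;
    while (*c->p >= '0' && *c->p <= '9') c->p++;
    return 1;
}

/* VULNERABLE: one stack frame per '[' with nothing bounding it, so the
 * attacker chooses the recursion depth by sending "[[[[...". */
static enum parse_status parse_unbounded(struct cursor *c) {
    skip_ws(c);
    if (parse_number(c)) return PARSE_OK;
    if (*c->p != '[') return PARSE_BAD_SYNTAX;
    c->p++;
    skip_ws(c);
    if (*c->p == ']') { c->p++; return PARSE_OK; }
    for (;;) {
        enum parse_status st = parse_unbounded(c);   /* unbounded recursion */
        if (st != PARSE_OK) return st;
        skip_ws(c);
        if (*c->p == ',') { c->p++; continue; }
        if (*c->p == ']') { c->p++; return PARSE_OK; }
        return PARSE_BAD_SYNTAX;
    }
}

/* HARDENED: the depth travels with the call and is checked before a new
 * frame is pushed, so the worst case is MAX_DEPTH frames, not input size. */
static enum parse_status parse_bounded(struct cursor *c, int depth) {
    skip_ws(c);
    if (parse_number(c)) return PARSE_OK;
    if (*c->p != '[') return PARSE_BAD_SYNTAX;
    if (depth >= MAX_DEPTH) return PARSE_TOO_DEEP;   /* the fix */
    c->p++;
    skip_ws(c);
    if (*c->p == ']') { c->p++; return PARSE_OK; }
    for (;;) {
        enum parse_status st = parse_bounded(c, depth + 1);
        if (st != PARSE_OK) return st;
        skip_ws(c);
        if (*c->p == ',') { c->p++; continue; }
        if (*c->p == ']') { c->p++; return PARSE_OK; }
        return PARSE_BAD_SYNTAX;
    }
}

/* Reject trailing junk after a successfully parsed value. */
static enum parse_status finish(struct cursor *c, enum parse_status st) {
    if (st != PARSE_OK) return st;
    skip_ws(c);
    return *c->p == '\0' ? PARSE_OK : PARSE_BAD_SYNTAX;
}

enum parse_status parse_list_unbounded(const char *s) {
    struct cursor c = { s };
    return finish(&c, parse_unbounded(&c));
}

enum parse_status parse_list_bounded(const char *s) {
    struct cursor c = { s };
    return finish(&c, parse_bounded(&c, 0));
}

/* Constructed attacker input: n opening brackets followed by n closing ones. */
char *make_nested(size_t n) {
    char *buf = malloc(2 * n + 1);
    if (!buf) return NULL;
    memset(buf, '[', n);
    memset(buf + n, ']', n);
    buf[2 * n] = '\0';
    return buf;
}

/* Result of feeding n-deep constructed input to the hardened parser. */
enum parse_status hardened_result_for_depth(size_t n) {
    char *s = make_nested(n);
    if (!s) return PARSE_BAD_SYNTAX;
    enum parse_status st = parse_list_bounded(s);
    free(s);
    return st;
}

int main(void) {
    const char *benign = "[1, [2, 3], []]";
    printf("benign, unbounded parser: %d\n", parse_list_unbounded(benign));
    printf("benign, bounded parser:   %d\n", parse_list_bounded(benign));
    printf("1000000-deep, bounded:    %d (2 = PARSE_TOO_DEEP)\n",
           hardened_result_for_depth(1000000));
    /* parse_list_unbounded(make_nested(1000000)) would push one frame per
     * bracket; on a default-sized thread stack that is the crash. Not run. */
    return 0;
}
```

Compile with `cc -Wall example.c`. The hardened parser refuses the 65th nested bracket after 65 small frames, however long the input is, while the unbounded parser on a million-bracket input recurses once per bracket and is killed when the frames run past the thread's stack. The check sits before the frame is pushed rather than after the call returns; a limit that is only enforced on the way back out is not a limit.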
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2026-41311 | LiquidJS is vulnerable to Denial of Service via circular block reference in layout | liquidjs | 7.5 | High | 2026-05-09
CVE-2026-41673 | xmldom: Denial of service via uncontrolled recursion in XML serialization | xmldom | 7.5 | High | 2026-05-07
CVE-2026-44028 | Nix and lix security vulnerability | Nix | 7.5 | High | 2026-05-05
CVE-2026-7164 | pf can overflow the stack parsing crafted SCTP packets | FreeBSD | 7.5 | - | 2026-04-30
CVE-2026-5409 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-5408 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-5406 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-5299 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-5401 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-6527 | Uncontrolled Recursion in Wireshark | Wireshark | 5.5 | Medium | 2026-04-30
CVE-2026-41636 | Apache Thrift: Node.js skip() recursion | Apache Thrift | 7.5 | High | 2026-04-28
CVE-2026-41606 | Apache Thrift: c_glib dispatch stack overflow | Apache Thrift | 7.5 | High | 2026-04-28
CVE-2018-25282 | Nmap 7.70 Denial of Service via XML Entity Expansion | ZenMap | 6.2 | Medium | 2026-04-26
CVE-2026-42039 | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | axios | 7.5 | High | 2026-04-24
CVE-2026-6862 | Efivar: efivar: denial of service due to stack overflow in device path node parsing | Red Hat Enterprise Linux 10 | 5.5 | Medium | 2026-04-22
CVE-2026-40879 | Nest: DoS via Recursive handleData in JsonSocket (TCP Transport) | nest | 7.5 | High | 2026-04-21
CVE-2026-40324 | Hot Chocolate's Utf8GraphQLParser has Stack Overflow via Deeply Nested GraphQL Documents | graphql-platform | 9.1 | Critical | 2026-04-17
CVE-2026-33947 | jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted() | jq | 6.2 | Medium | 2026-04-13
CVE-2026-33908 | ImageMagick is vulnerable to Stack Overflow in DestroyXMLTree() | ImageMagick | 7.5 | High | 2026-04-13
CVE-2026-33902 | ImageMagick: Stack Overflow via Recursive FX Expression Parsing | ImageMagick | 5.5 | Medium | 2026-04-13
CVE-2026-39376 | FastFeedParser has an infinite redirect loop DoS via meta-refresh chain | fastfeedparser | 7.5 | High | 2026-04-07
CVE-2026-34211 | SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser | SandboxJS | 7.5 | High | 2026-04-06
CVE-2026-3778 | Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader | Foxit PDF Editor | 6.2 | Medium | 2026-04-01
CVE-2026-34536 | iccDEV: SO (stack overflow) in SIccCalcOp::ArgsUsed() | iccDEV | 6.2 | Medium | 2026-03-31
CVE-2026-33532 | yaml is vulnerable to Stack Overflow via deeply nested YAML collections | yaml | 4.3 | Medium | 2026-03-26
CVE-2026-4833 | Orc discount Markdown markdown.c compile recursion | discount | 3.3 | Low | 2026-03-26
CVE-2026-33508 | Parse Server: LiveQuery subscription query depth bypass | parse-server | 7.5 | - | 2026-03-24
CVE-2026-33498 | Parse Server: Query condition depth bypass via pre-validation transform pipeline | parse-server | 7.5 | - | 2026-03-24
CVE-2026-33320 | Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service | dasel | 6.2 | Medium | 2026-03-24
CVE-2026-26209 | cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads | cbor2 | 7.5 | - | 2026-03-23

Vulnerabilities classified as CWE-674 (Uncontrolled Recursion) account for 147 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.