
CWE-674 (Uncontrolled Recursion) — Vulnerability Class (147 CVEs)

147 vulnerabilities classified as CWE-674 (Uncontrolled Recursion). AI Chinese analysis included.

CWE-674 is a resource management weakness in which software fails to bound recursive function calls, so that deep or unbounded recursion consumes excessive memory or program stack. Attackers typically exploit it by crafting inputs (deeply nested documents, self-referencing structures, pathological grammars) that drive the recursion far deeper than any legitimate input would, until the process crashes or stops responding. The result is a denial-of-service condition that disrupts availability for legitimate users, usually without requiring authentication or any privilege escalation. To mitigate the risk, developers should enforce an explicit maximum recursion depth that fails closed when exceeded, or convert recursive algorithms into iterative ones that keep their working state in an explicit, bounded data structure instead of the call stack. Rigorous code review and static analysis can additionally flag recursion without a reachable termination condition, ensuring that every recursive path terminates and that resource use stays under control.

MITRE CWE Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Common Consequences (2)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
Confidentiality: Read Application Data
In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's insta…

Mitigations (2)
Implementation: Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Effectiveness: Moderate
Implementation: Increase the stack size.
Effectiveness: Limited
Examples (1)
In this example a mistake exists in the code where the exit condition contained in flg is never reached. This results in the function calling itself over and over again until the stack is exhausted.

    void do_something_recursive (int flg)
    {
        ... // Do some real work here, but the value of flg is unmodified
        if (flg) { do_something_recursive (flg); }    // flg is never modified so it is always TRUE - this call will continue until the stack explodes
    }

    int flag = 1; // Set to TRUE
    do_something_recursive (flag);

Bad · C

    void do_something_recursive (int flg)
    {
        ... // Do some real work here
        // Modify value of flg on done condition
        if (flg) { do_something_recursive (flg); }    // returns when flg changes to 0
    }

    int flag = 1; // Set to TRUE
    do_something_recursive (flag);

Good · C
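The two mitigations above (an explicit depth limit as the end condition, and rewriting the recursion iteratively) applied to the kind of nested-input parser that most of the CVEs listed below involve. This is an added example, not MITRE's or any listed project's code; the toy grammar, the function names and the error codes are constructed for illustration.

```c
#include <stddef.h>

/* Constructed toy grammar:  value := 'x' | '[' [value (',' value)*] ']'  */
#define ERR_SYNTAX   (-1)
#define ERR_TOO_DEEP (-2)

/* Recursive descent with an explicit depth budget: each nested '[' spends one
 * unit and the parser fails closed before recursing once the budget is zero,
 * which is the end condition CWE-674 asks for. Returns the nesting depth of
 * the value at s[*pos] (0 for a bare 'x') or a negative error code. */
static int parse_value(const char *s, size_t *pos, int budget)
{
    if (s[*pos] == 'x') { (*pos)++; return 0; }
    if (s[*pos] != '[') return ERR_SYNTAX;
    if (budget <= 0) return ERR_TOO_DEEP;       /* refuse before recursing */
    (*pos)++;
    int deepest = 1;
    while (s[*pos] != ']') {
        int d = parse_value(s, pos, budget - 1);
        if (d < 0) return d;                    /* propagate, never swallow */
        if (d + 1 > deepest) deepest = d + 1;
        if (s[*pos] == ',') { (*pos)++; if (s[*pos] == ']') return ERR_SYNTAX; }
        else if (s[*pos] != ']') return ERR_SYNTAX;
    }
    (*pos)++;
    return deepest;
}

/* max_depth bounds the call stack: the recursion can never go deeper. */
int nesting_depth_recursive(const char *s, int max_depth)
{
    size_t pos = 0;
    int d = parse_value(s, &pos, max_depth);
    return (d < 0 || s[pos] == '\0') ? d : ERR_SYNTAX;
}

/* Iterative equivalent: the nesting level lives in a counter rather than on
 * the program stack, so hostile input cannot overflow it. This version only
 * checks bracket structure, not the full grammar. */
int nesting_depth_iterative(const char *s, int max_depth)
{
    int depth = 0, deepest = 0;
    for (; *s; s++) {
        if (*s == '[' && ++depth > max_depth) return ERR_TOO_DEEP;
        if (*s == ']' && --depth < 0) return ERR_SYNTAX;
        if (*s != '[' && *s != ']' && *s != 'x' && *s != ',') return ERR_SYNTAX;
        if (depth > deepest) deepest = depth;
    }
    return depth == 0 ? deepest : ERR_SYNTAX;
}
```

Both functions reject an input nested deeper than max_depth with ERR_TOO_DEEP; the recursive one does so before the stack grows beyond max_depth frames, and the iterative one never grows the stack at all.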
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-32933 | AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion | AutoMapper | 7.5 | High | 2026-03-20
CVE-2026-32944 | Parse Server crash via deeply nested query condition operators | parse-server | 7.5 | - | 2026-03-18
CVE-2026-30922 | pyasn1 Vulnerable to Denial of Service via Unbounded Recursion | pyasn1 | 7.5 | High | 2026-03-18
CVE-2026-31899 | CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification | CairoSVG | 7.5 | High | 2026-03-13
CVE-2026-32141 | flatted: Unbounded recursion DoS in parse() revive phase | flatted | 7.5 | High | 2026-03-12
CVE-2026-1069 | Uncontrolled Recursion in GitLab | GitLab | 7.5 | High | 2026-03-11
CVE-2026-29076 | cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing | cpp-httplib | 5.9 | Medium | 2026-03-07
CVE-2026-25048 | xgrammar: Multi-layer nesting causes DoS | xgrammar | 7.5 | - | 2026-03-05
CVE-2026-3520 | Multer vulnerable to Denial of Service via uncontrolled recursion | multer | 7.5 | - | 2026-03-04
CVE-2026-3388 | Squirrel sqcompiler.cpp UnaryOP recursion | Squirrel | 3.3 | Low | 2026-03-01
CVE-2026-3385 | wren-lang wren wren_compiler.c resolveLocal recursion | wren | 3.3 | Low | 2026-03-01
CVE-2026-3384 | ChaiScript chaiscript_eval.hpp Function_Push_Pop recursion | ChaiScript | 3.3 | Low | 2026-03-01
CVE-2026-25971 | ImageMagick's MSL: Stack overflow in ProcessMSLScript | ImageMagick | 6.2 | Medium | 2026-02-24
CVE-2026-2887 | aardappel lobster idents.h TypeName recursion | lobster | 3.3 | Low | 2026-02-21
CVE-2026-27014 | NanaZip has ROMFS Archive Infinite Loop / Stack Overflow | NanaZip | 6.2 | - | 2026-02-19
CVE-2026-2641 | universal-ctags V Language v.c parseExprList recursion | ctags | 3.3 | Low | 2026-02-18
CVE-2026-1849 | Mongod can run out of stack memory when expressions create deeply nested documents | MongoDB Server | 6.5 | Medium | 2026-02-10
CVE-2025-36001 | IBM Db2 Denial of Service | Db2 for Linux, UNIX and Windows | 6.5 | Medium | 2026-01-30
CVE-2026-22260 | Suricata http1: infinite recursion in decompression | suricata | 7.5 | High | 2026-01-27
CVE-2026-24401 | Avahi has Uncontrolled Recursion in lookup_handle_cname function | avahi | 6.5 | Medium | 2026-01-24
CVE-2026-0994 | Denial of Service in Python Protobuf | Protobuf | 7.5 | - | 2026-01-23
CVE-2026-0989 | Libxml2: unbounded relaxng include recursion leading to stack overflow | Red Hat Hardened Images | 3.7 | Low | 2026-01-15
CVE-2026-0990 | Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing | Red Hat Hardened Images | 5.9 | Medium | 2026-01-15
CVE-2025-68950 | Magick's failure to limit MVG mutual references forming a loop | ImageMagick | 4.0 | Medium | 2025-12-30
CVE-2025-68618 | Magick's failure to limit the depth of SVG file reads caused a DoS attack. | ImageMagick | 5.3 | Medium | 2025-12-30
CVE-2025-67899 | Uriparser security vulnerability | uriparser | 2.9 | Low | 2025-12-14
CVE-2025-59789 | Apache bRPC: Stack Exhaustion via Unbounded Recursion in JSON Parser | Apache bRPC | 7.5 (AI) | High (AI) | 2025-12-01
CVE-2025-66031 | node-forge ASN.1 Unbounded Recursion | forge | 7.5 (AI) | High (AI) | 2025-11-26
CVE-2025-9624 | OpenSearch 3.2.0 - Nested Boolean/Disjunction asymmetric DoS | OpenSearch | 7.5 (AI) | High (AI) | 2025-11-25
CVE-2025-36158 | IBM Concert Information Disclosure | Concert | 5.1 | Medium | 2025-11-20

Vulnerabilities classified as CWE-674 (Uncontrolled Recursion) represent 147 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.