
CWE-674 (Uncontrolled Recursion) — Vulnerability Class 147

147 vulnerabilities classified as CWE-674 (Uncontrolled Recursion). AI-generated Chinese analysis included.

CWE-674 represents a resource management weakness where software fails to properly limit recursive function calls, leading to excessive consumption of system resources such as memory or the program stack. This flaw is typically exploited by attackers who craft specific inputs that trigger deep or infinite recursion, causing the application to crash or become unresponsive. Such exploitation results in a denial-of-service condition, disrupting service availability for legitimate users without requiring authentication or privilege escalation. To mitigate this risk, developers must implement robust safeguards, such as enforcing an explicit maximum recursion depth or converting recursive algorithms into iterative ones using explicit data structures. Additionally, rigorous code reviews and static analysis tools can help identify unbounded recursion, ensuring that all recursive paths have clear termination conditions and adequate resource controls.

MITRE CWE Description
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Common Consequences (2)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)
Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
Confidentiality: Read Application Data
In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's insta…
Mitigations (2)
Implementation: Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Effectiveness: Moderate
Implementation: Increase the stack size.
Effectiveness: Limited
Examples (1)
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
void do_something_recursive (int flg)
{
    ...  // Do some real work here, but the value of flg is unmodified
    if (flg) { do_something_recursive (flg); }    // flg is never modified so it is always TRUE - this call will continue until the stack explodes
}

int flag = 1;  // Set to TRUE
do_something_recursive (flag);

Bad · C
void do_something_recursive (int flg)
{
    ...  // Do some real work here
    // Modify value of flg on done condition
    if (flg) { do_something_recursive (flg); }    // returns when flg changes to 0
}

int flag = 1;  // Set to TRUE
do_something_recursive (flag);

Good · C
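The mitigation above ("checking against the depth of recursion and exiting with an error") applied to the case that dominates the CVE list below: a recursive parser whose depth is dictated by untrusted input. This is an added illustration, not MITRE's example or any listed project's code; the bracket format, the MAX_NESTING value and the function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration, not MITRE's example: a recursive parser of nested "[...]"
 * groups whose recursion depth is chosen by the input, guarded by the explicit
 * depth limit CWE-674's mitigation calls for. MAX_NESTING is an assumed value. */
#define MAX_NESTING 64

/* Parse one balanced group at s[*pos] == '['. Returns 0 on success with *pos
 * moved past the closing ']', -1 on malformed input, -2 if nesting would exceed
 * max_depth. Without the first check, each extra '[' in untrusted input costs
 * one more stack frame until the stack is exhausted (the CWE-674 condition). */
static int parse_group(const char *s, size_t *pos, int depth, int max_depth, int *deepest)
{
    if (depth > max_depth) return -2;   /* explicit end condition: fail early */
    if (s[*pos] != '[') return -1;
    (*pos)++;
    if (depth > *deepest) *deepest = depth;
    while (s[*pos] == '[') {            /* sibling groups at the same level */
        int rc = parse_group(s, pos, depth + 1, max_depth, deepest);
        if (rc != 0) return rc;
    }
    if (s[*pos] != ']') return -1;
    (*pos)++;
    return 0;
}

/* Maximum nesting depth of s; -1 if malformed, -2 if deeper than max_depth. */
int nesting_depth(const char *s, int max_depth)
{
    size_t pos = 0;
    int deepest = 0, rc = parse_group(s, &pos, 1, max_depth, &deepest);
    if (rc != 0) return rc;
    return s[pos] == '\0' ? deepest : -1;   /* reject trailing bytes */
}

/* Constructed hostile input: n '[' then n ']'. Returns the parser's verdict so
 * a caller can confirm the limit trips long before the stack would. */
int probe_constructed_input(size_t n, int max_depth)
{
    char *buf = malloc(2 * n + 1);
    if (!buf) return -1;
    memset(buf, '[', n);
    memset(buf + n, ']', n);
    buf[2 * n] = '\0';
    int rc = nesting_depth(buf, max_depth);
    free(buf);
    return rc;
}
```

A million-deep constructed input is rejected after 65 frames; removing the first check in parse_group turns the same call into the stack-exhaustion crash the CVEs below describe.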
CVE ID | Title | Product | CVSS | Severity | Published
(AI) marks a score or severity that the page tags as AI-estimated.

CVE-2025-11896 | Stack overflow in Xpdf 4.05 due to object loop in PDF CMap | Xpdf | 5.5 (AI) | Medium (AI) | 2025-10-16
CVE-2025-54858 | BIG-IP Advanced WAF and ASM vulnerability | BIG-IP | 7.5 | High | 2025-10-15
CVE-2025-33096 | IBM Engineering Requirements Management Doors Next denial of service | Engineering Requirements Management Doors Next | 6.5 | Medium | 2025-10-12
CVE-2025-61766 | Bucket vulnerable to infinite recursion when querying a bucket using the != operator | mediawiki-extensions-Bucket | 6.5 | Medium | 2025-10-06
CVE-2025-10728 | Uncontrolled recursion in Qt SVG module | Qt | 6.2 (AI) | Medium (AI) | 2025-10-03
CVE-2025-43718 | Poppler security vulnerability | Poppler | 2.9 | Low | 2025-10-01
CVE-2025-59364 | Express XSS Sanitizer security vulnerability | Express XSS Sanitizer | 5.3 | Medium | 2025-09-14
CVE-2025-9714 | Stack overflow in libxml2 | libxml2 | 6.2 | Medium | 2025-09-10
CVE-2025-57809 | XGrammar affected by Denial of Service by infinite recursion grammars | xgrammar | 6.5 (AI) | Medium (AI) | 2025-08-25
CVE-2025-5302 | Denial of Service (DOS) in JSONReader in run-llama/llama_index | run-llama/llama_index | 7.5 | - | 2025-08-25
CVE-2025-8732 | libxml2 xmlcatalog xmlParseSGMLCatalog recursion | libxml2 | 3.3 | Low | 2025-08-08
CVE-2025-23325 | NVIDIA Triton Inference Server security vulnerability | Triton Inference Server | 7.5 | High | 2025-08-06
CVE-2024-58264 | serde-json-wasm crate security vulnerability | serde-json-wasm | 3.2 | Low | 2025-07-27
CVE-2025-48924 | Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs | Apache Commons Lang | 7.5 (AI) | High (AI) | 2025-07-11
CVE-2025-53864 | Connect2id Nimbus JOSE + JWT security vulnerability | Nimbus JOSE+JWT | 5.8 | Medium | 2025-07-11
CVE-2025-5472 | Denial of Service via Uncontrolled Recursive JSON Parsing in JSONReader in run-llama/llama_index | run-llama/llama_index | 7.5 | - | 2025-07-07
CVE-2025-53605 | protobuf crate security vulnerability | protobuf | 5.9 | Medium | 2025-07-05
CVE-2025-6710 | Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB | MongoDB Server | 7.5 | High | 2025-06-26
CVE-2025-4565 | Unbounded recursion in Python Protobuf | Python-Protobuf | 7.5 | - | 2025-06-16
CVE-2025-20678 | MediaTek Chipsets security vulnerability | MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | 7.5 (AI) | High (AI) | 2025-06-02
CVE-2025-30193 | Denial of service via crafted TCP exchange | DNSdist | 7.5 | High | 2025-05-20
CVE-2025-1752 | Denial of Service in run-llama/llama_index | run-llama/llama_index | 7.5 (AI) | High (AI) | 2025-05-10
CVE-2025-43708 | VisiCut security vulnerability | VisiCut | 3.3 | Low | 2025-04-17
CVE-2024-12910 | Denial of Service in run-llama/llama_index | run-llama/llama_index | 7.5 | - | 2025-03-20
CVE-2024-58103 | Square Wire security vulnerability | Wire | 5.8 | Medium | 2025-03-16
CVE-2024-8176 | Libexpat: expat: improper restriction of xml entity expansion depth in libexpat | | 7.5 | High | 2025-03-14
CVE-2024-58102 | Datalust Seq security vulnerability | Seq | 5.7 | Medium | 2025-03-11
CVE-2025-1492 | Uncontrolled Recursion in Wireshark | Wireshark | 7.8 | High | 2025-02-20
CVE-2024-57257 | DENX Software Engineering Das U-Boot security vulnerability | U-Boot | 2.0 | Low | 2025-02-18
CVE-2024-54731 | CPDF security vulnerability | CPDF | 4.0 | Medium | 2025-01-08

Vulnerabilities classified as CWE-674 (Uncontrolled Recursion) represent 147 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.