
CWE-834 Excessive Iteration: vulnerability list (22)

Summary of the 22 CVE vulnerabilities classified under the CWE-834 Excessive Iteration weakness, with AI-generated Chinese analysis.

CWE-834 is a resource-consumption weakness: the program performs an iteration or loop without sufficiently limiting how many times it executes. An attacker typically supplies crafted input that drives the loop to run far more often than intended, exhausting CPU or memory and causing denial of service or a crash. To avoid this class of problem, developers should place a sensible upper bound on iteration counts, strictly validate input that influences loop conditions, and apply timeouts so that every loop terminates within a controlled range and resources cannot be abused.

MITRE CWE official description
CWE-834: Excessive Iteration
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.
Common consequences (1)
Scope: Availability
Impact: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart
Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The product's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to ex…
Code examples (2)
In this example a mistake exists in the code where the exit condition based on flg is never reached. This results in the function calling itself over and over again until the stack is exhausted.
    void do_something_recursive (int flg)
    {
        ... // Do some real work here, but the value of flg is unmodified
        if (flg)
        {
            do_something_recursive (flg);    // flg is never modified so it is always TRUE - this call will continue until the stack explodes
        }
    }

    int flag = 1; // Set to TRUE
    do_something_recursive (flag);
Bad · C
    void do_something_recursive (int flg)
    {
        ... // Do some real work here
        // Modify value of flg on done condition
        if (flg)
        {
            do_something_recursive (flg);    // returns when flg changes to 0
        }
    }

    int flag = 1; // Set to TRUE
    do_something_recursive (flag);
Good · C
For this example, the method isReorderNeeded is part of a bookstore application that determines if a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.
    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        boolean isReorder = false;
        int minimumCount = 10;
        int days = 0;

        // get inventory count for book
        int inventoryCount = inventory.getInventoryCount(bookISBN);

        // find number of days until inventory count reaches minimum
        // NOTE: if rateSold is 0 or negative, inventoryCount never decreases
        // and this loop never terminates
        while (inventoryCount > minimumCount) {
            inventoryCount = inventoryCount - rateSold;
            days++;
        }

        // if number of days within reorder timeframe
        // set reorder return boolean to true
        if (days > 0 && days < 5) {
            isReorder = true;
        }
        return isReorder;
    }
Bad · Java
    public boolean isReorderNeeded(String bookISBN, int rateSold) {
        ...
        // validate rateSold variable
        if (rateSold < 1) {
            return isReorder;
        }
        ...
    }
Good · Java
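The bookstore example above fixes the non-terminating loop by validating rateSold. The following C version, added here as an illustration rather than taken from MITRE or from this page, applies both mitigations the description calls for: input validation and an explicit iteration cap, so the loop is bounded even if the validation check is later weakened. The constants MINIMUM_COUNT, REORDER_WINDOW_DAYS and MAX_HORIZON_DAYS and the function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constants assumed for this illustration (not from the page). */
#define MINIMUM_COUNT 10        /* reorder threshold, as in the Java example */
#define REORDER_WINDOW_DAYS 5   /* the "days < 5" window from the Java example */
#define MAX_HORIZON_DAYS 365    /* hard cap on loop iterations */

/* Days until the inventory drops to MINIMUM_COUNT when rate_sold units are
 * sold per day. Returns -1 for invalid input (rate_sold < 1), the case that
 * makes the unguarded Java loop run forever. The iteration cap is a second,
 * independent bound: whatever the inputs, the loop body executes at most
 * MAX_HORIZON_DAYS times. */
int days_until_minimum(int inventory_count, int rate_sold)
{
    if (rate_sold < 1) {
        return -1;
    }
    int days = 0;
    /* No signed overflow: inventory_count > 10 and rate_sold >= 1 keep the
     * subtraction well inside int range. */
    while (inventory_count > MINIMUM_COUNT && days < MAX_HORIZON_DAYS) {
        inventory_count -= rate_sold;
        days++;
    }
    return days;
}

/* Counterpart of the Java isReorderNeeded: true only when the minimum is
 * reached within the reorder window. Both the invalid-input marker (-1) and
 * the cap value (MAX_HORIZON_DAYS) fall outside the window, so neither
 * triggers a reorder. */
bool is_reorder_needed(int inventory_count, int rate_sold)
{
    int days = days_until_minimum(inventory_count, rate_sold);
    return days > 0 && days < REORDER_WINDOW_DAYS;
}

int main(void)
{
    printf("30 units, 5/day      -> %d days, reorder=%d\n",
           days_until_minimum(30, 5), (int)is_reorder_needed(30, 5));
    printf("30 units, 0/day      -> %d (rejected)\n", days_until_minimum(30, 0));
    printf("1000000 units, 1/day -> %d (capped)\n", days_until_minimum(1000000, 1));
    return 0;
}
```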
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-41313 | pypdf security vulnerability | pypdf | 6.5 (AI) | Medium (AI) | 2026-04-22
CVE-2026-41168 | pypdf security vulnerability | pypdf | 4.3 (AI) | Medium (AI) | 2026-04-22
CVE-2026-27025 | pypdf security vulnerability | pypdf | 6.5 (AI) | Medium (AI) | 2026-02-20
CVE-2025-67726 | Tornado security vulnerability | tornado | 7.5 | High | 2025-12-12
CVE-2025-62707 | pypdf security vulnerability | pypdf | 6.5 (AI) | Medium (AI) | 2025-10-22
CVE-2025-6714 | MongoDB Server security vulnerability | MongoDB Server | 7.5 | High | 2025-07-07
CVE-2024-4227 | Genivia gSOAP security vulnerability | gSOAP | 7.5 | High | 2025-01-15
CVE-2024-8049 | Progress Telerik Document Processing Libraries security vulnerability | Telerik Document Processing Libraries | 6.5 | Medium | 2024-11-13
CVE-2023-5632 | Eclipse Mosquitto security vulnerability | Mosquitto | 7.5 | High | 2023-10-18
CVE-2023-33953 | gRPC security vulnerability | gRPC | 7.5 | High | 2023-08-09
CVE-2023-26513 | Apache Sling security vulnerability | Apache Sling Resource Merger | 7.5 | High | 2023-03-20
CVE-2021-39204 | Caleb Doxsey pomerium security vulnerability | pomerium | 7.5 | High | 2021-09-09
CVE-2021-32778 | EARCLINK ESPCMS SQL injection vulnerability | envoy | 5.8 | Medium | 2021-08-24
CVE-2021-35515 | Apache Commons Compress security vulnerability | Apache Commons Compress | 7.5 | - | 2021-07-13
CVE-2021-31812 | Apache PDFBox security vulnerability | Apache PDFBox | 5.5 | - | 2021-06-12
CVE-2021-27807 | Apache PDFBox security vulnerability | Apache PDFBox | 5.5 | - | 2021-03-19
CVE-2018-20805 | MongoDB Server input validation error vulnerability | MongoDB Server | 6.5 | Medium | 2020-11-23
CVE-2019-3565 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06
CVE-2019-3564 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06
CVE-2019-3559 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06
CVE-2019-3558 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06
CVE-2019-3552 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06

CWE-834 (Excessive Iteration) is a common weakness class; this platform indexes 22 CVE vulnerabilities associated with it.