
CWE-834 (Excessive Iteration) — Vulnerability Class 22

22 vulnerabilities classified as CWE-834 (Excessive Iteration). AI-generated Chinese analysis included.

CWE-834, Excessive Iteration, is a software weakness in which a program runs a loop (or a recursion) without sufficiently limiting how many times it executes. The flaw usually arises when a loop bound, step or termination condition is derived from untrusted input: a declared element count, a size field, a stride that can be zero, or a terminator that may be absent. By supplying a huge count, a zero step or a truncated stream, an attacker can keep the program iterating far longer than the real data justifies. The loop does not have to be infinite to matter; if each iteration allocates memory or does non-trivial work, a large but finite count is enough to exhaust CPU or memory and cause a denial of service that slows, hangs or crashes the host process. Mitigations are to validate and clamp input-derived counts against what the data can actually contain, enforce an absolute upper bound on iterations, require that every iteration makes progress (the position advances, the counter changes), and bound the work of a whole operation with a deadline or iteration budget so that a runaway loop is aborted before it affects availability.

MITRE CWE Description
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. If the iteration can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. In many cases, a loop does not need to be infinite in order to cause enough resource consumption to adversely affect the product or its host system; it depends on the amount of resources consumed per iteration.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Amplification, DoS: Crash, Exit, or Restart
Excessive looping will cause unexpected consumption of resources, such as CPU cycles or memory. The product's operation may slow down, or cause a long time to respond. If limited resources such as memory are consumed for each iteration, the loop may eventually cause a crash or program exit due to ex…
Examples (2)

In this example a mistake exists in the code: the value of flg, which holds the exit condition, is never modified. This results in the function calling itself over and over again until the stack is exhausted.

Bad · C

```c
void do_something_recursive(int flg)
{
    /* ... do some real work here, but the value of flg is left unmodified ... */
    if (flg) {
        /* flg is never modified, so it is always TRUE: this call repeats
           until the stack is exhausted */
        do_something_recursive(flg);
    }
}

int flag = 1;   /* set to TRUE */
do_something_recursive(flag);
```

Good · C

```c
void do_something_recursive(int flg)
{
    /* ... do some real work here, and clear flg once the done condition is reached ... */
    if (flg) {
        /* returns once flg has been set to 0 */
        do_something_recursive(flg);
    }
}

int flag = 1;   /* set to TRUE */
do_something_recursive(flag);
```

For this example, the method isReorderNeeded is part of a bookstore application that determines whether a particular book needs to be reordered, based on the current inventory count and the rate at which the book is being sold.

Bad · Java

```java
public boolean isReorderNeeded(String bookISBN, int rateSold) {
    boolean isReorder = false;
    int minimumCount = 10;
    int days = 0;

    // get inventory count for book
    int inventoryCount = inventory.getInventoryCount(bookISBN);

    // find number of days until inventory count reaches minimum;
    // if rateSold is 0 or negative, inventoryCount never drops and this loop never ends
    while (inventoryCount > minimumCount) {
        inventoryCount = inventoryCount - rateSold;
        days++;
    }

    // if number of days is within the reorder timeframe,
    // set the reorder return boolean to true
    if (days > 0 && days < 5) {
        isReorder = true;
    }
    return isReorder;
}
```

Good · Java

```java
public boolean isReorderNeeded(String bookISBN, int rateSold) {
    ...
    // validate rateSold: a zero or negative rate would make the loop below run forever
    if (rateSold < 1) {
        return isReorder;
    }
    ...
}
```
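The description above and both MITRE examples come down to the same two defects: a loop bound taken from the input, and a loop whose termination depends on a value the loop does not control. The following is an added example, not code from MITRE, pypdf, PDFBox or this page. It uses a constructed toy record format (a `CNT=` header declaring how many `REC:` lines follow), so that a crafted header can declare far more records than the body holds, which is the shape of the "wrong size values" and "without EOF marker" entries in the table below. The constants MAX_RECORDS and MAX_PARSE_SECONDS are assumed policy values, not values from any of those projects.

```python
"""CWE-834 in a parser: the iteration count comes from the input.

Added example with a constructed toy format (not pypdf, PDFBox or MITRE code):
    header:  b"CNT=" + decimal record count + b"\n"
    body:    `count` records, each b"REC:" + payload + b"\n"
A crafted header can declare far more records than the body contains.
"""
import time

MAX_RECORDS = 10_000        # assumed absolute cap for one document
MAX_PARSE_SECONDS = 0.05    # assumed per-call deadline


class ParseError(ValueError):
    pass


def parse_trusting(data: bytes):
    """Vulnerable: loops as many times as the untrusted header says.

    Returns (records, iterations) so the cost of the loop is visible.
    """
    header, _, body = data.partition(b"\n")
    count = int(header[4:])            # attacker-chosen loop bound
    records, pos, iterations = [], 0, 0
    for _ in range(count):             # CWE-834: bound is never checked against the data
        iterations += 1
        end = body.find(b"\n", pos)
        if end == -1:                  # body exhausted, but the loop keeps spinning
            records.append(b"")
            continue
        records.append(body[pos + 4:end])
        pos = end + 1
    return records, iterations


def parse_bounded(data: bytes) -> list:
    """Hardened: the declared count is capped and checked against the body,
    every iteration must advance, and the whole call runs under a deadline."""
    header, _, body = data.partition(b"\n")
    if not header.startswith(b"CNT="):
        raise ParseError("missing count header")
    try:
        declared = int(header[4:])
    except ValueError:
        raise ParseError("count is not an integer") from None
    if not 0 <= declared <= MAX_RECORDS:
        raise ParseError(f"declared count {declared} outside [0, {MAX_RECORDS}]")
    # Each record ends with a newline, so the body cannot hold more records
    # than it has newlines: reject a count the data cannot support.
    available = body.count(b"\n")
    if declared > available:
        raise ParseError(f"declared {declared} records but only {available} present")

    records, pos = [], 0
    deadline = time.monotonic() + MAX_PARSE_SECONDS
    for i in range(declared):
        if time.monotonic() > deadline:
            raise ParseError("parse deadline exceeded")
        end = body.find(b"\n", pos)
        if end == -1 or not body.startswith(b"REC:", pos):
            raise ParseError(f"record {i} malformed")
        records.append(body[pos + 4:end])
        next_pos = end + 1
        if next_pos <= pos:            # progress invariant: a loop that does not advance never ends
            raise ParseError("parser made no progress")
        pos = next_pos
    return records


def rejection_reason(data: bytes):
    """Return the ParseError message the hardened parser raises for data, or None."""
    try:
        parse_bounded(data)
    except ParseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    crafted = b"CNT=100000\nREC:a\nREC:bb\n"   # constructed: two records, declares 100000
    _, spins = parse_trusting(crafted)
    print(f"trusting parser looped {spins} times for 2 records")
    print("bounded parser:", rejection_reason(crafted))
```

The three guards are layered deliberately: the cap and the check against the body size bound the loop before it starts, the progress invariant catches a loop that stops advancing (the bookstore example's zero step), and the deadline catches whatever the first two miss. Running the trusting parser on the crafted input shows the cost directly: 100,000 iterations of work for a body that holds two records.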
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41313 | pypdf: Possible long runtimes for wrong size values in incremental mode | pypdf | 6.5 AI | Medium AI | 2026-04-22 |
| CVE-2026-41168 | pypdf has possible long runtimes for wrong size values in cross-reference and object streams | pypdf | 4.3 AI | Medium AI | 2026-04-22 |
| CVE-2026-27025 | pypdf has possible long runtimes/large memory usage for large /ToUnicode streams | pypdf | 6.5 AI | Medium AI | 2026-02-20 |
| CVE-2025-67726 | Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters | tornado | 7.5 | High | 2025-12-12 |
| CVE-2025-62707 | pypdf affected by possible infinite loop when reading DCT inline images without EOF marker | pypdf | 6.5 AI | Medium AI | 2025-10-22 |
| CVE-2025-6714 | Incorrect Handling of incomplete data may prevent mongoS from Accepting New Connections | MongoDB Server | 7.5 | High | 2025-07-07 |
| CVE-2024-4227 | gSOAP: Vulnerable to specially crafted unencrypted SDC messages | gSOAP | 7.5 | High | 2025-01-15 |
| CVE-2024-8049 | Telerik Document Processing Improper Handling of Memory Resources | Telerik Document Processing Libraries | 6.5 | Medium | 2024-11-13 |
| CVE-2023-5632 | Unconditionally adding an event to the epoll causes excessive CPU consumption | Mosquitto | 7.5 | High | 2023-10-18 |
| CVE-2023-33953 | Denial-of-Service in gRPC | gRPC | 7.5 | High | 2023-08-09 |
| CVE-2023-26513 | Apache Sling Resource Merger: Requests to certain paths managed by the Apache Sling Resource Merger can lead to DoS | Apache Sling Resource Merger | 7.5 | High | 2023-03-20 |
| CVE-2021-39204 | Excessive CPU usage in Pomerium | pomerium | 7.5 | High | 2021-09-09 |
| CVE-2021-32778 | Excessive CPU utilization when closing HTTP/2 streams | envoy | 5.8 | Medium | 2021-08-24 |
| CVE-2021-35515 | Apache Commons Compress 1.6 to 1.20 denial of service vulnerability | Apache Commons Compress | 7.5 | - | 2021-07-13 |
| CVE-2021-31812 | A carefully crafted PDF file can trigger an infinite loop while loading the file | Apache PDFBox | 5.5 | - | 2021-06-12 |
| CVE-2021-27807 | A carefully crafted PDF file can trigger an infinite loop while loading the file | Apache PDFBox | 5.5 | - | 2021-03-19 |
| CVE-2018-20805 | Invariant with $elemMatch | MongoDB Server | 6.5 | Medium | 2020-11-23 |
| CVE-2019-3565 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06 |
| CVE-2019-3564 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06 |
| CVE-2019-3559 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06 |
| CVE-2019-3558 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06 |
| CVE-2019-3552 | Facebook Thrift input validation error vulnerability | Facebook Thrift | 7.5 | - | 2019-05-06 |

Scores and severities marked "AI" carry that tag on the page; a "-" severity means none is listed.

Vulnerabilities classified as CWE-834 (Excessive Iteration) represent 22 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.