Total
347 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-52761 | 1 Linux | 1 Linux Kernel | 2025-09-23 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
riscv: VMAP_STACK overflow detection thread-safe
commit 31da94c25aea ("riscv: add VMAP_STACK overflow detection") added
support for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to
`shadow_stack` temporarily before switching finally to per-cpu
`overflow_stack`.
If two CPUs/harts are racing and end up in over flowing kernel stack, one
or both will end up corrupting each other state because `shadow_stack` is
not per- ...
Show More |
|||||
| CVE-2025-53864 | 2025-09-23 | N/A | 5.8 MEDIUM | ||
|
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
|
|||||
| CVE-2024-1899 | 1 Showdownjs | 1 Showdown | 2025-09-18 | N/A | 5.3 MEDIUM |
|
An issue in the anchors subparser of Showdownjs versions <= 2.1.0 could allow a remote attacker to cause denial of service conditions.
|
|||||
| CVE-2024-27454 | 1 Ijl | 1 Orjson | 2025-09-18 | N/A | 7.5 HIGH |
|
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
|
|||||
| CVE-2025-59364 | 2025-09-15 | N/A | 5.3 MEDIUM | ||
|
The express-xss-sanitizer (aka Express XSS Sanitizer) package through 2.0.0 for Node.js has an unbounded recursion depth in sanitize in lib/sanitize.js for a JSON request body.
|
|||||
| CVE-2025-6710 | 1 Mongodb | 1 Mongodb | 2025-09-15 | N/A | 7.5 HIGH |
|
MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5.
The same issue affects MongoDB Server v6.0 versions prior to 6 ...
Show More |
|||||
| CVE-2025-57809 | 1 Mlc-ai | 1 Xgrammar | 2025-09-09 | N/A | 7.5 HIGH |
|
XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21.
|
|||||
| CVE-2025-32387 | 1 Helm | 1 Helm | 2025-09-03 | N/A | 6.5 MEDIUM |
|
Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.17.3.
|
|||||
| CVE-2024-28244 | 1 Katex | 1 Katex | 2025-09-02 | N/A | 6.5 MEDIUM |
|
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. KaTeX supports an option named maxExpand which aims to prevent infinitely recursive macros from consuming all available memory and/or triggering a stack overflow error. Unfortunately, support for "Unicode (sub|super)script character ...
Show More |
|||||
| CVE-2025-5302 | 2025-08-25 | N/A | 8.6 HIGH | ||
|
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38.
|
|||||
| CVE-2025-4565 | 1 Google | 1 Protobuf-python | 2025-08-14 | N/A | 5.3 MEDIUM |
|
Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901
|
|||||
| CVE-2025-20025 | 2025-08-13 | N/A | 4.4 MEDIUM | ||
|
Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable denial of service via local access.
|
|||||
| CVE-2025-24302 | 2025-08-13 | N/A | 6.7 MEDIUM | ||
|
Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2025-23325 | 3 Linux, Microsoft, Nvidia | 3 Linux Kernel, Windows, Triton Inference Server | 2025-08-12 | N/A | 7.5 HIGH |
|
NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause uncontrolled recursion through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service.
|
|||||
| CVE-2025-8732 | 2025-08-08 | 1.7 LOW | 3.3 LOW | ||
|
A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and ...
Show More |
|||||
| CVE-2024-58264 | 1 Cosmwasm | 1 Serde-json-wasm | 2025-08-06 | N/A | 3.2 LOW |
|
The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.
|
|||||
| CVE-2025-5472 | 1 Llamaindex | 1 Llamaindex | 2025-07-30 | N/A | 6.5 MEDIUM |
|
The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts ...
Show More |
|||||
| CVE-2024-20311 | 1 Cisco | 2 Ios, Ios Xe | 2025-07-30 | N/A | 8.6 HIGH |
|
A vulnerability in the Locator ID Separation Protocol (LISP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload.
This vulnerability is due to the incorrect handling of LISP packets. An attacker could exploit this vulnerability by sending a crafted LISP packet to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) conditi ...
Show More |
|||||
| CVE-2025-53605 | 2025-07-08 | N/A | 5.9 MEDIUM | ||
|
The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input.
|
|||||
| CVE-2021-42717 | 5 Debian, F5, Oracle and 2 more | 6 Debian Linux, Nginx Modsecurity Waf, Http Server and 3 more | 2025-07-03 | 5.0 MEDIUM | 7.5 HIGH |
|
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
|
|||||
| CVE-2022-25313 | 5 Debian, Fedoraproject, Libexpat Project and 2 more | 6 Debian Linux, Fedora, Libexpat and 3 more | 2025-05-30 | 4.3 MEDIUM | 6.5 MEDIUM |
|
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
|
|||||
| CVE-2022-41966 | 1 Xstream | 1 Xstream | 2025-05-23 | N/A | 8.2 HIGH |
|
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException inste ...
Show More |
|||||
| CVE-2025-30193 | 2025-05-21 | N/A | 7.5 HIGH | ||
|
In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service.
The remedy is: upgrade to the patched 1.9.10 version.
A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPer ...
Show More |
|||||
| CVE-2024-29904 | 1 Codeigniter | 1 Codeigniter | 2025-05-07 | N/A | 7.5 HIGH |
|
CodeIgniter is a PHP full-stack web framework A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server. Upgrade to v4.4.7 or later.
|
|||||
| CVE-2022-46405 | 1 Joinmastodon | 1 Mastodon | 2025-04-24 | N/A | 7.5 HIGH |
|
Mastodon through 4.0.2 allows attackers to cause a denial of service (large Sidekiq pull queue) by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, such that there is uncontrolled recursion of attacker-generated messages.
|
|||||
| CVE-2017-8537 | 1 Microsoft | 13 Endpoint Protection, Exchange Server, Forefront Endpoint Protection and 10 more | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to denial of service. aka "Microsoft Malware Protection Engine Denial of Service Vulnerability", a different vulnerabil ...
Show More |
|||||
| CVE-2017-8536 | 1 Microsoft | 13 Endpoint Protection, Exchange Server, Forefront Endpoint Protection and 10 more | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to denial of service. aka "Microsoft Malware Protection Engine Denial of Service Vulnerability", a different vulnerabil ...
Show More |
|||||
| CVE-2017-11554 | 1 Libsass | 1 Libsass | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.
|
|||||
| CVE-2017-16419 | 1 Adobe | 4 Acrobat, Acrobat Dc, Acrobat Reader and 1 more | 2025-04-20 | 4.3 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The issue is a stack exhaustion problem within the JavaScript API, where the computation does not correctly control the amount of recursion that can happen with respect to system resources.
|
|||||
| CVE-2017-9617 | 1 Wireshark | 1 Wireshark | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion (uncontrolled recursion) in the dissect_daap_one_tag function in epan/dissectors/packet-daap.c in the DAAP dissector.
|
|||||
| CVE-2017-0692 | 1 Google | 1 Android | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36725407.
|
|||||
| CVE-2017-9766 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c.
|
|||||
| CVE-2017-11164 | 1 Pcre | 1 Pcre | 2025-04-20 | 7.8 HIGH | 7.5 HIGH |
|
In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
|
|||||
| CVE-2017-5839 | 1 Gstreamer Project | 1 Gstreamer | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-media.c in gst-plugins-base in GStreamer before 1.10.3 does not properly limit recursion, which allows remote attackers to cause a denial of service (stack overflow and crash) via vectors involving nested WAVEFORMATEX.
|
|||||
| CVE-2017-11556 | 1 Libsass | 1 Libsass | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.
|
|||||
| CVE-2017-9304 | 1 Virustotal | 1 Yara | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
|
libyara/re.c in the regexp module in YARA 3.5.0 allows remote attackers to cause a denial of service (stack consumption) via a crafted rule that is mishandled in the _yr_re_emit function.
|
|||||
| CVE-2017-9616 | 1 Wireshark | 1 Wireshark | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion (uncontrolled recursion) in the dissect_mp4_box function in epan/dissectors/file-mp4.c.
|
|||||
| CVE-2017-0886 | 1 Nextcloud | 1 Nextcloud Server | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.
|
|||||
| CVE-2017-7515 | 1 Freedesktop | 1 Poppler | 2025-04-20 | 4.3 MEDIUM | 5.5 MEDIUM |
|
poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service.
|
|||||
| CVE-2017-10910 | 1 Mqtt.js Project | 1 Mqtt.js | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
|
MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may lead to an attacker causing a denial-of-service condition.
|
|||||