CWE WEAKNESSES / CWE-674
CWE-674
Uncontrolled Recursion
Class
What it is
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Impact
| Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) |
| Confidentiality | Read Application Data |
Mitigations
- [Implementation] Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
- [Implementation] Increase the stack size.
Real-world CVE examples
- CVE-2007-1285 — Deeply nested arrays trigger stack exhaustion.
- CVE-2007-3409 — Self-referencing pointers create infinite loop and resultant stack exhaustion.
- CVE-2016-10707 — Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
- CVE-2016-3627 — An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
- CVE-2019-15118 — USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.
Related weaknesses
Test & detect
Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.
Source: MITRE CWE. View on cwe.mitre.org →