CWE-674 (Uncontrolled Recursion) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-49941 | 2026-06-04 | Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges… |
| CVE-2026-47706 | 2026-06-04 | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detectio… |
| CVE-2026-47320 | 2026-06-04 | Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads. This issue affects rlottie: befor… |
| CVE-2026-47306 | 2026-06-04 | Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945. |
| CVE-2026-8936 | 2026-06-02 | Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event.… |
| CVE-2026-40989 | 2026-06-01 | Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function… |
| CVE-2026-44740 | 2026-06-01 | Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loop… |
| CVE-2026-42328 | 2026-05-27 | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on I… |
| CVE-2026-6936 | 2026-05-27 | IBM i 7.6, 7.5, 7.4, and 7.3 s vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit thi… |
| CVE-2026-44844 | 2026-05-26 | eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses… |
| CVE-2026-7453 | 2026-05-26 | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can cause a Stack Exhaustion vulnerability, leading to a denial-of-service condition. |
| CVE-2026-9358 | 2026-05-24 | A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to… |
| CVE-2026-47317 | 2026-05-19 | Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. |
| CVE-2026-47309 | 2026-05-19 | Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. |
| CVE-2026-6811 | 2026-05-14 | Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is … |
| CVE-2026-41935 | 2026-05-14 | Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recu… |
| CVE-2026-6479 | 2026-05-14 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled… |
| CVE-2026-45205 | 2026-05-14 | Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue a… |
| CVE-2026-45740 | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.f… |
| CVE-2026-44289 | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected bot… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Related_Attack_Patterns |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Relationships |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Related_Attack_Patterns |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Related_Attack_Patterns, Relationships, Type |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Related_Attack_Patterns, Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Demonstrative_Examples, Description, Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Potential_Mitigations |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Demonstrative_Examples |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Potential_Mitigations |