Total
312 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-36395 | 1 Moodle | 1 Moodle | 2025-03-07 | N/A | 7.5 HIGH |
| In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service. | |||||
| CVE-2020-36691 | 1 Linux | 1 Linux Kernel | 2025-02-21 | N/A | 5.5 MEDIUM |
| An issue was discovered in the Linux kernel before 5.8. lib/nlattr.c allows attackers to cause a denial of service (unbounded recursion) via a nested Netlink policy with a back reference. | |||||
| CVE-2023-1370 | 1 Json-smart Project | 1 Json-smart | 2025-02-13 | N/A | 7.5 HIGH |
| [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. | |||||
| CVE-2024-57699 | 2025-02-06 | N/A | 7.5 HIGH | ||
| A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370. | |||||
| CVE-2023-31893 | 1 Telefonica | 2 Brasil Vivo Play, Brasil Vivo Play Firmware | 2025-01-31 | N/A | 7.5 HIGH |
| Telefnica Brasil Vivo Play (IPTV) Firmware: 2023.04.04.01.06.15 is vulnerable to Denial of Service (DoS) via DNS Recursion. | |||||
| CVE-2024-3247 | 1 Xpdfreader | 1 Xpdf | 2025-01-29 | N/A | 2.9 LOW |
| In Xpdf 4.05 (and earlier), a PDF object loop in an object stream leads to infinite recursion and a stack overflow. | |||||
| CVE-2024-3248 | 1 Xpdfreader | 1 Xpdf | 2025-01-29 | N/A | 2.9 LOW |
| In Xpdf 4.05 (and earlier), a PDF object loop in the attachments leads to infinite recursion and a stack overflow. | |||||
| CVE-2024-4568 | 1 Xpdfreader | 1 Xpdf | 2025-01-29 | N/A | 2.9 LOW |
| In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources leads to infinite recursion and a stack overflow. | |||||
| CVE-2023-2663 | 1 Xpdfreader | 1 Xpdf | 2025-01-24 | N/A | 2.9 LOW |
| In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow. | |||||
| CVE-2024-54731 | 2025-01-08 | N/A | 4.0 MEDIUM | ||
| cpdf through 2.8 allows stack consumption via a crafted PDF document. | |||||
| CVE-2024-49363 | 2024-12-18 | N/A | 7.4 HIGH | ||
| Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified distributed denial-of-service via a maliciously crafted note. FileServerService.prototype.proxyHandler did not check incoming requests are not coming from another proxy server. An attacker can execute an amplified denial-of-service by sending a nested proxy request to the server and end the request with a malicious redirect back to another nested proxy request. Leading to unbounded recursion until the original request is timed out. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. Users unable to upgrade may configure the reverse proxy to block requests to the proxy with an empty User-Agent header or one containing Misskey/. An attacker can not effectively modify the User-Agent header without making another request to the server. | |||||
| CVE-2024-5971 | 2024-11-21 | N/A | 7.5 HIGH | ||
| A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. | |||||
| CVE-2024-37973 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 8.8 HIGH |
| Secure Boot Security Feature Bypass Vulnerability | |||||
| CVE-2024-34158 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |||||
| CVE-2024-2965 | 1 Langchain | 1 Langchain | 2024-11-21 | N/A | 4.7 MEDIUM |
| A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality. | |||||
| CVE-2024-28243 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop, despite setting `maxExpand` to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will be unable to use the site due to memory overflow, tying up the main thread, or stack overflow. Upgrade to KaTeX v0.16.10 to remove this vulnerability. | |||||
| CVE-2024-25112 | 1 Exiv2 | 1 Exiv2 | 2024-11-21 | N/A | 5.5 MEDIUM |
| Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted video file. This bug is fixed in version v0.28.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-0210 | 1 Wireshark | 1 Wireshark | 2024-11-21 | N/A | 7.8 HIGH |
| Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | |||||
| CVE-2023-52079 | 1 Kriszyp | 1 Msgpackr | 2024-11-21 | N/A | 6.8 MEDIUM |
| msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning, replacing the 0x70 extension with your own (that throws an error or does something other than recursive referencing) should mitigate the issue. | |||||
| CVE-2023-51803 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| LinuxServer.io Heimdall before 2.5.7 does not prevent use of icons that have non-image data such as the "<?php ?>" substring. | |||||