CWE-674: Uncontrolled Recursion

ClassDraft

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-674: Uncontrolled Recursion?+

CWE-674: Uncontrolled Recursion is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

What are the security consequences of Uncontrolled Recursion?+

If exploited, CWE-674 (Uncontrolled Recursion) it can compromise Availability and Confidentiality, leading to outcomes such as DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) and Read Application Data.

How do you prevent or mitigate Uncontrolled Recursion?+

Recommended mitigations for CWE-674 include: Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size.

Which programming languages are affected by Uncontrolled Recursion?+

CWE-674 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Uncontrolled Recursion?+

MITRE documents real CVEs mapped to CWE-674, including CVE-2007-1285, CVE-2007-3409, CVE-2016-10707, CVE-2016-3627 and CVE-2019-15118. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-674 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More