The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
View on MITREResources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.
In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path.
Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
Increase the stack size.
No detection method information available for this CWE.
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.
Self-referencing pointers create infinite loop and resultant stack exhaustion.
View DetailsJavascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
View DetailsAn attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
View DetailsUSB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.
View DetailsNo relationship information available for this CWE.
CWE-674: Uncontrolled Recursion is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
If exploited, CWE-674 (Uncontrolled Recursion) it can compromise Availability and Confidentiality, leading to outcomes such as DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) and Read Application Data.
Recommended mitigations for CWE-674 include: Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size.
CWE-674 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-674, including CVE-2007-1285, CVE-2007-3409, CVE-2016-10707, CVE-2016-3627 and CVE-2019-15118. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-674 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.