21 matches found

OSV
added 2026/05/07 2:07 a.m. · 4 views

GHSA-W239-58X2-Q8P5 go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

CVSS 6.2 · AI score 6 · EPSS 0.00017
Exploits 0 · References 2
Github Security Blog
added 2026/05/07 2:07 a.m. · 8 views

go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth

The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...

CVSS 6.2 · AI score 6 · EPSS 0.00017
Exploits 0 · References 2 · Affected Software 1
Github Security Blog
added 2026/04/16 10:50 p.m. · 2 views

Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)

Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...

CVSS 7.5 · AI score 5.9 · EPSS 0.00027
Exploits 1 · References 4 · Affected Software 2
OSV
added 2026/04/16 10:50 p.m. · 1 view

GHSA-F5V8-V6Q3-Q4H6 Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)

Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...

CVSS 7.5 · AI score 5.9
Exploits 0 · References 4
OSV
added 2025/12/16 7:16 p.m. · 1 view

AZL-72727 CVE-2025-68156 affecting package azl-otel-collector 0.127.0-1

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including flatten, min, max, mean, and median, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation...

CVSS 7.5 · AI score 7.2 · EPSS 0.0004
Exploits 0 · References 1
Debian CVE
added 2025/12/16 6:24 p.m. · 2 views

CVE-2025-68156

Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including flatten, min, max, mean, and median, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation...

CVSS 7.5 · AI score 7.5 · EPSS 0.0004
Exploits 0
Veracode
added 2025/09/23 9:54 a.m. · 2 views

Query Depth Restriction Bypass

@escape.tech/graphql-armor-max-depth is vulnerable to query depth restriction bypass. The vulnerability is due to the ignoreIntrospection option being enabled by default, which allows an attacker to bypass the max-depth restriction by naming a query or fragment schema...

AI score 7
Exploits 0 · References 3 · Affected Software 1
Veracode
added 2025/09/23 8:44 a.m. · 2 views

Allocation Of Resources Without Limits

@escape.tech/graphql-armor-max-depth is vulnerable to Allocation Of Resources Without Limits. The vulnerability is due to improper introspection handling: when ignoreIntrospection is enabled (the default), an attacker can name a query/fragment schema to evade max-depth checks and craft...

AI score 7
Exploits 0
OSV
added 2025/08/26 6:45 p.m. · 1 view

GHSA-224P-V68G-5G8F GraphQL Armor Max-Depth Plugin Bypass via fragment caching

Summary A query depth restriction using max-depth can be bypassed, if ignoreIntrospection is enabled (which is the default configuration), by naming your query/fragment schema. Details In the countDepth function, we have the following code that calculates the depth of a used fragment: typescript...

CVSS 5.3 · AI score 7.1
Exploits 0 · References 4
vulnersOsv
added 2025/08/26 6:45 p.m. · 3 views

@cedarjs/api-server (>=0.0.4 <=9.0.0-canary.1784), @cedarjs/cli (>=0.0.4 <=9.0.0-canary.1784) +49 more potentially affected by unknown CVE via @escape.tech/graphql-armor-max-depth (>=2.0.0 <=2.4.1)

@escape.tech/graphql-armor-max-depth NPM version =2.0.0, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.9.1-next.19, =0.0.4, =0.0.4, =0.0.2, =2.0.0, =2.0.6, =2.2.2, =2.19.6 and more Source cves: unknown CVE Source advisory: SNYK:JS-ESCAPETECHGRAPHQLARMORMAXDEPTH-12219956...

AI score 5.8
Exploits 0
Github Security Blog
added 2025/08/26 6:42 p.m. · 6 views

GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

Summary A query depth restriction using the max-depth property can be bypassed, if ignoreIntrospection is enabled (which is the default configuration), by naming your query/fragment schema. Details At the start of the countDepth function, we have the following check for the ignoreIntrospection option...

AI score 7
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/08/26 6:42 p.m. · 1 view

GHSA-HMFR-RX46-4JX2 GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

Summary A query depth restriction using the max-depth property can be bypassed, if ignoreIntrospection is enabled (which is the default configuration), by naming your query/fragment schema. Details At the start of the countDepth function, we have the following check for the ignoreIntrospection option...

CVSS 5.3 · AI score 7
Exploits 0 · References 4
vulnersOsv
added 2025/08/26 6:42 p.m. · 2 views

@cedarjs/api-server (>=0.0.4 <=9.0.0-canary.1784), @cedarjs/cli (>=0.0.4 <=9.0.0-canary.1784) +49 more potentially affected by unknown CVE via @escape.tech/graphql-armor-max-depth (>=2.0.0 <=2.4.1)

@escape.tech/graphql-armor-max-depth NPM version =2.0.0, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.0.4, =0.9.1-next.19, =0.0.4, =0.0.4, =0.0.2, =2.0.0, =2.0.6, =2.2.2, =2.19.6 and more Source cves: unknown CVE Source advisory: SNYK:JS-ESCAPETECHGRAPHQLARMORMAXDEPTH-12219686...

AI score 5.8
Exploits 0
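The graphql-armor-max-depth entries above all describe one flaw: the depth counter's introspection short-circuit keys on a node's name rather than on what kind of node it is, so an operation or fragment that borrows the introspection root field's name is never counted at all. The Go program below is an added example, not the plugin's TypeScript or any project's code. It counts depth over a hand-built selection tree; a Vulnerable switch applies the name check to every node, and the hardened path honours it only on a Field node. The node kinds, the convention that a leaf field has depth 1, the comparison against the GraphQL introspection root field name `__schema`, the cycle guard on fragment spreads and the constructed documents are this example's own assumptions about the advisories' summary, not a reproduction of the plugin's countDepth.

```go
package main

import (
	"errors"
	"fmt"
)

// Kind is the node kind of this toy selection tree.
type Kind int

const (
	Operation Kind = iota // query/mutation definition; Name is "" when anonymous
	Fragment              // fragment definition
	Field                 // selected field
	Spread                // ...Name, expanded from Document.Fragments
)

// Node is the reduced AST a depth counter needs.
type Node struct {
	Kind     Kind
	Name     string
	Children []*Node
}

// Document is one operation plus the fragments it may spread.
type Document struct {
	Operation *Node
	Fragments map[string]*Node
}

// Limiter carries the options the advisories discuss. Vulnerable applies the
// introspection short-circuit to every node kind, so an operation, fragment
// or spread named "__schema" counts as depth 0; the hardened path honours
// the check only on a Field node (this example's assumption about the fix).
type Limiter struct {
	MaxDepth            int
	IgnoreIntrospection bool
	Vulnerable          bool
}

var (
	ErrTooDeep         = errors.New("max-depth: query exceeds allowed depth")
	ErrUnknownFragment = errors.New("max-depth: spread of undefined fragment")
	ErrFragmentCycle   = errors.New("max-depth: fragment spread cycle")
)

// Check rejects the document when its counted depth exceeds MaxDepth.
func (l Limiter) Check(doc Document) error {
	d, err := l.countDepth(doc, doc.Operation, map[string]bool{})
	if err != nil {
		return err
	}
	if d > l.MaxDepth {
		return fmt.Errorf("%w: %d > %d", ErrTooDeep, d, l.MaxDepth)
	}
	return nil
}

// countDepth: a leaf field is depth 1, a field with a selection set is
// 1 + its deepest child, definitions add nothing of their own, and a spread
// counts as the fragment it expands to. active holds fragments currently
// being expanded so a spread cycle is an error, not infinite recursion.
func (l Limiter) countDepth(doc Document, n *Node, active map[string]bool) (int, error) {
	if l.IgnoreIntrospection && n.Name == "__schema" && (l.Vulnerable || n.Kind == Field) {
		return 0, nil // introspection subtree is not counted
	}
	if n.Kind == Spread {
		frag, ok := doc.Fragments[n.Name]
		if !ok {
			return 0, ErrUnknownFragment
		}
		if active[n.Name] {
			return 0, ErrFragmentCycle
		}
		active[n.Name] = true
		defer delete(active, n.Name)
		return l.countDepth(doc, frag, active)
	}
	deepest := 0
	for _, c := range n.Children {
		d, err := l.countDepth(doc, c, active)
		if err != nil {
			return 0, err
		}
		if d > deepest {
			deepest = d
		}
	}
	if n.Kind == Field {
		return deepest + 1, nil
	}
	return deepest, nil
}

// Chain builds the constructed linear selection a { b { c ... } }.
func Chain(names ...string) *Node {
	n := &Node{Kind: Field, Name: names[0]}
	if len(names) > 1 {
		n.Children = []*Node{Chain(names[1:]...)}
	}
	return n
}

// OperationNameBypass is a constructed depth-6 query whose operation is named __schema.
func OperationNameBypass() Document {
	return Document{Operation: &Node{Kind: Operation, Name: "__schema", Children: []*Node{
		Chain("user", "friends", "friends", "friends", "friends", "id")}}}
}

// FragmentNameBypass is a constructed anonymous query spreading a depth-6 fragment named __schema.
func FragmentNameBypass() Document {
	return Document{
		Operation: &Node{Kind: Operation, Children: []*Node{{Kind: Spread, Name: "__schema"}}},
		Fragments: map[string]*Node{"__schema": {Kind: Fragment, Name: "__schema", Children: []*Node{
			Chain("posts", "comments", "author", "posts", "comments", "id")}}},
	}
}

// IntrospectionDocument is the legitimate { __schema { types { name } } }, depth 3 when counted.
func IntrospectionDocument() Document {
	return Document{Operation: &Node{Kind: Operation, Children: []*Node{Chain("__schema", "types", "name")}}}
}

func main() {
	for _, l := range []Limiter{
		{MaxDepth: 4, IgnoreIntrospection: true, Vulnerable: true},
		{MaxDepth: 4, IgnoreIntrospection: true},
	} {
		fmt.Printf("vulnerable=%v operation-name bypass: %v\n", l.Vulnerable, l.Check(OperationNameBypass()))
		fmt.Printf("vulnerable=%v fragment-name bypass:  %v\n", l.Vulnerable, l.Check(FragmentNameBypass()))
	}
}
```

With MaxDepth 4 the vulnerable limiter accepts both constructed depth-6 documents, the hardened one rejects them, and the genuine introspection query is still skipped by both because its root node really is a Field named `__schema`. When auditing a depth rule, the question to ask is which AST node kinds the early return can fire on.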
Snyk
added 2025/05/10 1:21 p.m. · 2 views

Uncontrolled Recursion

Overview llama-index-readers-web is a llama-index readers web integration. Affected versions of this package are vulnerable to Uncontrolled Recursion due to improper handling of the max_depth parameter in the get_article_urls function. An attacker can exhaust system resources and crash the applicatio...

CVSS 8.7 · AI score 6.9 · EPSS 0.00162
Exploits 1 · References 2
CNNVD
added 2025/05/10 12:00 a.m. · 3 views

LlamaIndex resource management error vulnerability

LlamaIndex is a data framework for LLM applications in the LlamaIndex open source. A resource management error vulnerability exists in LlamaIndex version 0.12.15, which stems from an improper implementation of the max_depth parameter and could lead to a denial of service attack...

CVSS 7.5 · AI score 6.1 · EPSS 0.00162
Exploits 1 · References 2
SUSE CVE
added 2024/05/14 3:36 a.m. · 3 views

SUSE CVE-2023-38264

The IBM SDK, Java Technology Edition's Object Request Broker ORB 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578...

CVSS 5.9 · AI score 6.6 · EPSS 0.00199
Exploits 0 · References 5
OSV
added 2022/01/21 11:15 p.m. · 0 views

UBUNTU-CVE-2022-21708

graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL...

CVSS 6.5 · AI score 5.8 · EPSS 0.00155
Exploits 0 · References 5
Positive Technologies
added 2022/01/21 12:00 a.m. · 2 views

PT-2022-15055 · Unknown +1 · Graphql-Go +1

Name of the Vulnerable Software and Affected Versions: graphql-go versions prior to 1.3.0 Description: The issue is a DoS vulnerability due to a bug in the library that allows an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handle...

CVSS 6.5 · AI score 6.3 · EPSS 0.00155
Exploits 0 · References 18
Positive Technologies
added 2021/01/19 12:00 a.m. · 2 views

PT-2021-8147

Name of the Vulnerable Software and Affected Versions Newtonsoft.Json versions prior to 13.0.1 Description The issue is related to a mishandling of exceptional conditions vulnerability in the Newtonsoft.Json library. Crafted data passed to the JsonConvert.DeserializeObject method may trigger a...

CVSS 7.8 · AI score 8 · EPSS 0.02228
Exploits 2 · References 43
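The go-ipld-prime, Expr, graphql-go and Newtonsoft.Json entries above describe the same defect in four code bases: a recursive parser or traversal descends one frame per nesting level with nothing bounding it, so the attacker's input decides how deep the stack grows. The Go program below is an added example, not code from any of those projects: a toy decoder for a CBOR subset (unsigned integers and definite-length arrays of at most 255 elements) with a MaxDepth option, plus a constructed payload of nested single-element arrays. The byte layout (major type in the top three bits, 0x81 = one-element array, 0x18 = one-byte argument) follows RFC 8949; the Decoder type, the NestedArrays helper and the cap semantics are this example's own.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrDepthExceeded is returned, instead of recursing further, once the
// input's nesting passes MaxDepth.
var ErrDepthExceeded = errors.New("cbor: nesting depth exceeds limit")

// Decoder decodes a small CBOR subset. MaxDepth <= 0 means no cap: the
// recursion is then bounded only by the goroutine stack, which is the
// condition the advisories describe. Go treats exhausting that stack as a
// fatal runtime error, so no recover() in the caller would catch it.
type Decoder struct {
	MaxDepth int
}

// Decode parses exactly one item from data.
func (d Decoder) Decode(data []byte) (interface{}, error) {
	r := bytes.NewReader(data)
	v, err := d.decode(r, 0)
	if err != nil {
		return nil, err
	}
	if r.Len() != 0 {
		return nil, fmt.Errorf("cbor: %d trailing bytes", r.Len())
	}
	return v, nil
}

// decode reads one item; depth is the number of arrays enclosing it.
func (d Decoder) decode(r *bytes.Reader, depth int) (interface{}, error) {
	b, err := r.ReadByte()
	if err != nil {
		return nil, io.ErrUnexpectedEOF
	}
	major, info := b>>5, b&0x1f
	n := uint64(info)
	switch {
	case info == 24: // the argument is in the following byte
		x, err := r.ReadByte()
		if err != nil {
			return nil, io.ErrUnexpectedEOF
		}
		n = uint64(x)
	case info > 24:
		return nil, fmt.Errorf("cbor: unsupported additional info %d", info)
	}
	switch major {
	case 0: // unsigned integer, a leaf
		return n, nil
	case 4: // array: one recursive call per element, one level deeper
		if d.MaxDepth > 0 && depth+1 > d.MaxDepth {
			return nil, ErrDepthExceeded // refuse before pushing another frame
		}
		items := make([]interface{}, 0, n)
		for i := uint64(0); i < n; i++ {
			item, err := d.decode(r, depth+1)
			if err != nil {
				return nil, err
			}
			items = append(items, item)
		}
		return items, nil
	default:
		return nil, fmt.Errorf("cbor: unsupported major type %d", major)
	}
}

// NestedArrays is the constructed attacker payload: n one-element arrays
// wrapped around the integer 0, i.e. 0x81 repeated n times then 0x00.
// Each byte costs a depth-unaware decoder one more stack frame.
func NestedArrays(n int) []byte {
	return append(bytes.Repeat([]byte{0x81}, n), 0x00)
}

// Depth returns how many arrays deep a decoded value goes.
func Depth(v interface{}) int {
	items, ok := v.([]interface{})
	if !ok {
		return 0
	}
	deepest := 0
	for _, it := range items {
		if d := Depth(it); d > deepest {
			deepest = d
		}
	}
	return deepest + 1
}

func main() {
	_, err := (Decoder{MaxDepth: 64}).Decode(NestedArrays(1_000_000))
	fmt.Println("capped decoder on 1,000,000 levels:", err)
	v, err := (Decoder{}).Decode(NestedArrays(1000))
	fmt.Println("uncapped decoder on 1000 levels: depth", Depth(v), "err", err)
}
```

The capped call fails after reading 64 bytes of the million-byte payload; the uncapped call happily decodes 1000 levels, and a large enough payload would drive it into the runtime's stack limit instead of returning an error. The cap is checked before the recursive call, not after, which is what makes the bound a bound.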
Nmap
added 2012/07/01 9:55 a.m. · 378 views

http-sitemap-generator NSE Script

Spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document. Script Arguments http-sitemap-generator.withindomain only spider URLs...

CVSS 10 · AI score 0.1 · EPSS 0.94176
Exploits 33