24 matches found
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception through the link validation. An attacker can cause the application to crash or become unresponsive by submitting deeply nested input that triggers an unhandled RangeError exception. This is only exploitable if input...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception through the link validation. An attacker can cause the application to crash or become unresponsive by submitting deeply nested input that triggers an unhandled RangeError exception. This is only exploitable if input...
OESA-2026-2487 jq security update
jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fixes: jq is ...
Uncontrolled Recursion
Overview sqlfluff is a The SQL Linter for Humans Affected versions of this package are vulnerable to Uncontrolled Recursion through the ParseContext and parser recursion in the SQL parser components. An attacker can exhaust parser stack depth and force repeated parse failures by supplying deeply...
CVE-2026-41257
A flaw was found in jq, a command line JSON processor. The memory allocation size is calculated using a signed integer that can overflow when processing deeply nested generator forks. This integer overflow allows an attacker who can supply a sufficiently nested input to influence the memory...
CVE-2026-43896
A flaw was found in jq, a command line JSON processor. The jvobjectmergerecursive function, reachable via the operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input...
CVE-2026-40612
A flaw was found in jq, a command line JSON processor. The jvcontains function does not have a depth limit when processing nested arrays or objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application...
PT-2026-39942
Issuing an ICMP ping via the net ping shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the resulting echo reply are...
CVE-2026-40612
jq is a command-line JSON processor. In 1.8.1 and earlier, jvcontains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure built programmatically with reduce, since the JSON parser caps at depth 10000, the C stack is exhausted...
CVE-2026-34211
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions...
PT-2026-30273
Summary The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions e.g., 2000 nested parentheses, causing a RangeError:...
CVE-2026-33532
Summary: CVE-2026-33532 affects the yaml JavaScript library. The vulnerability is in the compose/resolve phase of the parser, where a recursive call path without a depth bound can cause a RangeError: Maximum call stack size exceeded when parsing YAML input (typical payload ~2–10 KB). This can lea...
Allocation of Resources Without Limits or Throttling
Overview cbor2 is a CBOR deserializer with extensive tag support Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding of CBOR payloads. An attacker can cause the application to crash by submitting deeply nested input that trigger...
Uncontrolled Recursion
Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Uncontrolled Recursion via the JSONTaggedDecoder.decodeobj function in jsontags.py. An attacker can cause the application to crash by submittin...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion in the convcontentmodel function when parsing an inline document type definition containing a deeply nested content model. An attacker can cause a stack overflow and crash the process by providing specially crafte...
Uncontrolled Recursion
Overview xgrammar is an Efficient, Flexible and Portable Structured Generation Affected versions of this package are vulnerable to Uncontrolled Recursion through the handling of multi-level nested grammar rules. An attacker can cause a segmentation fault and crash the application by submitting...
Allocation of Resources Without Limits or Throttling
Overview sqlatypemodel is a Typed JSON fields for SQLAlchemy with automatic mutation tracking Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to uncontrolled recursion when processing deeply nested JSON-like structures. An attacker can...
TencentOS Server 4: jackson-core (TSSA-2025:0585)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0585 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
GHSA-HVQ2-WF92-J4F3 express-xss-sanitizer has an unbounded recursion depth
Security Advisory: express-xss-sanitizer Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects. Affected Versions - All versions prior to 2.0.1 Patched Versions - 2.0.1 and later Description The sanitize...
SUSE CVE-2025-52999
jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly...