CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.4)  

CWE-674: Uncontrolled Recursion

 
Uncontrolled Recursion
Weakness ID: 674 (Weakness Base)Status: Draft
+ Description

Description Summary

The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack.
+ Alternate Terms
Stack Exhaustion
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
ScopeEffect
Availability

Technical Impact: DoS: resource consumption (CPU); DoS: resource consumption (memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality

Technical Impact: Read application data

In some cases, an application's interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path.

+ Observed Examples
ReferenceDescription
CVE-2007-1285Deeply nested arrays trigger stack exhaustion.
CVE-2007-3409Self-referencing pointers create infinite loop and resultant stack exhaustion.
+ Potential Mitigations

Phase: Implementation

Limit the number of recursive calls to a reasonable number.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory361Time and State
Development Concepts (primary)699
ChildOfCategoryCategory730OWASP Top Ten 2004 Category A9 - Denial of Service
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfWeakness BaseWeakness Base834Excessive Iteration
Research Concepts (primary)1000
ChildOfCategoryCategory892SFP Cluster: Resource Management
Software Fault Pattern (SFP) Clusters (primary)888
ParentOfWeakness VariantWeakness Variant776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Development Concepts (primary)699
Research Concepts (primary)1000
MemberOfViewView884CWE Cross-section
CWE Cross-section (primary)884
+ Affected Resources
  • CPU
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
OWASP Top Ten 2004A9CWE_More_SpecificDenial of Service
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2009-03-10CWE Content TeamMITREInternal
updated Related_Attack_Patterns
2011-03-29CWE Content TeamMITREInternal
updated Relationships
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
2013-02-21CWE Content TeamMITREInternal
updated Relationships
Back to top
Page Last Updated: February 20, 2013
 

CWE is co-sponsored by the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2013, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us