Uncontrolled Recursion
Weakness ID: 674 (Weakness Base)
Status: Draft
+ Description

Description Summary

The product does not properly control the amount of recursion that takes place, which consumes excessive resources, such as allocated memory or the program stack.
+ Alternate Terms
Stack Exhaustion
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

+ Common Consequences
Scope: Availability
Effect: Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Scope: Confidentiality
Effect: In some cases, an application's interpreter might kill a process or thread that appears to be consuming too many resources, such as with PHP's memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application's installation path.

+ Observed Examples
Reference: Description
  • CVE-2007-1285: Deeply nested arrays trigger stack exhaustion.
  • CVE-2007-3409: Self-referencing pointers create infinite loop and resultant stack exhaustion.
+ Potential Mitigations

Limit the number of recursive calls to a reasonable number.
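
One way to apply this limit, as an added example that is not part of the CWE entry: a recursive parser for nested arrays (the kind of input described for CVE-2007-1285) that carries an explicit depth counter. The bracketed input format, the MAX_DEPTH value and all names are assumptions made for illustration.

```python
# Added illustration: the input format, names and limit are assumptions.
MAX_DEPTH = 64  # assumed limit; set it to the deepest nesting legitimate input needs


class NestingTooDeep(ValueError):
    """Raised when input nests deeper than MAX_DEPTH."""


def parse_list(text, pos=0, depth=1):
    """Parse a nested integer list such as "[1,[2,3],[]]" starting at text[pos].

    Returns (value, next_pos). The depth counter is checked on entry to every
    recursive call, so hostile input is rejected with a controlled error
    instead of exhausting the stack. The grammar is deliberately minimal.
    """
    if depth > MAX_DEPTH:
        # Generic message: no file paths or internals leak to the caller.
        raise NestingTooDeep(f"nesting exceeds {MAX_DEPTH} levels")
    if pos >= len(text) or text[pos] != "[":
        raise ValueError(f"expected '[' at offset {pos}")
    pos += 1
    items = []
    while pos < len(text) and text[pos] != "]":
        if text[pos] == "[":
            value, pos = parse_list(text, pos, depth + 1)  # one level deeper
        else:
            end = pos
            while end < len(text) and text[end].isdigit():
                end += 1
            if end == pos:
                raise ValueError(f"expected integer or '[' at offset {pos}")
            value, pos = int(text[pos:end]), end
        items.append(value)
        if pos < len(text) and text[pos] == ",":
            pos += 1
    if pos >= len(text):
        raise ValueError("unterminated list")
    return items, pos + 1  # skip the closing ']'


def parse(text):
    """Parse a complete document; reject trailing data."""
    value, end = parse_list(text)
    if end != len(text):
        raise ValueError(f"trailing data at offset {end}")
    return value
```

Input of 100,000 opening brackets stops at level 65 with NestingTooDeep rather than running until the interpreter or the stack gives out.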

+ Relationships
Nature, Type, ID, Name, View(s) this relationship pertains to
  • ChildOf, Category, 361, Time and State, Development Concepts (primary) 699
  • ChildOf, Weakness Class, 691, Insufficient Control Flow Management, Research Concepts (primary) 1000
  • ChildOf, Category, 730, OWASP Top Ten 2004 Category A9 - Denial of Service, Weaknesses in OWASP Top Ten (2004) (primary) 711
+ Affected Resources
  • CPU
+ Taxonomy Mappings
Mapped Taxonomy Name, Node ID, Fit, Mapped Node Name
  • OWASP Top Ten 2004, A9, CWE More Specific, Denial of Service
+ Related Attack Patterns
CAPEC-ID: Attack Pattern Name (CAPEC Version: 1.4)
  • 82: Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
  • 99: XML Parser Attack
+ Content History
Modifications
Modification Date, Modifier, Organization, Source
  • 2008-07-01, Eric Dalci, Cigital, External: updated Potential Mitigations, Time of Introduction
  • 2008-09-08, CWE Content Team, MITRE, Internal: updated Common Consequences, Relationships, Taxonomy Mappings
  • 2009-03-10, CWE Content Team, MITRE, Internal: updated Related Attack Patterns