Monthly
Denial of service in the Elixir/Erlang Hex package protobuf (>= 0.8.0, < 0.16.1) allows an unauthenticated remote attacker to crash any service that decodes untrusted protobuf messages into a self-referential or cyclic message type. Because Protobuf.Decoder performs unbounded, non-tail recursion over embedded message fields, a small request body (a few KB to a few MB) can nest a field hundreds of thousands to millions of levels deep, forcing the BEAM to retain one stack/heap frame per level until it exhausts memory and pins a scheduler; a handful of concurrent requests take the node offline. This is a request-amplification DoS with a publicly available proof-of-concept, but no CISA KEV listing and no evidence of active exploitation; no CVSS or EPSS score is provided in the source data.
Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.
Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.
Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.
Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.
Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.
Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.
Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.
Denial of service in the Elixir/Erlang Hex package protobuf (>= 0.8.0, < 0.16.1) allows an unauthenticated remote attacker to crash any service that decodes untrusted protobuf messages into a self-referential or cyclic message type. Because Protobuf.Decoder performs unbounded, non-tail recursion over embedded message fields, a small request body (a few KB to a few MB) can nest a field hundreds of thousands to millions of levels deep, forcing the BEAM to retain one stack/heap frame per level until it exhausts memory and pins a scheduler; a handful of concurrent requests take the node offline. This is a request-amplification DoS with a publicly available proof-of-concept, but no CISA KEV listing and no evidence of active exploitation; no CVSS or EPSS score is provided in the source data.
Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.
Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.
Memory exhaustion via uncontrolled recursion in Mojo::JSON's pure-Perl decoder allows network-accessible callers to cause denial of service in Mojolicious applications. All versions before 9.47 are affected when the pure-Perl decode path is active - specifically when Cpanel::JSON::XS is absent or MOJO_NO_JSON_XS=1 is set. No public exploit has been identified and EPSS sits at 0.19% (8th percentile), but the attack is conceptually trivial given the published patch diff and OSS-Security advisory.
Denial of service in pdfcpu (the Go PDF processing library and CLI) through v0.11.1 lets a remote attacker crash any application that parses attacker-supplied PDFs by submitting a document with deeply nested objects. The parser follows nested arrays recursively via ParseObjectContext() and parseArray() with no depth cap, so a crafted file exhausts the goroutine stack and aborts the process. No public exploit is identified at time of analysis and EPSS is low (0.17%, 7th percentile), consistent with an availability-only bug rather than a code-execution risk.
Denial of service in Elasticsearch allows any authenticated user to crash an affected cluster node by submitting a specially crafted query that triggers uncontrolled recursion during query processing. Excessive resource consumption during request handling can render the targeted node unavailable, disrupting search and indexing operations for all dependent applications. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the low privilege requirement makes it accessible to any user with query access.
Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Stack exhaustion in the mdex and mdex_native Elixir Markdown libraries causes entire-node denial of service when processing attacker-controlled deeply nested Markdown. Two mutually recursive Rust NIF functions, ex_document_to_comrak_ast and comrak_ast_to_ex_document in document.rs, traverse the Comrak AST without enforcing a maximum nesting depth; a document with thousands of nested block quotes drives unbounded recursion that overflows the native C stack. Because the resulting SIGSEGV is raised inside a NIF, the Erlang runtime cannot catch it - the OS process hosting the BEAM terminates, killing every Elixir and Erlang process on the node. No public exploit has been identified at time of analysis, but the attack requires only crafted Markdown input with no authentication.
Stack exhaustion in p11-kit's RPC server crashes the daemon and any dependent cryptographic services on affected Red Hat systems. The vulnerability exists in the PKCS#11 RPC message parsing layer, where two attribute-handling functions form a mutually-recursive call chain with no depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes - allowing any local user or process with socket access to crash the server by sending a single crafted request. No public exploit or active exploitation has been identified at time of analysis, and impact is limited to availability (denial of service) with no confidentiality or integrity consequence.