Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-674 Classe Brouillon
Uncontrolled Recursion
This vulnerability occurs when an application fails to limit how deeply a function can call itself. Without proper controls, this uncontrolled recursion can exhaust system resources like memory or…
Définition
What is CWE-674?
This vulnerability occurs when an application fails to limit how deeply a function can call itself. Without proper controls, this uncontrolled recursion can exhaust system resources like memory or stack space, leading to crashes or denial-of-service.
Uncontrolled recursion happens when a recursive function lacks a proper termination condition or depth limit. This allows it to run indefinitely or until it consumes all available stack memory, causing a stack overflow. Common triggers include processing deeply nested user input (like XML/JSON), complex graph traversals, or mathematical sequences without safety checks. Developers should always implement a maximum recursion depth or convert recursive logic to iterative loops for critical operations.
Detecting these flaws manually in a large codebase is challenging, as recursion paths can be complex. While SAST tools can identify the risky pattern, Plexicus uses AI to not only flag the issue but also generate specific, safe code fixes—such as adding depth counters or suggesting iterative alternatives—saving significant manual review and remediation time.
Impact réel
Real-world CVEs caused by CWE-674
-
Deeply nested arrays trigger stack exhaustion.
-
Self-referencing pointers create infinite loop and resultant stack exhaustion.
-
Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
-
An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
-
USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
Identifier un chemin de code qui traite des entrées non fiables sans validation.
- 2
Élaborer une charge utile qui exploite le comportement non sécurisé — injection, traversal, débordement ou abus de logique.
- 3
Délivrer la charge utile via une requête normale et observer la réaction de l'application.
- 4
Itérer jusqu'à ce que la réponse divulgue des données, exécute le code de l'attaquant ou élève les privilèges.
Exemple de code vulnérable
Vulnerable C
In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.
void do_something_recursive (int flg)
{
```
... // Do some real work here, but the value of flg is unmodified
if (flg) { do_something_recursive (flg); } // flg is never modified so it is always TRUE - this call will continue until the stack explodes
}
int flag = 1; // Set to TRUE
do_something_recursive (flag); Exemple de code sécurisé
Secure C
Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.
void do_something_recursive (int flg)
{
```
... // Do some real work here
// Modify value of flg on done condition
if (flg) { do_something_recursive (flg); } // returns when flg changes to 0
}
int flag = 1; // Set to TRUE
do_something_recursive (flag); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-674
- Implementation Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.
- Implementation Increase the stack size.
Signaux de détection
How to detect CWE-674
Plexicus détecte automatiquement CWE-674 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-674 ?
Quelle est la gravité de CWE-674 ?
Quels langages ou plateformes sont affectés par CWE-674 ?
Comment puis-je prévenir CWE-674 ?
Comment Plexicus détecte et corrige CWE-674 ?
Où puis-je en savoir plus sur CWE-674 ?
Frequently asked questions
Qu'est-ce que CWE-674 ?
This vulnerability occurs when an application fails to limit how deeply a function can call itself. Without proper controls, this uncontrolled recursion can exhaust system resources like memory or stack space, leading to crashes or denial-of-service.
Quelle est la gravité de CWE-674 ?
MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.
Quels langages ou plateformes sont affectés par CWE-674 ?
MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.
Comment puis-je prévenir CWE-674 ?
Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action. Increase the stack size.
Comment Plexicus détecte et corrige CWE-674 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-674 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-674 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/674.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-674
CWE-834 Parent
Excessive Iteration
This vulnerability occurs when a program runs a loop too many times because it lacks proper limits on its iterations.
CWE-1322 Frère
Use of Blocking Code in Single-threaded, Non-blocking Context
This vulnerability occurs when an application designed to be single-threaded and non-blocking, for performance and scalability,…
CWE-835 Frère
Loop with Unreachable Exit Condition ('Infinite Loop')
An infinite loop occurs when a program's iteration logic contains an exit condition that can never be satisfied, causing the loop to run…
CWE-776 Enfant
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
This vulnerability occurs when an XML parser allows Document Type Definitions (DTDs) to contain recursively defined entities without…
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.