CWE-674: Uncontrolled Recursion

Description

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Potential Impact

Availability

DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Confidentiality

Read Application Data

Demonstrative Examples

In this example a mistake exists in the code where the exit condition contained in flg is never called. This results in the function calling itself over and over again until the stack is exhausted.

Bad

void do_something_recursive (int flg)
	    {
	    
	      ... // Do some real work here, but the value of flg is unmodified
	      if (flg) { do_something_recursive (flg); }    // flg is never modified so it is always TRUE - this call will continue until the stack explodes
	    
	    }
	    int flag = 1; // Set to TRUE
	    do_something_recursive (flag);

Note that the only difference between the Good and Bad examples is that the recursion flag will change value and cause the recursive call to return.

Good

void do_something_recursive (int flg)
	    {
	    
	      ... // Do some real work here
	      // Modify value of flg on done condition
	      if (flg) { do_something_recursive (flg); }    // returns when flg changes to 0
	    
	    }
	    int flag = 1; // Set to TRUE
	    do_something_recursive (flag);

Mitigations & Prevention

Implementation Moderate

Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Implementation Limited

Increase the stack size.

Detection Methods

Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID	Description
CVE-2007-1285	Deeply nested arrays trigger stack exhaustion.
CVE-2007-3409	Self-referencing pointers create infinite loop and resultant stack exhaustion.
CVE-2016-10707	Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
CVE-2016-3627	An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
CVE-2019-15118	USB-audio driver's descriptor code parsing allows unlimited recursion leading to stack exhaustion.

Taxonomy Mappings

OWASP Top Ten 2004: A9 — Denial of Service
Software Fault Patterns: SFP13 — Unrestricted Consumption
OMG ASCRM: ASCRM-CWE-674 —

Frequently Asked Questions

What is CWE-674?

CWE-674 (Uncontrolled Recursion) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

How can CWE-674 be exploited?

Attackers can exploit CWE-674 (Uncontrolled Recursion) to dos: resource consumption (cpu), dos: resource consumption (memory). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-674?

Key mitigations include: Ensure that an end condition will be reached under all logic conditions. The end condition may include checking against the depth of recursion and exiting with an error if the recursion goes too deep

What is the severity of CWE-674?

CWE-674 is classified as a Class-level weakness (High abstraction). It has been observed in 5 real-world CVEs.