Corgea LogoCorgea Security Hub

CWE-674: Uncontrolled Recursion

Learn about CWE-674 (Uncontrolled Recursion), its security impact, exploitation methods, and prevention guidelines.

What is Uncontrolled Recursion?

• Overview: Uncontrolled recursion occurs when a function calls itself without a proper exit condition or depth limitation, potentially leading to excessive resource consumption like memory or stack overflow.

• Exploitation Methods:

  • Attackers can exploit this by triggering functions with inputs that cause deep or infinite recursion, leading to denial of service.
  • Common attack patterns include feeding unexpected input that bypasses base cases or termination conditions.

• Security Impact:

  • Direct consequences include application crashes or system instability due to stack overflow.
  • Potential cascading effects might include service downtime or unavailability and resource exhaustion affecting other processes.
  • Business impact can be significant, leading to loss of customer trust, financial loss, and damage to brand reputation.

• Prevention Guidelines:

  • Specific code-level fixes include implementing and verifying proper base cases and limiting recursion depth.
  • Security best practices involve thorough input validation and using iterative solutions where possible.
  • Recommended tools and frameworks include static analysis tools to detect recursion issues and languages or frameworks with built-in recursion limits.

Corgea can automatically detect and fix Uncontrolled Recursion in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

function factorial(n) {
    // This function calculates the factorial of a number using recursion.
    // It does not control the recursion depth, leading to potential stack overflow.
    if (n < 0) {
        throw new Error("Negative numbers are not allowed"); // Handle invalid input
    }
    if (n <= 1) {
        return 1;
    } else {
        return n * factorial(n - 1);  // Recursive call without control
    }
}

How to fix Uncontrolled Recursion?

To mitigate uncontrolled recursion in JavaScript, you can introduce a termination condition based on recursion depth. This involves adding an additional parameter to track the recursion depth and impose a limit. Additionally, consider using iterative solutions for problems prone to deep recursion to avoid hitting JavaScript's limited stack size.

Fixed Code Example

function factorial(n, maxDepth = 1000, currentDepth = 0) {
    // This function calculates the factorial of a number using recursion.
    // It includes a check to prevent excessive recursion depth.
    if (n < 0) {
        throw new Error("Negative numbers are not allowed"); // Handle invalid input
    }
    if (currentDepth > maxDepth) {
        throw new Error("Maximum recursion depth exceeded");  // Throw error if depth exceeded
    }
    if (n <= 1) {
        return 1;
    } else {
        return n * factorial(n - 1, maxDepth, currentDepth + 1);  // Pass current depth
    }
}

These examples demonstrate the importance of controlling recursion depth to prevent resource exhaustion and ensure the stability and reliability of software systems. By adding a depth check, you prevent the stack overflow that can occur with uncontrolled recursion. Additionally, handling negative inputs ensures the function behaves correctly and safely.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-674: Uncontrolled Recursion and get remediation guidance

Start for free and no credit card needed.