{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/recursion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xmldom"],"_cs_severities":["medium"],"_cs_tags":["dos","xmldom","recursion","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003exmldom\u003c/code\u003e library is susceptible to a denial-of-service (DoS) vulnerability due to uncontrolled recursion in XML serialization. Seven recursive traversals within \u003ccode\u003elib/dom.js\u003c/code\u003e lack depth limits, causing a \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e and crashing the application when processing deeply nested XML documents. Publicly disclosed on 2026-04-06, the vulnerability impacts multiple functions, including \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e, and others related to DOM manipulation. This issue arises from the library\u0026rsquo;s pure-JavaScript recursive implementation of DOM operations, which exhausts the call stack. Exploitation requires no authentication or special options, affecting applications that process attacker-controlled XML using vulnerable \u003ccode\u003exmldom\u003c/code\u003e versions ( \u0026lt; 0.8.13, \u0026gt;= 0.9.0 and \u0026lt; 0.9.10, and \u0026lt;= 0.6.0).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious XML document with deeply nested elements.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application receives and parses the crafted XML document using \u003ccode\u003eDOMParser.parseFromString()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application subsequently calls one of the affected DOM operations, such as \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eserializeToString()\u003c/code\u003e, \u003ccode\u003egetElementsByTagName()\u003c/code\u003e, or \u003ccode\u003ecloneNode(true)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe affected function initiates a recursive traversal of the deeply nested XML structure within \u003ccode\u003elib/dom.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEach level of nesting consumes a JavaScript call stack frame.\u003c/li\u003e\n\u003cli\u003eThe recursive calls continue until the JavaScript engine\u0026rsquo;s call stack is exhausted.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exception is thrown.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to the uncaught exception, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial-of-service condition. Any service parsing attacker-controlled XML with a vulnerable version of \u003ccode\u003exmldom\u003c/code\u003e can be crashed by a single crafted payload. This can lead to failed request processing. In deployments where uncaught exceptions terminate the worker or process, the impact can extend beyond a single request and disrupt service availability more broadly. Tests show that stack exhaustion occurs with nesting depths between 5,000 and 10,000 levels depending on the operation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e to version \u0026gt;= 0.8.13 or \u0026gt;= 0.9.10 to remediate CVE-2026-41673.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider implementing input validation to limit the nesting depth of XML documents processed by applications using \u003ccode\u003exmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exceptions originating from \u003ccode\u003elib/dom.js\u003c/code\u003e, which could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xmldom-dos/","summary":"The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in XML serialization leading to application crashes.","title":"xmldom Uncontrolled Recursion DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40879"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["denial-of-service","nestjs","recursion","cve-2026-40879","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNestJS, a Node.js framework for server-side applications, is vulnerable to an uncontrolled recursion issue. Prior to version 11.1.19, a malicious actor could exploit CVE-2026-40879 by sending a crafted TCP frame containing numerous small, valid JSON messages to a vulnerable NestJS application. The \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each message, causing the buffer to shrink with each call. This bypasses the \u003ccode\u003emaxBufferSize\u003c/code\u003e limit and leads to a call stack overflow. A payload as small as 47 KB is sufficient to trigger a \u003ccode\u003eRangeError\u003c/code\u003e and crash the application. This vulnerability allows for a denial-of-service attack. The vulnerability has been patched in NestJS version 11.1.19.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NestJS application running a version prior to 11.1.19.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a TCP packet containing multiple small, valid JSON messages.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted TCP packet to the vulnerable NestJS application.\u003c/li\u003e\n\u003cli\u003eThe NestJS application\u0026rsquo;s \u003ccode\u003ehandleData()\u003c/code\u003e function receives the TCP packet.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleData()\u003c/code\u003e function recursively processes each JSON message in the packet.\u003c/li\u003e\n\u003cli\u003eWith each recursive call, the buffer shrinks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emaxBufferSize\u003c/code\u003e is never reached because of the stack overflow.\u003c/li\u003e\n\u003cli\u003eThe call stack overflows, leading to a \u003ccode\u003eRangeError\u003c/code\u003e and application crash, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40879 leads to a denial-of-service condition. A single attacker can potentially bring down a vulnerable NestJS application with a relatively small payload of approximately 47KB. This can impact businesses relying on the affected NestJS application, leading to service disruptions and potential data loss. The vulnerability affects any application using NestJS versions before 11.1.19, making a large number of applications potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all NestJS applications to version 11.1.19 or later to patch CVE-2026-40879.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious NestJS TCP Payload\u003c/code\u003e to identify potentially malicious TCP traffic targeting NestJS applications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for large TCP packets containing many small JSON messages, which may indicate an attempted exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-nest-recursion-dos/","summary":"NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.","title":"NestJS Uncontrolled Recursion Denial-of-Service Vulnerability (CVE-2026-40879)","url":"https://feed.craftedsignal.io/briefs/2026-04-nest-recursion-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Recursion","version":"https://jsonfeed.org/version/1.1"}