Finding Critical Flaws in Secure Systems

Low-effort denial of service with recursion

Using a simple CodeQL query, our team discovered that maliciously crafted inputs can crash systems that process user input recursively - a practice we found surprisingly common even among security-conscious projects like ElasticSearch, OpenSearch, and Google's Protocol Buffers. Our white paper covers:

  • Why recursive processing of user input is a widespread security risk, even in sophisticated codebases
  • How we discovered multiple CVEs in major projects using a simple CodeQL query
  • Practical guidance on identifying and eliminating recursive vulnerabilities in your systems
Whitepaper Preview