From find-cve-agent
Detects recursion DoS vulnerabilities (stack overflow and OOM) in recursive parsers, tree walkers, and serializers that lack depth limits. Audits JS/TS/Python/Go code via grep patterns and nested-input tests.

npx claudepluginhub byamb4/find-cve-agent

This skill uses the workspace's default tool permissions.
Audit parsers, serializers, tree walkers, deep clone/merge functions, and any recursive function that processes user-controlled data structures with unbounded nesting depth.
| Crash Type | Severity | Catchable? | Process Dies? |
|---|---|---|---|
| OOM (heap exhaustion) | HIGH 7.5 | NO | YES -- uncatchable, process killed |
| RangeError (stack overflow) | MEDIUM 5.3-6.5 | YES (try/catch) | Only if uncaught |
An OOM crash kills the process regardless of error handling, so it is HIGH severity. A RangeError (stack overflow) can be caught with try/catch, so it is HIGH only if the library does NOT catch it.
```bash
grep -rn "function.*recurse\|function.*recursive\|function.*walk\|function.*traverse" .
grep -rn "function.*serialize\|function.*stringify\|function.*clone\|function.*deep" .
grep -rn "function.*parse\|function.*process\|function.*visit\|function.*transform" .
```
Look for functions that call themselves:
```bash
# Find function definitions and then check if they self-reference
grep -rn "function\s\+\w\+" . --include="*.js" | head -50
# Then for each function name, check if it calls itself
```
Check whether any depth or recursion limit is already enforced:

```bash
grep -rn "maxDepth\|max_depth\|depthLimit\|depth_limit\|MAX_DEPTH" .
grep -rn "depth\s*>\|depth\s*>=\|depth\s*<\|depth\s*<=" .
grep -rn "recursion.*limit\|stack.*limit\|nesting.*limit" .
```
Create deeply nested input matching the data format:
```javascript
// JSON-like nesting (object depth)
let nestedObject = "x";
for (let i = 0; i < 100000; i++) {
  nestedObject = { a: nestedObject };
}
```

```javascript
// String-based nesting (text handed to a parser)
let nestedString = "a";
for (let i = 0; i < 100000; i++) {
  nestedString = "[" + nestedString + "]";
}
```
```javascript
// Run in a subprocess so a crash cannot take down the auditing process.
// The payload is built inside the child: a 100000-deep value could not be
// passed through JSON.stringify without overflowing the stack itself.
const { execFileSync } = require('child_process');
const childScript = `
  const pkg = require('./');
  let payload = "a";
  for (let i = 0; i < 100000; i++) payload = "[" + payload + "]";
  pkg.parse(payload);
`;
try {
  // execFileSync bypasses the shell, so the script needs no quoting
  execFileSync('node', ['-e', childScript], {
    timeout: 10000,
    maxBuffer: 1024 * 1024 // room for the OOM fatal-error trace on stderr
  });
} catch (e) {
  if (e.status === null && e.signal === 'SIGTERM') {
    console.log('[?] Timeout: child was killed after 10s (hang, not a crash)');
  } else if (e.status === null) {
    console.log('[+] OOM: process killed by ' + e.signal + ' (HIGH severity)');
  } else {
    console.log('[!] RangeError: uncaught in child but catchable (MEDIUM severity)');
  }
}
```
Vulnerable patterns to look for:

```javascript
// Tree walker: recursion depth follows the input with no bound
function parse(node) {
  if (node.children) {
    return node.children.map(child => parse(child)); // No depth limit
  }
  return node.value;
}

// Serializer: one stack frame per nesting level of the input object
function serialize(obj) {
  if (typeof obj === 'object' && obj !== null) {
    return '{' + Object.keys(obj).map(k => k + ':' + serialize(obj[k])).join(',') + '}';
  }
  return String(obj);
}

// Deep clone: no depth limit and no cycle detection
function deepClone(obj) {
  if (typeof obj !== 'object' || obj === null) return obj;
  const clone = Array.isArray(obj) ? [] : {};
  for (const key in obj) {
    clone[key] = deepClone(obj[key]); // Unbounded recursion
  }
  return clone;
}
```
Some recursive functions do not detect circular references:

```javascript
const a = {}; a.self = a;
deepClone(a); // Infinite recursion -> stack overflow
```
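Hardened counterparts to the parse and deepClone patterns above, added here as an example and not part of the skill: a depth guard that rejects over-deep input with an ordinary Error before the stack is exhausted, and a Map of already-cloned objects that handles the circular reference just shown. MAX_DEPTH, parseBounded, deepCloneSafe and the constructed inputs are assumed names and values.

```javascript
// Assumed limit; choose one that comfortably covers legitimate inputs.
const MAX_DEPTH = 512;

// Tree walker with a depth guard: fails closed with a plain Error at depth
// MAX_DEPTH + 1 instead of letting a RangeError surface deep in the stack.
function parseBounded(node, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error(`nesting depth exceeds ${MAX_DEPTH}`);
  if (node.children) {
    return node.children.map(child => parseBounded(child, depth + 1));
  }
  return node.value;
}

// Deep clone with a depth guard and cycle detection. `seen` maps each source
// object to its clone, so circular and shared references are preserved
// rather than followed forever.
function deepCloneSafe(obj, depth = 0, seen = new Map()) {
  if (typeof obj !== 'object' || obj === null) return obj;
  if (depth > MAX_DEPTH) throw new Error(`nesting depth exceeds ${MAX_DEPTH}`);
  if (seen.has(obj)) return seen.get(obj); // cycle: reuse the clone in progress
  const clone = Array.isArray(obj) ? [] : {};
  seen.set(obj, clone);
  for (const key of Object.keys(obj)) {
    clone[key] = deepCloneSafe(obj[key], depth + 1, seen);
  }
  return clone;
}

// Constructed inputs: a {children:[...]} chain and an {a:{a:...}} chain.
function nestedTree(depth) {
  let node = { value: 'leaf' };
  for (let i = 0; i < depth; i++) node = { children: [node] };
  return node;
}
function nestedObject(depth) {
  let obj = 'x';
  for (let i = 0; i < depth; i++) obj = { a: obj };
  return obj;
}

// Runs fn(arg) and returns the error text, or null, so a rejected payload
// is observable as a value instead of a crash.
function tryCall(fn, arg) {
  try { fn(arg); return null; } catch (e) { return `${e.constructor.name}: ${e.message}`; }
}

console.log(tryCall(parseBounded, nestedTree(100000))); // Error: nesting depth exceeds 512
const cyc = { name: 'a' }; cyc.self = cyc;
const c = deepCloneSafe(cyc); console.log(c !== cyc && c.self === c); // true
```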