Weakness reference
CWE-834

Excessive Iteration

Excessive Iteration occurs when code performs a loop or recursive operation without properly limiting how many times it runs. An attacker can exploit this to…

01Summary

Excessive Iteration occurs when code performs a loop or recursive operation without properly limiting how many times it runs. An attacker can exploit this to force the application to consume excessive CPU, memory, or other resources, causing performance degradation or a complete denial of service. This weakness is particularly dangerous in web applications and APIs where user input can influence loop bounds.

02How It Happens

The vulnerability arises when a loop's termination condition depends on user-controlled input or external data without validation. Common scenarios include:

- A loop that iterates over user-supplied data without checking its size first - Recursive functions that process nested structures without depth limits - Pagination or batch processing that allows unbounded page/batch sizes - String operations (splitting, searching, replacing) on untrusted input without length checks - Database queries that fetch all matching records without a LIMIT clause

The root cause is the absence of a guard that enforces a reasonable upper bound on iterations before the loop begins.

03Real-World Impact

An attacker can craft a request that triggers millions of iterations, consuming CPU cycles and memory until the application becomes unresponsive. In shared hosting environments, this can affect other users' applications. APIs may be exploited to exhaust rate-limit budgets or trigger cascading failures in dependent services. The impact ranges from temporary slowness to complete service unavailability.

04Vulnerable & Fixed Patterns

Vulnerable pattern
import json

def process_records(user_input):
    data = json.loads(user_input)
    results = []
    for record in data['items']:  # No limit on array size
        results.append(record['value'] * 2)
    return results

# Attacker sends: {"items": [1, 2, 3, ...]} with millions of items

Why it's vulnerable:
The loop iterates over every item in the user-supplied array without checking its length first. A malicious request with a massive array will cause excessive CPU and memory consumption.

Fixed pattern
import json

MAX_ITEMS = 1000

def process_records(user_input):
    data = json.loads(user_input)
    items = data.get('items', [])
    
    if len(items) > MAX_ITEMS:
        raise ValueError(f"Too many items; maximum is {MAX_ITEMS}")
    
    results = []
    for record in items:
        results.append(record['value'] * 2)
    return results
Vulnerable pattern
<?php
function fetch_user_posts($user_id, $limit) {
    global $wpdb;
    // $limit comes directly from user input
    $query = $wpdb->prepare(
        "SELECT * FROM posts WHERE user_id = %d LIMIT %d",
        $user_id,
        $limit
    );
    return $wpdb->get_results($query);
}

// Attacker passes limit = 999999999
?>

Why it's vulnerable:
The LIMIT value is not validated, allowing an attacker to request millions of rows. The database will attempt to fetch and return an enormous result set, exhausting memory and CPU.

Fixed pattern
<?php
define('MAX_LIMIT', 100);

function fetch_user_posts($user_id, $limit) {
    global $wpdb;
    
    $limit = intval($limit);
    if ($limit <= 0 || $limit > MAX_LIMIT) {
        $limit = MAX_LIMIT;
    }
    
    $query = $wpdb->prepare(
        "SELECT * FROM posts WHERE user_id = %d LIMIT %d",
        $user_id,
        $limit
    );
    return $wpdb->get_results($query);
}
?>

05Prevention Checklist

Define and enforce a maximum iteration count or data size limit before any loop begins.
Validate user-supplied parameters that influence loop bounds (array sizes, page counts, batch sizes, recursion depth).
Use built-in language or framework limits where available (e.g., max_input_vars in PHP, request size limits in web servers).
Implement timeouts on long-running operations to prevent indefinite hangs.
Log and alert on requests that approach or exceed configured limits.
Test with intentionally large inputs to verify that limits are enforced and the application fails gracefully.

06Signs You May Already Be Affected

Monitor application logs for requests with unusually large parameters (array sizes, page numbers, batch sizes). Check CPU and memory usage patterns for unexplained spikes correlated with specific API endpoints or user actions. Review database slow-query logs for queries with extremely high LIMIT values or result set sizes.

07Related Recent Vulnerabilities