Excessive Iteration occurs when code performs a loop or recursive operation without properly limiting how many times it runs. An attacker can exploit this to…
Excessive Iteration occurs when code performs a loop or recursive operation without properly limiting how many times it runs. An attacker can exploit this to force the application to consume excessive CPU, memory, or other resources, causing performance degradation or a complete denial of service. This weakness is particularly dangerous in web applications and APIs where user input can influence loop bounds.
02How It Happens
The vulnerability arises when a loop's termination condition depends on user-controlled input or external data without validation. Common scenarios include:
- A loop that iterates over user-supplied data without checking its size first
- Recursive functions that process nested structures without depth limits
- Pagination or batch processing that allows unbounded page/batch sizes
- String operations (splitting, searching, replacing) on untrusted input without length checks
- Database queries that fetch all matching records without a LIMIT clause
The root cause is the absence of a guard that enforces a reasonable upper bound on iterations before the loop begins.
03Real-World Impact
An attacker can craft a request that triggers millions of iterations, consuming CPU cycles and memory until the application becomes unresponsive. In shared hosting environments, this can affect other users' applications. APIs may be exploited to exhaust rate-limit budgets or trigger cascading failures in dependent services. The impact ranges from temporary slowness to complete service unavailability.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import json
def process_records(user_input):
data = json.loads(user_input)
results = []
for record in data['items']: # No limit on array size
results.append(record['value'] * 2)
return results
# Attacker sends: {"items": [1, 2, 3, ...]} with millions of items
Why it's vulnerable: The loop iterates over every item in the user-supplied array without checking its length first. A malicious request with a massive array will cause excessive CPU and memory consumption.
Fixed pattern
import json
MAX_ITEMS = 1000
def process_records(user_input):
data = json.loads(user_input)
items = data.get('items', [])
if len(items) > MAX_ITEMS:
raise ValueError(f"Too many items; maximum is {MAX_ITEMS}")
results = []
for record in items:
results.append(record['value'] * 2)
return results
Vulnerable pattern
<?php
function fetch_user_posts($user_id, $limit) {
global $wpdb;
// $limit comes directly from user input
$query = $wpdb->prepare(
"SELECT * FROM posts WHERE user_id = %d LIMIT %d",
$user_id,
$limit
);
return $wpdb->get_results($query);
}
// Attacker passes limit = 999999999
?>
Why it's vulnerable: The LIMIT value is not validated, allowing an attacker to request millions of rows. The database will attempt to fetch and return an enormous result set, exhausting memory and CPU.
Fixed pattern
<?php
define('MAX_LIMIT', 100);
function fetch_user_posts($user_id, $limit) {
global $wpdb;
$limit = intval($limit);
if ($limit <= 0 || $limit > MAX_LIMIT) {
$limit = MAX_LIMIT;
}
$query = $wpdb->prepare(
"SELECT * FROM posts WHERE user_id = %d LIMIT %d",
$user_id,
$limit
);
return $wpdb->get_results($query);
}
?>
05Prevention Checklist
Define and enforce a maximum iteration count or data size limit before any loop begins.
Use built-in language or framework limits where available (e.g., max_input_vars in PHP, request size limits in web servers).
Implement timeouts on long-running operations to prevent indefinite hangs.
Log and alert on requests that approach or exceed configured limits.
Test with intentionally large inputs to verify that limits are enforced and the application fails gracefully.
06Signs You May Already Be Affected
Monitor application logs for requests with unusually large parameters (array sizes, page numbers, batch sizes). Check CPU and memory usage patterns for unexplained spikes correlated with specific API endpoints or user actions. Review database slow-query logs for queries with extremely high LIMIT values or result set sizes.