Denial of Service using recursions: not even Rust is going to save you — Alexis Challande
Date: 3 June 2026 at 17:00 (15 min)
Recursive functions are a fundamental programming pattern for processing nested data structures. However, recursion on untrusted input introduces a frequently overlooked vulnerability: an attacker who controls the nesting depth of the input can drive the recursion deep enough to exhaust the call stack and crash the process, a Denial of Service (DoS). This vulnerable pattern affects many programming languages, including memory-safe ones such as Rust, where a stack overflow is not a memory-corruption bug but still aborts the program. This paper is twofold. First, we document the journey of building an effective CodeQL query that detects recursive functions, including the challenges and iterations required to make it work in practice. Second, we apply the query to real-world codebases and present analyses of the vulnerabilities discovered in major open source projects.
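To make the pattern concrete, here is an added Rust example (not code from the paper or from any project it analyzes): a minimal recursive-descent parser for nested lists such as "[[][]]", first in the vulnerable form where the input alone decides how deep the recursion goes, then with an explicit depth limit. The grammar, the function names and the limit of 64 are illustrative choices, and the hostile input is constructed locally.

```rust
// Added example, not the paper's code. `parse_unbounded` is the vulnerable
// pattern (one stack frame per nesting level, no limit); `parse_bounded` is
// the same parser with an explicit depth check. Limit and grammar are illustrative.

#[derive(Debug, PartialEq)]
pub enum Node {
    List(Vec<Node>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Unexpected(usize), // unexpected byte at this offset
    Truncated,         // input ended inside an open list
    TooDeep(usize),    // nesting exceeded the configured limit
}

/// Vulnerable: recursion depth is controlled entirely by the input. A few
/// million nested "[" overflow the thread stack and the process aborts; Rust
/// turns this into a clean abort instead of memory corruption, but it is still a DoS.
pub fn parse_unbounded(input: &[u8]) -> Result<Node, ParseError> {
    fn list(input: &[u8], mut pos: usize) -> Result<(Node, usize), ParseError> {
        if input.get(pos).copied() != Some(b'[') {
            return Err(ParseError::Unexpected(pos));
        }
        pos += 1;
        let mut children = Vec::new();
        loop {
            match input.get(pos).copied() {
                None => return Err(ParseError::Truncated),
                Some(b']') => return Ok((Node::List(children), pos + 1)),
                Some(b'[') => {
                    let (child, next) = list(input, pos)?; // unchecked recursion
                    children.push(child);
                    pos = next;
                }
                Some(_) => return Err(ParseError::Unexpected(pos)),
            }
        }
    }
    finish(input, list(input, 0)?)
}

/// Hardened: identical grammar, but each recursive call carries its depth and
/// refuses to exceed `max_depth`, returning an error instead of crashing.
pub fn parse_bounded(input: &[u8], max_depth: usize) -> Result<Node, ParseError> {
    fn list(input: &[u8], mut pos: usize, depth: usize, max_depth: usize) -> Result<(Node, usize), ParseError> {
        if depth > max_depth {
            return Err(ParseError::TooDeep(depth));
        }
        if input.get(pos).copied() != Some(b'[') {
            return Err(ParseError::Unexpected(pos));
        }
        pos += 1;
        let mut children = Vec::new();
        loop {
            match input.get(pos).copied() {
                None => return Err(ParseError::Truncated),
                Some(b']') => return Ok((Node::List(children), pos + 1)),
                Some(b'[') => {
                    let (child, next) = list(input, pos, depth + 1, max_depth)?;
                    children.push(child);
                    pos = next;
                }
                Some(_) => return Err(ParseError::Unexpected(pos)),
            }
        }
    }
    finish(input, list(input, 0, 1, max_depth)?)
}

/// Reject trailing bytes after the top-level list.
fn finish(input: &[u8], parsed: (Node, usize)) -> Result<Node, ParseError> {
    let (node, used) = parsed;
    if used == input.len() {
        Ok(node)
    } else {
        Err(ParseError::Unexpected(used))
    }
}

/// Constructed attacker input: `depth` opening brackets then `depth` closing ones.
pub fn nested(depth: usize) -> Vec<u8> {
    let mut v = Vec::with_capacity(depth * 2);
    v.resize(depth, b'[');
    v.resize(depth * 2, b']');
    v
}

fn main() {
    // On shallow input both parsers agree.
    assert_eq!(parse_unbounded(b"[[][]]"), parse_bounded(b"[[][]]", 64));
    // On hostile input the bounded parser fails fast at depth 65 ...
    println!("{:?}", parse_bounded(&nested(1_000_000), 64));
    // ... whereas parse_unbounded(&nested(1_000_000)) would recurse a million
    // frames deep and abort the process, so it is deliberately not called here.
}
```

The depth limit is the cheapest fix; the structural one is to replace the recursion with an explicit heap-allocated stack so that nesting is bounded by memory rather than by the thread's stack. Note that a stack overflow in Rust is not a panic: it is caught by the guard page and aborts the process, so `catch_unwind` cannot recover from it, and giving the thread a larger stack only raises the depth an attacker has to send.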