Uncontrolled Recursion Affecting scorecard package, versions <5.5.0-r3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Uncontrolled Recursion vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-WOLFILATEST-SCORECARD-16752893
- published19 May 2026
- disclosed1 Jun 2026
Introduced: 19 May 2026
NewCVE-2026-44740 (opens in a new tab)How to fix?
Upgrade Wolfi scorecard to version 5.5.0-r3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream scorecard package and not the scorecard package as distributed by Wolfi.
See How to fix? for Wolfi relevant fixed versions and status.
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.