mutated × unstructured — blows up live on input you didn't expect

Unbounded Input → Quadratic Blowup

An accumulating loop with no cap on input size turns a linear scan into O(n²) — fine in dev, fatal on real volume.

01 the recipe

In the wild

example.py
# SMELL: O(n^2) over an input whose size nobody bounded.
# (for-loop control flow x unconstrained inputs)
payload = list(range(50))          # stands in for caller-controlled input of any size
seen = []
for item in payload:
    if item not in seen:           # 'in' on a list is O(n) each pass
        seen.append(item)          # whole loop is O(n^2): 100k distinct items -> ~5e9 comparisons
# fine on the dev's 50-row sample; at 100k rows the request times out,
# and the oversized payload itself is what pushes the worker to an OOM kill.

# RIGHT: bound the input first, then pick the right data structure.
MAX_ITEMS = 10_000                 # size it to the endpoint's real contract
if len(payload) > MAX_ITEMS:       # reject before doing any per-item work
    raise ValueError("payload too large")
seen = set(payload)                # O(n) de-dup; items must be hashable,
                                   # and the cap above is what bounds memory
A linear scan inside the loop makes the whole pass quadratic; with no cap on input size, an input two orders of magnitude past the test data costs four orders of magnitude more time, turning milliseconds into minutes. The failure, a timeout or an OOM kill, is first seen on real volume. Two caveats on the fix: len(payload) only bounds data that is already in memory, so for a stream the cap has to be enforced while reading; and set() needs hashable items and drops order, so de-duplicate dicts by a hashable key, or use dict.fromkeys() when first-seen order matters.
// observed
unbounded: 100k-row input -> request times out, worker OOM-killed
bounded:   oversize input rejected up front; set de-dup stays O(n)
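An added example, not from the original page, that goes beyond the snippet above: it measures the blow-up on constructed all-distinct input, and shows a bounded de-dup that enforces the cap while consuming the input (so it also works on a stream, where len() is unavailable and the payload would have to be fully buffered first) and takes a key function so unhashable items such as dicts can be de-duplicated. MAX_ITEMS, PayloadTooLarge, is_rejected, rejects_unbounded_stream and the sample events are assumptions chosen for illustration.

```python
# Added example, not from the original page: bounded, order-preserving
# de-duplication plus a benchmark of the quadratic version. MAX_ITEMS,
# PayloadTooLarge and the sample events below are illustrative assumptions.
import itertools
import time
from typing import Callable, Dict, Hashable, Iterable, List, Tuple, TypeVar

T = TypeVar("T")

MAX_ITEMS = 10_000  # assumed cap; derive it from the endpoint's real contract


class PayloadTooLarge(ValueError):
    """Raised as soon as the input exceeds the cap, before more is consumed."""


def dedup_quadratic(items: Iterable[T]) -> List[T]:
    """The smell from the page: list membership test inside the loop, O(n^2)."""
    seen: List[T] = []
    for item in items:
        if item not in seen:      # linear scan of 'seen' on every iteration
            seen.append(item)
    return seen


def dedup_bounded(
    items: Iterable[T],
    max_items: int = MAX_ITEMS,
    key: Callable[[T], Hashable] = lambda x: x,
) -> List[T]:
    """O(n) de-dup that enforces the cap while consuming the input.

    Unlike `len(payload) > MAX_ITEMS`, this never needs the whole payload in
    memory first, so it also bounds a stream or generator: memory is capped at
    max_items and the caller is rejected at item max_items + 1.  `key` lets
    unhashable items (dicts, lists) be compared by a hashable projection, where
    a plain set(payload) would raise TypeError.  First-seen order is kept.
    """
    seen: set = set()
    out: List[T] = []
    for n, item in enumerate(items, start=1):
        if n > max_items:
            raise PayloadTooLarge(f"more than {max_items} items")
        k = key(item)
        if k not in seen:         # O(1) average hash lookup
            seen.add(k)
            out.append(item)
    return out


def is_rejected(items: Iterable[T], max_items: int = MAX_ITEMS) -> bool:
    """True if dedup_bounded refuses the input as oversized."""
    try:
        dedup_bounded(items, max_items=max_items)
    except PayloadTooLarge:
        return True
    return False


def rejects_unbounded_stream(max_items: int = 100) -> bool:
    """Constructed worst case: an input that never ends.  set(stream) or a
    len() check would run until the worker is killed; the in-loop cap stops
    after max_items + 1 items with O(max_items) memory."""
    return is_rejected(itertools.count(), max_items=max_items)


def _seconds(fn: Callable[[], object]) -> float:
    t0 = time.perf_counter()
    fn()
    return time.perf_counter() - t0


def benchmark(sizes: Tuple[int, ...] = (1_000, 10_000)) -> Dict[int, Tuple[float, float]]:
    """Time both versions on constructed all-distinct ints (the worst case for
    the list scan).  Returns {n: (quadratic_seconds, bounded_seconds)}."""
    results: Dict[int, Tuple[float, float]] = {}
    for n in sizes:
        payload = list(range(n))
        results[n] = (
            _seconds(lambda: dedup_quadratic(payload)),
            _seconds(lambda: dedup_bounded(payload, max_items=n)),
        )
    return results


if __name__ == "__main__":
    events = [{"id": 1, "src": "10.0.0.1"}, {"id": 2, "src": "10.0.0.2"},
              {"id": 1, "src": "10.0.0.1"}]             # constructed sample
    print(dedup_bounded(events, key=lambda e: e["id"]))  # keeps the first two
    print("oversized stream rejected:", rejects_unbounded_stream())
    for n, (quad, lin) in benchmark().items():
        print(f"n={n:>6}: quadratic {quad:.3f}s  bounded {lin:.4f}s")
```

Going from 1k to 10k items makes the quadratic version roughly 100x slower while the bounded one grows 10x, which is the gap the "observed" block above describes; the itertools.count() case shows why the cap has to sit inside the loop rather than in a len() check that presupposes the whole payload is already in memory.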
02 weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.