Evaluate: Don’t recurse on untrusted input #514

@blackgnezdo

Unless we got lucky, we are likely affected by the same problem that Java and Python fixed:
https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/

CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)

Somebody could start by adding a test with the known malicious input, e.g. like shown in protocolbuffers/protobuf@a037f28
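
A regression check of the kind this issue asks for, as an added example (not code from this project or from the referenced protobuf commit): unknown-field groups in the protobuf wire format are walked with an explicit stack and a depth limit, so deeply nested input is rejected instead of exhausting the call stack. The names `max_group_depth`, `nested_groups`, `DepthExceeded` and the limit of 100 are assumptions made for illustration.

```python
# Added example: group nesting is tracked on a list, never on the call stack.
VARINT, I64, LEN, START_GROUP, END_GROUP, I32 = 0, 1, 2, 3, 4, 5
FIXED_SIZES = {I64: 8, I32: 4}
class DepthExceeded(ValueError):
    """Raised when group nesting in the input passes the configured limit."""

def read_varint(buf, pos):
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def max_group_depth(buf, limit=100):  # limit value is an assumption
    open_groups, deepest, pos = [], 0, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field, wire_type = key >> 3, key & 7
        if wire_type == START_GROUP:
            if len(open_groups) >= limit:
                raise DepthExceeded(f"group nesting exceeds {limit}")
            open_groups.append(field)
            deepest = max(deepest, len(open_groups))
        elif wire_type == END_GROUP:
            if not open_groups or open_groups.pop() != field:
                raise ValueError("unbalanced end-group tag")
        elif wire_type == VARINT:
            _, pos = read_varint(buf, pos)
        elif wire_type == LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire_type in FIXED_SIZES:
            pos += FIXED_SIZES[wire_type]
        else:
            raise ValueError(f"unknown wire type {wire_type}")
        if pos > len(buf):
            raise ValueError("truncated field")
    if open_groups:
        raise ValueError("unterminated group")
    return deepest

def nested_groups(depth, field=1):  # constructed test input
    start = bytes([(field << 3) | START_GROUP])
    return start * depth + bytes([(field << 3) | END_GROUP]) * depth
```

A recursive decoder given `nested_groups(100_000)` would need one stack frame per level; here the same input fails with `DepthExceeded` at level 101.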
