In the XML world, there was a famous vulnerability discovered by Amit Klein back in 2002 which used recursion in DTD's (Document Type Definitions) in order to create a Denial-of-Service attack on an XML parser. The attack involved a cleverly crafted DTD which was designed to expand greatly in memory when parsed, using recursion, earning it the name "XML Bomb".
The bomb was discovered, then defused by a couple of patches issued by IBM and Microsoft. So, problem solved, right?
it cropped up again last week ...[snip]...Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation, Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them. ...[snip]... Some XML libraries are still naively consuming DTDs and falling victim to recursion attacks.
The vulnerability surfaces in situations where your app accepts and parses XML without blocking inline DTDs. For example, a request to a SOAP web service, or an API that accepts XML as an input parameter.