Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5433 vulnerabilities reference this CWE, most recent first.

GHSA-9FXQ-H6QR-QGHC

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-20T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to exhaust available CPU resources.",
  "id": "GHSA-9fxq-h6qr-qghc",
  "modified": "2022-05-13T01:25:49Z",
  "published": "2022-05-13T01:25:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4358-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9G9P-9GW9-JX7F

Vulnerability from github – Published: 2026-01-27 19:18 – Updated: 2026-01-27 19:18
VLAI
Summary
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
Details

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "15.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6.0-canary.0"
            },
            {
              "fixed": "16.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T19:18:25Z",
    "nvd_published_at": "2026-01-26T22:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.\n\nStrongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.",
  "id": "GHSA-9g9p-9gw9-jx7f",
  "modified": "2026-01-27T19:18:25Z",
  "published": "2026-01-27T19:18:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.1.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration"
}

GHSA-9GCV-G5Q9-F633

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-06 00:00
VLAI
Details

It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host. A remote attacker could use this vulnerability to consume all the memory of the server and cause a Denial of Service. This flaw affects redhat-certification version 7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host. A remote attacker could use this vulnerability to consume all the memory of the server and cause a Denial of Service. This flaw affects redhat-certification version 7.",
  "id": "GHSA-9gcv-g5q9-f633",
  "modified": "2022-08-06T00:00:44Z",
  "published": "2022-05-24T19:03:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10868"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-10868"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593776"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GF2-JHM2-H977

Vulnerability from github – Published: 2022-06-07 00:00 – Updated: 2022-06-14 00:00
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group.",
  "id": "GHSA-9gf2-jhm2-h977",
  "modified": "2022-06-14T00:00:28Z",
  "published": "2022-06-07T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1821"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1821.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/353730"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GJJ-6GJ7-C4WJ

Vulnerability from github – Published: 2025-08-21 20:11 – Updated: 2025-08-22 15:01
VLAI
Summary
Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
Details

Dear Maintainers, I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation.

Summary

The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive.

Details

  • Endpoint: flash/addcrypted2
  • affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/webui/app/blueprints/cnl_blueprint.py#L123 https://github.com/pyload/pyload/blob/develop/src/pyload/core/utils/misc.py#L42

affected code

@bp.route("/flash/addcrypted2", methods=["POST"], endpoint="addcrypted2")
@local_check
def addcrypted2():
    package = flask.request.form.get(
        "package", flask.request.form.get("source", flask.request.form.get("referer"))
    )
    crypted = flask.request.form["crypted"]
    jk = flask.request.form["jk"]
    pack_password = flask.request.form.get("passwords")

    crypted = standard_b64decode(unquote(crypted.replace(" ", "+")))
    jk = eval_js(f"{jk} f()")

def eval_js(script, es6=False):
    if sys.version_info < (3, 12):
        return (js2py.eval_js6 if es6 else js2py.eval_js)(script)
    else:
        return dukpy.evaljs(script)

PoC

download pyload and run locally, send the following request - PoC

curl -X POST "http://localhost:8000/flash/addcrypted2" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "crypted=SGVsbG8gd29ybGQ=" \
  -d "passwords=pyload" \
  -d "jk=const start = Date.now();%0Awhile (Date.now() - start < 30_000) {} //"

The 30_000 can be modified to any large value.

Impact

System resources are exhausted, causing services to be temporarily interrupted or stopped, making them inaccessible to normal users.

Use the following command to check CPU usage

top -pid $(pgrep -f "pyload.__main__") 

or

top -pid $(pgrep -f "pyload") 

The CPU is fully occupied image

web-ui unresponsive image

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev92"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T20:11:52Z",
    "nvd_published_at": "2025-08-21T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "Dear Maintainers,\nI am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation.\n\n### Summary\nThe `jk` parameter is received in pyLoad CNL Blueprint. Due to the lack of `jk` parameter verification, the `jk` parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive.\n\n### Details\n- Endpoint: flash/addcrypted2\n- affected file: https://github.com/pyload/pyload/blob/develop/src/pyload/webui/app/blueprints/cnl_blueprint.py#L123\nhttps://github.com/pyload/pyload/blob/develop/src/pyload/core/utils/misc.py#L42\t\n\naffected code\n```python\n@bp.route(\"/flash/addcrypted2\", methods=[\"POST\"], endpoint=\"addcrypted2\")\n@local_check\ndef addcrypted2():\n    package = flask.request.form.get(\n        \"package\", flask.request.form.get(\"source\", flask.request.form.get(\"referer\"))\n    )\n    crypted = flask.request.form[\"crypted\"]\n    jk = flask.request.form[\"jk\"]\n    pack_password = flask.request.form.get(\"passwords\")\n\n    crypted = standard_b64decode(unquote(crypted.replace(\" \", \"+\")))\n    jk = eval_js(f\"{jk} f()\")\n\n```\n\n```python\ndef eval_js(script, es6=False):\n    if sys.version_info \u003c (3, 12):\n        return (js2py.eval_js6 if es6 else js2py.eval_js)(script)\n    else:\n        return dukpy.evaljs(script)\n```\n\n### PoC\ndownload pyload and run locally, send the following request\n- PoC\n```shell\ncurl -X POST \"http://localhost:8000/flash/addcrypted2\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"crypted=SGVsbG8gd29ybGQ=\" \\\n  -d \"passwords=pyload\" \\\n  -d \"jk=const start = Date.now();%0Awhile (Date.now() - start \u003c 30_000) {} //\"\n```\nThe 30_000 can be modified to any large value.\n\n\n### Impact\nSystem resources are exhausted, causing services to be temporarily interrupted or stopped, making them inaccessible to normal users.\n\nUse the following command to check CPU usage\n```shell\ntop -pid $(pgrep -f \"pyload.__main__\") \n```\nor\n```shell\ntop -pid $(pgrep -f \"pyload\") \n```\n\nThe CPU is fully occupied\n\u003cimg width=\"1209\" height=\"134\" alt=\"image\" src=\"https://github.com/user-attachments/assets/5f9338fe-90c8-4e99-bd8e-a5b5c5a81a6e\" /\u003e\n\nweb-ui unresponsive\n\u003cimg width=\"1209\" height=\"496\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7100cdb6-e4d5-4d0c-a138-51b08a7b1fbd\" /\u003e",
  "id": "GHSA-9gjj-6gj7-c4wj",
  "modified": "2025-08-22T15:01:48Z",
  "published": "2025-08-21T20:11:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-9gjj-6gj7-c4wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57751"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs"
}

GHSA-9GRW-5H83-65P3

Vulnerability from github – Published: 2026-04-21 21:31 – Updated: 2026-04-21 21:31
VLAI
Details

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-21T21:16:29Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).",
  "id": "GHSA-9grw-5h83-65p3",
  "modified": "2026-04-21T21:31:25Z",
  "published": "2026-04-21T21:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22021"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H4X-2MMW-9488

Vulnerability from github – Published: 2024-08-06 21:30 – Updated: 2024-08-06 21:30
VLAI
Details

Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Soft AP daemon accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected Access Point.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T20:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the Soft AP daemon accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected Access Point.",
  "id": "GHSA-9h4x-2mmw-9488",
  "modified": "2024-08-06T21:30:47Z",
  "published": "2024-08-06T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42399"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us\u0026docLocale=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H5V-PFQQ-X599

Vulnerability from github – Published: 2026-06-15 20:15 – Updated: 2026-06-15 20:15
VLAI
Summary
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Details

Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:

/ ([\w ]+) miui\/v?\d/i

Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.

PoC

const { UAParser } = require('ua-parser-js');

const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}

Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact.

Affected Versions

ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.

Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.

References

Credits

Thanks to @sondt99, who first reported the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:15:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):\n\n```js\n/ ([\\w ]+) miui\\/v?\\d/i\n```\n\nUnlike when using the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, when using Client Hints, values are copied without a length limit before being passed into regex parsing.\n\n### PoC\n\n```js\nconst { UAParser } = require(\u0027ua-parser-js\u0027);\n\nconst headers = {\n  \u0027sec-ch-ua-platform\u0027: \u0027\"Android\"\u0027,\n  \u0027sec-ch-ua-mobile\u0027: \u0027?1\u0027,\n  \u0027sec-ch-ua-model\u0027: \u0027\"\u0027 + \u0027A \u0027.repeat(25000) + \u0027\"\u0027\n};\n\nconst t0 = process.hrtime.bigint();\nUAParser(headers).withClientHints();\nconst ms = Number(process.hrtime.bigint() - t0) / 1e6;\n\nif (ms \u003e 100) {\n  console.log(\u0027Potential ReDoS\u0027);\n}\n```\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.\n\n### Affected Versions\n\n`ua-parser-js` versions `\u003e=2.0.1, \u003c=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.\n\n### Patches\n\nA patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.\n\n### References\n\n- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits\n\nThanks to [@sondt99](https://github.com/sondt99), who first reported the issue.",
  "id": "GHSA-9h5v-pfqq-x599",
  "modified": "2026-06-15T20:15:02Z",
  "published": "2026-06-15T20:15:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faisalman/ua-parser-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`"
}

GHSA-9H88-W7CR-78CW

Vulnerability from github – Published: 2022-03-08 00:00 – Updated: 2022-03-19 00:01
VLAI
Details

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. IBM X-Force ID: 212950.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-07T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service.  IBM X-Force ID:  212950.",
  "id": "GHSA-9h88-w7cr-78cw",
  "modified": "2022-03-19T00:01:40Z",
  "published": "2022-03-08T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38988"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/212950"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6561281"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HJM-GM4C-VQQV

Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2026-04-02 21:32
VLAI
Details

The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T23:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "The issue was addressed with improved memory handling. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, tvOS 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.",
  "id": "GHSA-9hjm-gm4c-vqqv",
  "modified": "2026-04-02T21:32:12Z",
  "published": "2025-04-01T00:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24190"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122371"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122372"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122373"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122374"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122375"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122376"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122377"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122378"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/11"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/13"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/4"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/5"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Apr/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.