Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5428 vulnerabilities reference this CWE, most recent first.

GHSA-C2PJ-V37R-2P6H

Vulnerability from github – Published: 2023-06-26 15:48 – Updated: 2023-08-25 21:35
VLAI
Summary
Coraza has potential denial of service vulnerability
Details

Summary

Due to the misuse of log.Fatalf, the application using coraza crashed after receiving crafted requests from attackers.

Details

https://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29 The bodyprocessors of multipart uses log.Fatalf to handle errors from the mime.ParseMediaType, but log.Fatalf calls os.Exit directly after logging the error. https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291 This means that the application will immediately crash after receiving a malicious request that triggers an error in mime.ParseMediaType.

PoC

The server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server

After sending this request

POST / HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: curl/8.1.2
Accept: */*
Content-Length: 199
Content-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2
Connection: close

--------------------------5fa6351b877326a1
Content-Disposition: form-data; name="file"; filename="123"
Content-Type: application/octet-stream

123

--------------------------5fa6351b877326a1--

The server will crash immediately. The a=1; a=2 in Content-Type makes mime: duplicate parameter name error.

Impact

I believe the vulnerability was introduced by the following commit: https://github.com/corazawaf/coraza/commit/24af0c8cf4f10bab558740b595712be3b85493ec.

Mitigation

The error from mime.ParseMediaType should return directly.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/corazawaf/coraza/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/corazawaf/coraza/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "last_affected": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-26T15:48:33Z",
    "nvd_published_at": "2023-08-25T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nDue to the misuse of `log.Fatalf`, the application using coraza crashed after receiving crafted requests from attackers.\n\n### Details\n\nhttps://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29\nThe bodyprocessors of multipart uses `log.Fatalf` to handle errors from the `mime.ParseMediaType`, but `log.Fatalf` calls `os.Exit` directly after logging the error.\nhttps://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291\nThis means that the application will immediately crash after receiving a malicious request that triggers an error in `mime.ParseMediaType`.\n\n### PoC\n\nThe server can be demonstrated by https://github.com/corazawaf/coraza/tree/main/examples/http-server\n\nAfter sending this request\n```\nPOST / HTTP/1.1\nHost: 127.0.0.1:8090\nUser-Agent: curl/8.1.2\nAccept: */*\nContent-Length: 199\nContent-Type: multipart/form-data; boundary=------------------------5fa6351b877326a1; a=1; a=2\nConnection: close\n\n--------------------------5fa6351b877326a1\nContent-Disposition: form-data; name=\"file\"; filename=\"123\"\nContent-Type: application/octet-stream\n\n123\n\n--------------------------5fa6351b877326a1--\n\n```\nThe server will crash immediately. The `a=1; a=2` in `Content-Type` makes `mime: duplicate parameter name` error.\n\n### Impact\n\nI believe the vulnerability was introduced by the following commit: https://github.com/corazawaf/coraza/commit/24af0c8cf4f10bab558740b595712be3b85493ec.\n\n### Mitigation\n\nThe error from `mime.ParseMediaType` should return directly.",
  "id": "GHSA-c2pj-v37r-2p6h",
  "modified": "2023-08-25T21:35:14Z",
  "published": "2023-06-26T15:48:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/security/advisories/GHSA-c2pj-v37r-2p6h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza-caddy/issues/48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/commit/24af0c8cf4f10bab558740b595712be3b85493ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/commit/a5239ba3ce839e14d9b4f9486e1b4a403dcade8c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/commit/e1b119b83e12c64f0957e00e8cad45a1b5f012f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/corazawaf/coraza"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/blob/82157f85f24c6107667bf0f686b71a72aafdf8a5/internal/bodyprocessors/multipart.go#L26-L29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/corazawaf/coraza/releases/tag/v3.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/blob/a031f4ef83edc132d5f49382bfef491161de2476/src/log/log.go#L288-L291"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Coraza has potential denial of service vulnerability"
}

GHSA-C2Q6-QQHW-6GGR

Vulnerability from github – Published: 2026-07-09 00:31 – Updated: 2026-07-09 18:31
VLAI
Details

In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exists in its network processing loop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-51535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T22:17:15Z",
    "severity": "HIGH"
  },
  "details": "In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exists in its network processing loop.",
  "id": "GHSA-c2q6-qqhw-6ggr",
  "modified": "2026-07-09T18:31:40Z",
  "published": "2026-07-09T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-51535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EIPStackGroup/OpENer/issues/562"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/MrAlaskan/bec306c51fec9f777b2599f5dea09dd1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2RX-5R8W-8XR2

Vulnerability from github – Published: 2026-06-08 19:02 – Updated: 2026-06-12 19:27
VLAI
Summary
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
Details

Summary

The default configuration of the Http3ConnectionHandler in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an OutOfMemoryError.

Details

Netty securely limits header sizes for older protocols. In HTTP/1.1, Netty strictly enforces an 8192-byte limit out-of-the-box via HttpObjectDecoder. For HTTP/2, while RFC 9113 specifies that SETTINGS_MAX_HEADER_LIST_SIZE defaults to unlimited, Netty securely overrides this RFC default by enforcing an 8192-byte limit (Http2CodecUtil.DEFAULT_HEADER_LIST_SIZE).

However, this secure-by-default configuration is missing in the HTTP/3 implementation. While Netty provides a mechanism to configure the maximum header field section size via Http3Settings, its out-of-the-box behaviour strictly follows RFC 9114's unlimited default.

Because many developers rely on the framework's default configurations and basic constructors, their applications are unknowingly left vulnerable. This nearly infinite default limit is passed into Http3FrameCodec#newFactory and stored as maxHeaderListSize inside Http3FrameCodec.

A bad actor can continuously send HTTP/3 headers within a connection, exploiting the insecure default configuration to consume server memory unconditionally until the application crashes with an OutOfMemoryError.

Impact

Denial of Service via memory exhaustion. All applications using Netty's HTTP/3 codec with its default configuration are impacted.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.14.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-http3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0.Final"
            },
            {
              "fixed": "4.2.15.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-08T19:02:16Z",
    "nvd_published_at": "2026-06-12T05:16:32Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`.\n\n### Details\nNetty securely limits header sizes for older protocols. In HTTP/1.1, Netty strictly enforces an `8192`-byte limit out-of-the-box via `HttpObjectDecoder`. For HTTP/2, while RFC 9113 specifies that `SETTINGS_MAX_HEADER_LIST_SIZE` defaults to `unlimited`, Netty securely overrides this RFC default by enforcing an `8192`-byte limit (`Http2CodecUtil.DEFAULT_HEADER_LIST_SIZE`).\n\nHowever, this secure-by-default configuration is missing in the HTTP/3 implementation. While Netty provides a mechanism to configure the maximum header field section size via `Http3Settings`, its out-of-the-box behaviour strictly follows RFC 9114\u0027s unlimited default.\n\nBecause many developers rely on the framework\u0027s default configurations and basic constructors, their applications are unknowingly left vulnerable. This nearly infinite default limit is passed into `Http3FrameCodec#newFactory` and stored as `maxHeaderListSize` inside `Http3FrameCodec`.\n\nA bad actor can continuously send HTTP/3 headers within a connection, exploiting the insecure default configuration to consume server memory unconditionally until the application crashes with an `OutOfMemoryError`.\n\n### Impact\nDenial of Service via memory exhaustion. All applications using Netty\u0027s HTTP/3 codec with its default configuration are impacted.",
  "id": "GHSA-c2rx-5r8w-8xr2",
  "modified": "2026-06-12T19:27:28Z",
  "published": "2026-06-08T19:02:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-c2rx-5r8w-8xr2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44892"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size"
}

GHSA-C2V2-7RCG-2CH7

Vulnerability from github – Published: 2020-09-01 15:17 – Updated: 2021-01-14 15:58
VLAI
Summary
Regular Expression Denial of Service in ansi2html
Details

The ansi2html package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in.

Proof of concept

var ansi2html = require('ansi2html')

var start = process.hrtime();
ansi2html("[1111111111111111111111;0000000000000000000000");
console.log(process.hrtime(start));

start = process.hrtime();
ansi2html("[1111111111111111111111;00000000000000000000000");
console.log(process.hrtime(start));

start = process.hrtime();
ansi2html("[1111111111111111111111;000000000000000000000000");
console.log(process.hrtime(start));

start = process.hrtime();
ansi2html("[1111111111111111111111;0000000000000000000000000000");
console.log(process.hrtime(start));

Results of the above

00:29:53-adam_baldwin~/tmp$ node test
[ 0, 119615367 ]
[ 0, 149934565 ]
[ 0, 233325677 ]
[ 3, 46582479 ]

Recommendation

At the time of this writing, February 2018, all versions of ansi2html remain vulnerable, and the package has not been updated for 4 years.

In order to use this package safely, it is necessary to avoid passing user input to the package, or to limit the size of the input string to a size with a parse time you find acceptable. Unfortunately, the match time grows at quite a small character count, so it is unlikely for it to both allow strings of a useful size while protecting against the denial of service attack.

In the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.]available on npm

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi2html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-9239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:09:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The `ansi2html` package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in.\n\n\n## Proof of concept\n```\nvar ansi2html = require(\u0027ansi2html\u0027)\n\nvar start = process.hrtime();\nansi2html(\"[1111111111111111111111;0000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;00000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;000000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;0000000000000000000000000000\");\nconsole.log(process.hrtime(start));\n```\n\nResults of the above\n```\n00:29:53-adam_baldwin~/tmp$ node test\n[ 0, 119615367 ]\n[ 0, 149934565 ]\n[ 0, 233325677 ]\n[ 3, 46582479 ]\n```\n\n\n## Recommendation\n\nAt the time of this writing, February 2018, all versions of `ansi2html` remain vulnerable, and the package has not been updated for 4 years. \n\nIn order to use this package safely, it is necessary to avoid passing user input to the package, or to limit the size of the input string to a size with a parse time you find acceptable. Unfortunately, the match time grows at quite a small character count, so it is unlikely for it to both allow strings of a useful size while protecting against the denial of service attack. \n\nIn the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.][available on npm](https://www.npmjs.com/search?q=ansi+html)",
  "id": "GHSA-c2v2-7rcg-2ch7",
  "modified": "2021-01-14T15:58:08Z",
  "published": "2020-09-01T15:17:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9239"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/51"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in ansi2html"
}

GHSA-C2WF-8J59-JJHC

Vulnerability from github – Published: 2024-04-25 12:30 – Updated: 2024-04-25 12:30
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T11:15:46Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.",
  "id": "GHSA-c2wf-8j59-jjhc",
  "modified": "2024-04-25T12:30:50Z",
  "published": "2024-04-25T12:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2829"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2416728"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/451456"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C329-XM38-F566

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15119"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS.",
  "id": "GHSA-c329-xm38-f566",
  "modified": "2022-05-13T01:37:33Z",
  "published": "2022-05-13T01:37:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15119"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1104"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1113"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15119"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3575-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4213"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/11/28/9"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C332-W4JM-55WV

Vulnerability from github – Published: 2021-05-04 17:42 – Updated: 2021-04-30 17:43
VLAI
Summary
Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8
Details

Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-compatibility-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-30T17:43:47Z",
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Unsafe validation RegEx in `EmailValidator` component in `com.vaadin:vaadin-compatibility-server` versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.",
  "id": "GHSA-c332-w4jm-55wv",
  "modified": "2021-04-30T17:43:47Z",
  "published": "2021-05-04T17:42:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/framework/security/advisories/GHSA-c332-w4jm-55wv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/framework/issues/12240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/framework/pull/12241"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2021-31409"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8"
}

GHSA-C335-GRGP-6VGC

Vulnerability from github – Published: 2022-05-01 07:30 – Updated: 2025-04-03 18:30
VLAI
Details

Ubuntu Linux 6.10 for the PowerPC (PPC) allows local users to cause a denial of service (resource consumption) by using the (1) sys_get_robust_list and (2) sys_set_robust_list functions to create processes that cannot be killed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-5648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-12-14T00:28:00Z",
    "severity": "MODERATE"
  },
  "details": "Ubuntu Linux 6.10 for the PowerPC (PPC) allows local users to cause a denial of service (resource consumption) by using the (1) sys_get_robust_list and (2) sys_set_robust_list functions to create processes that cannot be killed.",
  "id": "GHSA-c335-grgp-6vgc",
  "modified": "2025-04-03T18:30:27Z",
  "published": "2022-05-01T07:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-5648"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23361"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23384"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23474"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2006_79_kernel.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/21582"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-395-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C337-2CRJ-5WCM

Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-17 00:01
VLAI
Details

On all versions of 17.0.x, 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x on F5 BIG-IP, an authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1468"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-05T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On all versions of 17.0.x, 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x on F5 BIG-IP, an authenticated iControl REST user with at least guest role privileges can cause processing delays to iControl REST requests via undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-c337-2crj-5wcm",
  "modified": "2022-05-17T00:01:48Z",
  "published": "2022-05-06T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1468"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K15101402"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C33X-XQRF-C478

Vulnerability from github – Published: 2024-04-02 14:16 – Updated: 2024-04-05 18:53
VLAI
Summary
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack
Details

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/quic-go/quic-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.42.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-02T14:16:05Z",
    "nvd_published_at": "2024-04-04T15:15:37Z",
    "severity": "HIGH"
  },
  "details": "An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate.\n\nI published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/.\nI also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U\u0026t=3683\n\nThere\u0027s no way to mitigate this attack, please update quic-go to a version that contains the fix.",
  "id": "GHSA-c33x-xqrf-c478",
  "modified": "2024-04-05T18:53:25Z",
  "published": "2024-04-02T14:16:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quic-go/quic-go"
    },
    {
      "type": "WEB",
      "url": "https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=JqXtYcZAtIA\u0026t=3683s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "QUIC\u0027s Connection ID Mechanism vulnerable to Memory Exhaustion Attack"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.