CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5424 vulnerabilities reference this CWE, most recent first.
GHSA-C6GW-W398-HV78
Vulnerability from github – Published: 2025-02-24 22:49 – Updated: 2025-02-26 22:16Impact
When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.
Patches
Version 4.0.5 fixes this issue
Workarounds
Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.
References
This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/go-jose/go-jose"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27144"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-24T22:49:19Z",
"nvd_published_at": "2025-02-24T23:15:11Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of \u0027.\u0027 characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.\n\n### Patches\nVersion 4.0.5 fixes this issue\n\n### Workarounds\nApplications could pre-validate payloads passed to go-jose do not contain an excessive number of \u0027.\u0027 characters.\n\n### References\nThis is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.",
"id": "GHSA-c6gw-w398-hv78",
"modified": "2025-02-26T22:16:36Z",
"published": "2025-02-24T22:49:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144"
},
{
"type": "WEB",
"url": "https://github.com/golang/go/issues/71490"
},
{
"type": "WEB",
"url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-jose/go-jose"
},
{
"type": "WEB",
"url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"
},
{
"type": "WEB",
"url": "https://go.dev/issue/71490"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DoS in go-jose Parsing"
}
GHSA-C6HX-PJC3-7FQR
Vulnerability from github – Published: 2022-10-10 21:23 – Updated: 2022-10-13 20:08Impact
There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.
Patches
Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5
Workarounds
No workaround.
For more information
If you have any questions or comments about this advisory, please open an issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0-rc1"
},
{
"fixed": "2.9.0-rc5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39271"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-10T21:23:30Z",
"nvd_published_at": "2022-10-11T14:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThere is a potential vulnerability in Traefik managing HTTP/2 connections.\nA closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.\n\n### Patches\n\nTraefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8\nTraefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n",
"id": "GHSA-c6hx-pjc3-7fqr",
"modified": "2022-10-13T20:08:57Z",
"published": "2022-10-10T21:23:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39271"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.8.8"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Traefik HTTP/2 connections management could cause a denial of service"
}
GHSA-C6M3-26JJ-88R9
Vulnerability from github – Published: 2022-01-20 00:02 – Updated: 2023-08-08 15:31A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. During an attack, the routing protocol daemon (rpd) CPU may reach 100% utilization, yet FPC CPUs forwarding traffic will operate normally. This attack occurs when the attackers' packets are sent over an IPv4 unicast routing equal-cost multi-path (ECMP) unilist selection. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. An indicator of compromise may be to monitor NETISR drops in the network with the assistance of JTAC. Please contact JTAC for technical support for further guidance. This issue affects: Juniper Networks Junos OS 17.3 version 17.3R3-S9 and later versions prior to 17.3R3-S12; 17.4 version 17.4R3-S3 and later versions prior to 17.4R3-S5; 18.1 version 18.1R3-S11 and later versions prior to 18.1R3-S13; 18.2 version 18.2R3-S6 and later versions; 18.3 version 18.3R3-S4 and later versions prior to 18.3R3-S5; 18.4 version 18.4R3-S5 and later versions prior to 18.4R3-S9; 19.1 version 19.1R3-S3 and later versions prior to 19.1R3-S7. This issue does not affect Juniper Networks Junos OS versions prior to 17.3R3-S9. This issue does not affect Juniper Networks Junos OS Evolved.
{
"affected": [],
"aliases": [
"CVE-2022-22159"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T01:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. During an attack, the routing protocol daemon (rpd) CPU may reach 100% utilization, yet FPC CPUs forwarding traffic will operate normally. This attack occurs when the attackers\u0027 packets are sent over an IPv4 unicast routing equal-cost multi-path (ECMP) unilist selection. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. An indicator of compromise may be to monitor NETISR drops in the network with the assistance of JTAC. Please contact JTAC for technical support for further guidance. This issue affects: Juniper Networks Junos OS 17.3 version 17.3R3-S9 and later versions prior to 17.3R3-S12; 17.4 version 17.4R3-S3 and later versions prior to 17.4R3-S5; 18.1 version 18.1R3-S11 and later versions prior to 18.1R3-S13; 18.2 version 18.2R3-S6 and later versions; 18.3 version 18.3R3-S4 and later versions prior to 18.3R3-S5; 18.4 version 18.4R3-S5 and later versions prior to 18.4R3-S9; 19.1 version 19.1R3-S3 and later versions prior to 19.1R3-S7. This issue does not affect Juniper Networks Junos OS versions prior to 17.3R3-S9. This issue does not affect Juniper Networks Junos OS Evolved.",
"id": "GHSA-c6m3-26jj-88r9",
"modified": "2023-08-08T15:31:37Z",
"published": "2022-01-20T00:02:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22159"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11267"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C6Q9-X9FP-XMC6
Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-03-17 00:06There is an Uncontrolled resource consumption vulnerability in the display module in smartphones. Successful exploitation of this vulnerability may affect service integrity.
{
"affected": [],
"aliases": [
"CVE-2021-40011"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-10T14:10:00Z",
"severity": "CRITICAL"
},
"details": "There is an Uncontrolled resource consumption vulnerability in the display module in smartphones. Successful exploitation of this vulnerability may affect service integrity.",
"id": "GHSA-c6q9-x9fp-xmc6",
"modified": "2022-03-17T00:06:16Z",
"published": "2022-01-11T00:01:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40011"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/1"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/3"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C6QR-H5VQ-59JC
Vulnerability from github – Published: 2020-06-24 17:40 – Updated: 2023-07-05 20:24There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
This vulnerability has been assigned the CVE identifier CVE-2020-8185.
Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2
Impact
Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.
Workarounds
Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:
config.middleware.delete ActionDispatch::ActionableExceptions
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.3.1"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8185"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-24T17:33:58Z",
"nvd_published_at": "2020-07-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.\n\nThis vulnerability has been assigned the CVE identifier CVE-2020-8185.\n\nVersions Affected: 6.0.0 \u003c rails \u003c 6.0.3.2\nNot affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)\nFixed Versions: rails \u003e= 6.0.3.2\n\nImpact\n------\n\nUsing this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.\n\nWorkarounds\n-----------\n\nUntil such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:\n\n`config.middleware.delete ActionDispatch::ActionableExceptions`",
"id": "GHSA-c6qr-h5vq-59jc",
"modified": "2023-07-05T20:24:19Z",
"published": "2020-06-24T17:40:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8185"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/899069"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Untrusted users can run pending migrations in production in Rails"
}
GHSA-C729-M2G9-M3XV
Vulnerability from github – Published: 2023-02-14 00:30 – Updated: 2023-02-27 18:32An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2022-3759"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-13T23:15:00Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.",
"id": "GHSA-c729-m2g9-m3xv",
"modified": "2023-02-27T18:32:02Z",
"published": "2023-02-14T00:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3759"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1736230"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3759.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/379633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C72Q-9J4P-2MP4
Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2025-11-04 00:31Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
{
"affected": [],
"aliases": [
"CVE-2024-21219"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-15T20:15:11Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).",
"id": "GHSA-c72q-9j4p-2mp4",
"modified": "2025-11-04T00:31:34Z",
"published": "2024-10-15T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21219"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241025-0006"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C738-77X8-WMQ5
Vulnerability from github – Published: 2021-06-08 22:29 – Updated: 2022-02-08 21:27A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.8.1.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.xnio:xnio-nio"
},
"ranges": [
{
"events": [
{
"introduced": "3.8.0.Final"
},
{
"fixed": "3.8.2.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.7.8.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.xnio:xnio-nio"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.7.9.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14340"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T20:32:00Z",
"nvd_published_at": "2021-06-02T13:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.",
"id": "GHSA-c738-77x8-wmq5",
"modified": "2022-02-08T21:27:27Z",
"published": "2021-06-08T22:29:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14340"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860218"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in XNIO"
}
GHSA-C73C-X77G-854R
Vulnerability from github – Published: 2026-05-12 15:34 – Updated: 2026-06-09 10:59OAuth State Validation Bypass via error Parameter Causes Local Server DoS in MCP Auth Callback
Description
The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all.
The vulnerable code looks like this:
if (!error && state !== oauthState) {
rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
return
}
if (error) {
cleanup()
rejectOnce(new Error(errorMessage))
return
}
When a request arrives with an error query parameter (e.g., ?error=anything), the first condition becomes false because !error evaluates to false. This means the CSRF check is never reached. Execution falls through to the second block, where cleanup() is called — shutting down the local server and terminating the user's active authentication session.
The attacker does not need to know the state value. Any request containing an error parameter is enough to trigger the shutdown.
Impact
- The user's OAuth flow is silently terminated mid-session
- The local callback server is shut down (Denial of Service)
- Can be triggered remotely via a malicious web page using a cross-origin request (CSRF)
- No authentication or prior knowledge of the
statevalue is required
Steps to Reproduce
Save the following as poc.js and run with Node.js:
import { createServer } from 'http';
import { parse } from 'url';
const expectedState = "secure_state_abc123";
const server = createServer((req, res) => {
const parsedUrl = parse(req.url || '', true);
const { pathname, query } = parsedUrl;
const { state, error } = query;
if (pathname === '/callback') {
// Vulnerable: error param causes state check to be skipped entirely
if (!error && state !== expectedState) {
res.writeHead(400);
res.end('State mismatch');
console.log('[-] CSRF attempt blocked.');
return;
}
if (error) {
res.writeHead(200);
res.end(`Error: ${error}`);
console.log(`[!] Server shutting down. Triggered by: ${error}`);
server.close();
return;
}
}
});
server.listen(12345, '127.0.0.1', () => {
console.log('Listening on http://127.0.0.1:12345');
});
Terminal 1 — start the server:
node poc.js
Terminal 2 — trigger the bypass:
curl "http://127.0.0.1:12345/callback?error=triggered"
Expected result: Server shuts down immediately. The state value was never checked.
Root Cause
The CSRF protection is conditioned on !error, meaning it is silently disabled whenever an error parameter is present. The two checks need to be decoupled — state validation must happen first, independently of any other parameters.
Fix
Move the state check before the error check, and remove the dependency on !error:
// Fixed
if (state !== oauthState) {
cleanup()
rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
return
}
if (error) {
cleanup()
rejectOnce(new Error(errorMessage))
return
}
With this change, any request — whether it contains an error parameter or not — must first pass the state validation before any further processing occurs.
Credit: Xanlar Agamalizade
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@gitlawb/openclaude"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42073"
],
"database_specific": {
"cwe_ids": [
"CWE-352",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-12T15:34:30Z",
"nvd_published_at": "2026-06-02T17:16:31Z",
"severity": "MODERATE"
},
"details": "# OAuth State Validation Bypass via `error` Parameter Causes Local Server DoS in MCP Auth Callback\n---\n\n## Description\n\nThe OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a `state` parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down \u2014 without knowing the `state` value at all.\n\nThe vulnerable code looks like this:\n\n```typescript\nif (!error \u0026\u0026 state !== oauthState) {\n rejectOnce(new Error(\u0027OAuth state mismatch - possible CSRF attack\u0027))\n return\n}\n\nif (error) {\n cleanup()\n rejectOnce(new Error(errorMessage))\n return\n}\n```\n\nWhen a request arrives with an `error` query parameter (e.g., `?error=anything`), the first condition becomes `false` because `!error` evaluates to `false`. This means the CSRF check is **never reached**. Execution falls through to the second block, where `cleanup()` is called \u2014 shutting down the local server and terminating the user\u0027s active authentication session.\n\nThe attacker does not need to know the `state` value. Any request containing an `error` parameter is enough to trigger the shutdown.\n\n---\n\n## Impact\n\n- The user\u0027s OAuth flow is silently terminated mid-session\n- The local callback server is shut down (Denial of Service)\n- Can be triggered remotely via a malicious web page using a cross-origin request (CSRF)\n- No authentication or prior knowledge of the `state` value is required\n\n---\n\n## Steps to Reproduce\n\nSave the following as `poc.js` and run with Node.js:\n\n```javascript\nimport { createServer } from \u0027http\u0027;\nimport { parse } from \u0027url\u0027;\n\nconst expectedState = \"secure_state_abc123\";\n\nconst server = createServer((req, res) =\u003e {\n const parsedUrl = parse(req.url || \u0027\u0027, true);\n const { pathname, query } = parsedUrl;\n const { state, error } = query;\n\n if (pathname === \u0027/callback\u0027) {\n\n // Vulnerable: error param causes state check to be skipped entirely\n if (!error \u0026\u0026 state !== expectedState) {\n res.writeHead(400);\n res.end(\u0027State mismatch\u0027);\n console.log(\u0027[-] CSRF attempt blocked.\u0027);\n return;\n }\n\n if (error) {\n res.writeHead(200);\n res.end(`Error: ${error}`);\n console.log(`[!] Server shutting down. Triggered by: ${error}`);\n server.close();\n return;\n }\n }\n});\n\nserver.listen(12345, \u0027127.0.0.1\u0027, () =\u003e {\n console.log(\u0027Listening on http://127.0.0.1:12345\u0027);\n});\n```\n\n**Terminal 1 \u2014 start the server:**\n```bash\nnode poc.js\n```\n\n**Terminal 2 \u2014 trigger the bypass:**\n```bash\ncurl \"http://127.0.0.1:12345/callback?error=triggered\"\n```\n\n**Expected result:** Server shuts down immediately. The `state` value was never checked.\n\n---\n\n## Root Cause\n\nThe CSRF protection is conditioned on `!error`, meaning it is silently disabled whenever an `error` parameter is present. The two checks need to be decoupled \u2014 state validation must happen first, independently of any other parameters.\n\n---\n\n## Fix\n\nMove the `state` check before the `error` check, and remove the dependency on `!error`:\n\n```typescript\n// Fixed\nif (state !== oauthState) {\n cleanup()\n rejectOnce(new Error(\u0027OAuth state mismatch - possible CSRF attack\u0027))\n return\n}\n\nif (error) {\n cleanup()\n rejectOnce(new Error(errorMessage))\n return\n}\n```\n\nWith this change, any request \u2014 whether it contains an `error` parameter or not \u2014 must first pass the state validation before any further processing occurs.\n\n---\n\nCredit: Xanlar Agamalizade",
"id": "GHSA-c73c-x77g-854r",
"modified": "2026-06-09T10:59:32Z",
"published": "2026-05-12T15:34:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42073"
},
{
"type": "WEB",
"url": "https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad"
},
{
"type": "PACKAGE",
"url": "https://github.com/Gitlawb/openclaude"
},
{
"type": "WEB",
"url": "https://github.com/Gitlawb/openclaude/releases/tag/v0.5.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS"
}
GHSA-C774-R78G-7QJ4
Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.
{
"affected": [],
"aliases": [
"CVE-2018-19837"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-04T09:29:00Z",
"severity": "MODERATE"
},
"details": "In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of \u0027%\u0027 as a modulo operator in parser.cpp.",
"id": "GHSA-c774-r78g-7qj4",
"modified": "2022-05-14T00:55:58Z",
"published": "2022-05-14T00:55:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19837"
},
{
"type": "WEB",
"url": "https://github.com/sass/libsass/issues/2659"
},
{
"type": "WEB",
"url": "https://github.com/sass/libsass/commit/210fdff7a65370c2ae24e022a2b35da8c423cc5f"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00047.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00051.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.