Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5424 vulnerabilities reference this CWE, most recent first.

GHSA-C6GW-W398-HV78

Vulnerability from github – Published: 2025-02-24 22:49 – Updated: 2025-02-26 22:16
VLAI
Summary
DoS in go-jose Parsing
Details

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-jose/go-jose/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-jose/go-jose/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/go-jose/go-jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-24T22:49:19Z",
    "nvd_published_at": "2025-02-24T23:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, \".\") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of \u0027.\u0027 characters.  An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.\n\n### Patches\nVersion 4.0.5 fixes this issue\n\n### Workarounds\nApplications could pre-validate payloads passed to go-jose do not contain an excessive number of \u0027.\u0027 characters.\n\n### References\nThis is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.",
  "id": "GHSA-c6gw-w398-hv78",
  "modified": "2025-02-26T22:16:36Z",
  "published": "2025-02-24T22:49:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27144"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/issues/71490"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-jose/go-jose"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-jose/go-jose/releases/tag/v4.0.5"
    },
    {
      "type": "WEB",
      "url": "https://go.dev/issue/71490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "DoS in go-jose Parsing"
}

GHSA-C6HX-PJC3-7FQR

Vulnerability from github – Published: 2022-10-10 21:23 – Updated: 2022-10-13 20:08
VLAI
Summary
Traefik HTTP/2 connections management could cause a denial of service
Details

Impact

There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Patches

Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0-rc1"
            },
            {
              "fixed": "2.9.0-rc5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-10T21:23:30Z",
    "nvd_published_at": "2022-10-11T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThere is a potential vulnerability in Traefik managing HTTP/2 connections.\nA closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service.\n\n### Patches\n\nTraefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8\nTraefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n",
  "id": "GHSA-c6hx-pjc3-7fqr",
  "modified": "2022-10-13T20:08:57Z",
  "published": "2022-10-10T21:23:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-c6hx-pjc3-7fqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39271"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.8.8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Traefik HTTP/2 connections management could cause a denial of service"
}

GHSA-C6M3-26JJ-88R9

Vulnerability from github – Published: 2022-01-20 00:02 – Updated: 2023-08-08 15:31
VLAI
Details

A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. During an attack, the routing protocol daemon (rpd) CPU may reach 100% utilization, yet FPC CPUs forwarding traffic will operate normally. This attack occurs when the attackers' packets are sent over an IPv4 unicast routing equal-cost multi-path (ECMP) unilist selection. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. An indicator of compromise may be to monitor NETISR drops in the network with the assistance of JTAC. Please contact JTAC for technical support for further guidance. This issue affects: Juniper Networks Junos OS 17.3 version 17.3R3-S9 and later versions prior to 17.3R3-S12; 17.4 version 17.4R3-S3 and later versions prior to 17.4R3-S5; 18.1 version 18.1R3-S11 and later versions prior to 18.1R3-S13; 18.2 version 18.2R3-S6 and later versions; 18.3 version 18.3R3-S4 and later versions prior to 18.3R3-S5; 18.4 version 18.4R3-S5 and later versions prior to 18.4R3-S9; 19.1 version 19.1R3-S3 and later versions prior to 19.1R3-S7. This issue does not affect Juniper Networks Junos OS versions prior to 17.3R3-S9. This issue does not affect Juniper Networks Junos OS Evolved.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-19T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. During an attack, the routing protocol daemon (rpd) CPU may reach 100% utilization, yet FPC CPUs forwarding traffic will operate normally. This attack occurs when the attackers\u0027 packets are sent over an IPv4 unicast routing equal-cost multi-path (ECMP) unilist selection. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. An indicator of compromise may be to monitor NETISR drops in the network with the assistance of JTAC. Please contact JTAC for technical support for further guidance. This issue affects: Juniper Networks Junos OS 17.3 version 17.3R3-S9 and later versions prior to 17.3R3-S12; 17.4 version 17.4R3-S3 and later versions prior to 17.4R3-S5; 18.1 version 18.1R3-S11 and later versions prior to 18.1R3-S13; 18.2 version 18.2R3-S6 and later versions; 18.3 version 18.3R3-S4 and later versions prior to 18.3R3-S5; 18.4 version 18.4R3-S5 and later versions prior to 18.4R3-S9; 19.1 version 19.1R3-S3 and later versions prior to 19.1R3-S7. This issue does not affect Juniper Networks Junos OS versions prior to 17.3R3-S9. This issue does not affect Juniper Networks Junos OS Evolved.",
  "id": "GHSA-c6m3-26jj-88r9",
  "modified": "2023-08-08T15:31:37Z",
  "published": "2022-01-20T00:02:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22159"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C6Q9-X9FP-XMC6

Vulnerability from github – Published: 2022-01-11 00:01 – Updated: 2022-03-17 00:06
VLAI
Details

There is an Uncontrolled resource consumption vulnerability in the display module in smartphones. Successful exploitation of this vulnerability may affect service integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-10T14:10:00Z",
    "severity": "CRITICAL"
  },
  "details": "There is an Uncontrolled resource consumption vulnerability in the display module in smartphones. Successful exploitation of this vulnerability may affect service integrity.",
  "id": "GHSA-c6q9-x9fp-xmc6",
  "modified": "2022-03-17T00:06:16Z",
  "published": "2022-01-11T00:01:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40011"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/1"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/3"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-phones-202203-0000001257385193"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C6QR-H5VQ-59JC

Vulnerability from github – Published: 2020-06-24 17:40 – Updated: 2023-07-05 20:24
VLAI
Summary
Untrusted users can run pending migrations in production in Rails
Details

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2

Impact

Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.

Workarounds

Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.3.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-24T17:33:58Z",
    "nvd_published_at": "2020-07-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.\n\nThis vulnerability has been assigned the CVE identifier CVE-2020-8185.\n\nVersions Affected:  6.0.0 \u003c rails \u003c 6.0.3.2\nNot affected:       Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)\nFixed Versions:     rails \u003e= 6.0.3.2\n\nImpact\n------\n\nUsing this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.\n\nWorkarounds\n-----------\n\nUntil such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:\n\n`config.middleware.delete ActionDispatch::ActionableExceptions`",
  "id": "GHSA-c6qr-h5vq-59jc",
  "modified": "2023-07-05T20:24:19Z",
  "published": "2020-06-24T17:40:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8185"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/899069"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8185.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Untrusted users can run pending migrations in production in Rails"
}

GHSA-C729-M2G9-M3XV

Vulnerability from github – Published: 2023-02-14 00:30 – Updated: 2023-02-27 18:32
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3759"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-13T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service.",
  "id": "GHSA-c729-m2g9-m3xv",
  "modified": "2023-02-27T18:32:02Z",
  "published": "2023-02-14T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3759"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1736230"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3759.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/379633"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C72Q-9J4P-2MP4

Vulnerability from github – Published: 2024-10-15 21:30 – Updated: 2025-11-04 00:31
VLAI
Details

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21219"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-15T20:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).  Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).",
  "id": "GHSA-c72q-9j4p-2mp4",
  "modified": "2025-11-04T00:31:34Z",
  "published": "2024-10-15T21:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21219"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241025-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2024.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C738-77X8-WMQ5

Vulnerability from github – Published: 2021-06-08 22:29 – Updated: 2022-02-08 21:27
VLAI
Summary
Uncontrolled Resource Consumption in XNIO
Details

A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.8.1.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.xnio:xnio-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0.Final"
            },
            {
              "fixed": "3.8.2.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.7.8.Final"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.xnio:xnio-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.6.0"
            },
            {
              "fixed": "3.7.9.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-03T20:32:00Z",
    "nvd_published_at": "2021-06-02T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.",
  "id": "GHSA-c738-77x8-wmq5",
  "modified": "2022-02-08T21:27:27Z",
  "published": "2021-06-08T22:29:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14340"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860218"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in XNIO"
}

GHSA-C73C-X77G-854R

Vulnerability from github – Published: 2026-05-12 15:34 – Updated: 2026-06-09 10:59
VLAI
Summary
OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
Details

OAuth State Validation Bypass via error Parameter Causes Local Server DoS in MCP Auth Callback


Description

The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all.

The vulnerable code looks like this:

if (!error && state !== oauthState) {
    rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
    return
}

if (error) {
    cleanup()
    rejectOnce(new Error(errorMessage))
    return
}

When a request arrives with an error query parameter (e.g., ?error=anything), the first condition becomes false because !error evaluates to false. This means the CSRF check is never reached. Execution falls through to the second block, where cleanup() is called — shutting down the local server and terminating the user's active authentication session.

The attacker does not need to know the state value. Any request containing an error parameter is enough to trigger the shutdown.


Impact

  • The user's OAuth flow is silently terminated mid-session
  • The local callback server is shut down (Denial of Service)
  • Can be triggered remotely via a malicious web page using a cross-origin request (CSRF)
  • No authentication or prior knowledge of the state value is required

Steps to Reproduce

Save the following as poc.js and run with Node.js:

import { createServer } from 'http';
import { parse } from 'url';

const expectedState = "secure_state_abc123";

const server = createServer((req, res) => {
    const parsedUrl = parse(req.url || '', true);
    const { pathname, query } = parsedUrl;
    const { state, error } = query;

    if (pathname === '/callback') {

        // Vulnerable: error param causes state check to be skipped entirely
        if (!error && state !== expectedState) {
            res.writeHead(400);
            res.end('State mismatch');
            console.log('[-] CSRF attempt blocked.');
            return;
        }

        if (error) {
            res.writeHead(200);
            res.end(`Error: ${error}`);
            console.log(`[!] Server shutting down. Triggered by: ${error}`);
            server.close();
            return;
        }
    }
});

server.listen(12345, '127.0.0.1', () => {
    console.log('Listening on http://127.0.0.1:12345');
});

Terminal 1 — start the server:

node poc.js

Terminal 2 — trigger the bypass:

curl "http://127.0.0.1:12345/callback?error=triggered"

Expected result: Server shuts down immediately. The state value was never checked.


Root Cause

The CSRF protection is conditioned on !error, meaning it is silently disabled whenever an error parameter is present. The two checks need to be decoupled — state validation must happen first, independently of any other parameters.


Fix

Move the state check before the error check, and remove the dependency on !error:

// Fixed
if (state !== oauthState) {
    cleanup()
    rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
    return
}

if (error) {
    cleanup()
    rejectOnce(new Error(errorMessage))
    return
}

With this change, any request — whether it contains an error parameter or not — must first pass the state validation before any further processing occurs.


Credit: Xanlar Agamalizade

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@gitlawb/openclaude"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:34:30Z",
    "nvd_published_at": "2026-06-02T17:16:31Z",
    "severity": "MODERATE"
  },
  "details": "# OAuth State Validation Bypass via `error` Parameter Causes Local Server DoS in MCP Auth Callback\n---\n\n## Description\n\nThe OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a `state` parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down \u2014 without knowing the `state` value at all.\n\nThe vulnerable code looks like this:\n\n```typescript\nif (!error \u0026\u0026 state !== oauthState) {\n    rejectOnce(new Error(\u0027OAuth state mismatch - possible CSRF attack\u0027))\n    return\n}\n\nif (error) {\n    cleanup()\n    rejectOnce(new Error(errorMessage))\n    return\n}\n```\n\nWhen a request arrives with an `error` query parameter (e.g., `?error=anything`), the first condition becomes `false` because `!error` evaluates to `false`. This means the CSRF check is **never reached**. Execution falls through to the second block, where `cleanup()` is called \u2014 shutting down the local server and terminating the user\u0027s active authentication session.\n\nThe attacker does not need to know the `state` value. Any request containing an `error` parameter is enough to trigger the shutdown.\n\n---\n\n## Impact\n\n- The user\u0027s OAuth flow is silently terminated mid-session\n- The local callback server is shut down (Denial of Service)\n- Can be triggered remotely via a malicious web page using a cross-origin request (CSRF)\n- No authentication or prior knowledge of the `state` value is required\n\n---\n\n## Steps to Reproduce\n\nSave the following as `poc.js` and run with Node.js:\n\n```javascript\nimport { createServer } from \u0027http\u0027;\nimport { parse } from \u0027url\u0027;\n\nconst expectedState = \"secure_state_abc123\";\n\nconst server = createServer((req, res) =\u003e {\n    const parsedUrl = parse(req.url || \u0027\u0027, true);\n    const { pathname, query } = parsedUrl;\n    const { state, error } = query;\n\n    if (pathname === \u0027/callback\u0027) {\n\n        // Vulnerable: error param causes state check to be skipped entirely\n        if (!error \u0026\u0026 state !== expectedState) {\n            res.writeHead(400);\n            res.end(\u0027State mismatch\u0027);\n            console.log(\u0027[-] CSRF attempt blocked.\u0027);\n            return;\n        }\n\n        if (error) {\n            res.writeHead(200);\n            res.end(`Error: ${error}`);\n            console.log(`[!] Server shutting down. Triggered by: ${error}`);\n            server.close();\n            return;\n        }\n    }\n});\n\nserver.listen(12345, \u0027127.0.0.1\u0027, () =\u003e {\n    console.log(\u0027Listening on http://127.0.0.1:12345\u0027);\n});\n```\n\n**Terminal 1 \u2014 start the server:**\n```bash\nnode poc.js\n```\n\n**Terminal 2 \u2014 trigger the bypass:**\n```bash\ncurl \"http://127.0.0.1:12345/callback?error=triggered\"\n```\n\n**Expected result:** Server shuts down immediately. The `state` value was never checked.\n\n---\n\n## Root Cause\n\nThe CSRF protection is conditioned on `!error`, meaning it is silently disabled whenever an `error` parameter is present. The two checks need to be decoupled \u2014 state validation must happen first, independently of any other parameters.\n\n---\n\n## Fix\n\nMove the `state` check before the `error` check, and remove the dependency on `!error`:\n\n```typescript\n// Fixed\nif (state !== oauthState) {\n    cleanup()\n    rejectOnce(new Error(\u0027OAuth state mismatch - possible CSRF attack\u0027))\n    return\n}\n\nif (error) {\n    cleanup()\n    rejectOnce(new Error(errorMessage))\n    return\n}\n```\n\nWith this change, any request \u2014 whether it contains an `error` parameter or not \u2014 must first pass the state validation before any further processing occurs.\n\n---\n\nCredit: Xanlar Agamalizade",
  "id": "GHSA-c73c-x77g-854r",
  "modified": "2026-06-09T10:59:32Z",
  "published": "2026-05-12T15:34:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Gitlawb/openclaude"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Gitlawb/openclaude/releases/tag/v0.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS"
}

GHSA-C774-R78G-7QJ4

Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55
VLAI
Details

In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-04T09:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of \u0027%\u0027 as a modulo operator in parser.cpp.",
  "id": "GHSA-c774-r78g-7qj4",
  "modified": "2022-05-14T00:55:58Z",
  "published": "2022-05-14T00:55:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/issues/2659"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/commit/210fdff7a65370c2ae24e022a2b35da8c423cc5f"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00047.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00051.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00027.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.