CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-CGGR-H689-7V7X
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:12Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
{
"affected": [],
"aliases": [
"CVE-2019-15226"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T16:15:00Z",
"severity": "HIGH"
},
"details": "Upon receiving each incoming request header data, Envoy will iterate over existing request headers to verify that the total size of the headers stays below a maximum limit. The implementation in versions 1.10.0 through 1.11.1 for HTTP/1.x traffic and all versions of Envoy for HTTP/2 traffic had O(n^2) performance characteristics. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.",
"id": "GHSA-cggr-h689-7v7x",
"modified": "2024-04-04T02:12:32Z",
"published": "2022-05-24T16:58:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15226"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/issues/8520"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/commit/afc39bea36fd436e54262f150c009e8d72db5014"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/commits/master"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGHX-JXVF-5P77
Vulnerability from github – Published: 2026-07-14 21:32 – Updated: 2026-07-14 21:32NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-47476"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T20:17:02Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-cghx-jxvf-5p77",
"modified": "2026-07-14T21:32:16Z",
"published": "2026-07-14T21:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47476"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-47476"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGQ3-QV94-6P9P
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-12-06 18:30A resource exhaustion issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1. An attacker in a privileged network position may be able to perform denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-10005"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "A resource exhaustion issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1. An attacker in a privileged network position may be able to perform denial of service.",
"id": "GHSA-cgq3-qv94-6p9p",
"modified": "2022-12-06T18:30:21Z",
"published": "2022-05-24T19:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10005"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT211931"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1246"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CGQC-FQXR-Q6R6
Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
{
"affected": [],
"aliases": [
"CVE-2011-4838"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-12-30T01:55:00Z",
"severity": "MODERATE"
},
"details": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.",
"id": "GHSA-cgqc-fqxr-q6r6",
"modified": "2022-05-13T01:12:13Z",
"published": "2022-05-13T01:12:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4838"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"type": "WEB",
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47407"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50084"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"type": "WEB",
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"type": "WEB",
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CGWF-W82Q-5JRR
Vulnerability from github – Published: 2023-09-14 09:30 – Updated: 2025-02-13 19:13Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.
Users are recommended to upgrade to version 1.24.0, which fixes the issue.
A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.
In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 1). The format for the PAX extended headers carrying this data consists of two numbers separated by a period 2, indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.
Parsing of these numbers uses the BigDecimal 3 class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 4). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 5.
Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-compress"
},
"ranges": [
{
"events": [
{
"introduced": "1.22"
},
{
"fixed": "1.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-42503"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-14T19:35:27Z",
"nvd_published_at": "2023-09-14T08:15:08Z",
"severity": "MODERATE"
},
"details": "Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress:\u00a0from 1.22 before 1.24.0.\n\nUsers are recommended to upgrade to version 1.24.0, which fixes the issue.\n\nA third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.\n\nIn version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example \u201c1647221103.5998539\u201d). The impacted fields are \u201catime\u201d, \u201cctime\u201d, \u201cmtime\u201d and \u201cLIBARCHIVE.creationtime\u201d. No input validation is performed prior to the parsing of header values.\n\nParsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as \u201c9e9999999\u201d) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].\n\n[1]: https://issues.apache.org/jira/browse/COMPRESS-612 \n[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 \n[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html \n[4]: https://bugs.openjdk.org/browse/JDK-6560193 \n[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 \n\nOnly applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.",
"id": "GHSA-cgwf-w82q-5jrr",
"modified": "2025-02-13T19:13:03Z",
"published": "2023-09-14T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42503"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-compress"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231020-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Compress denial of service vulnerability"
}
GHSA-CH68-7RVG-72GM
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.1, the Traffic Management Microkernel (TMM) process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile.
{
"affected": [],
"aliases": [
"CVE-2020-5936"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-29T16:15:00Z",
"severity": "HIGH"
},
"details": "On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.1, the Traffic Management Microkernel (TMM) process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile.",
"id": "GHSA-ch68-7rvg-72gm",
"modified": "2022-05-24T17:32:42Z",
"published": "2022-05-24T17:32:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5936"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K44020030"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CH7H-W2MM-GM7M
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2025-02-28 15:30A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-3735"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-667"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-ch7h-w2mm-gm7m",
"modified": "2025-02-28T15:30:57Z",
"published": "2022-08-27T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3735"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3735"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1997184"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2021-3735"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250228-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CH7X-55JF-9FGX
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.
{
"affected": [],
"aliases": [
"CVE-2016-9596"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-16T20:29:00Z",
"severity": "MODERATE"
},
"details": "libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.",
"id": "GHSA-ch7x-55jf-9fgx",
"modified": "2022-05-13T01:13:27Z",
"published": "2022-05-13T01:13:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9596"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1408302"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CH88-C67Q-65R9
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-18 16:52A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py of the component cheshire_cat_core. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ai-agents"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.52"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8319"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T16:52:52Z",
"nvd_published_at": "2026-05-11T20:25:48Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py of the component cheshire_cat_core. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-ch88-c67q-65r9",
"modified": "2026-05-18T16:52:52Z",
"published": "2026-05-11T21:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8319"
},
{
"type": "WEB",
"url": "https://github.com/aiwaves-cn/agents/issues/219"
},
{
"type": "PACKAGE",
"url": "https://github.com/aiwaves-cn/agents"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/811274"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362606"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/362606/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "aiwaves-cn agents is vulnerable to resource consumption in the recall_relevant_memories_to_working_memory function"
}
GHSA-CHF7-Q7M5-FQ92
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:29In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the api/v1/utils/code/format endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "open-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.32"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12537"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T17:29:26Z",
"nvd_published_at": "2025-03-20T10:15:29Z",
"severity": "HIGH"
},
"details": "In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.",
"id": "GHSA-chf7-q7m5-fq92",
"modified": "2025-03-21T17:29:27Z",
"published": "2025-03-20T12:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12537"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-webui/open-webui"
},
{
"type": "WEB",
"url": "https://github.com/open-webui/open-webui/blob/e8babe62bc8e466be0367703fd062a981f5c2394/src/lib/apis/utils/index.ts#L25-L56"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/edabd06c-acc0-428c-a481-271f333755bc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Open WebUI Uncontrolled Resource Consumption vulnerability"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.