Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5423 vulnerabilities reference this CWE, most recent first.

GHSA-CMJJ-4JJR-C8VV

Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15
VLAI
Details

The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-1779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-01-12T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section.",
  "id": "GHSA-cmjj-4jjr-c8vv",
  "modified": "2022-05-13T01:15:00Z",
  "published": "2022-05-13T01:15:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1779"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1931"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1943"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2015-1779"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1199572"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04895.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04896.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201602-01"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154656.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155196.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00042.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1931.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1943.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2015/dsa-3259"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/03/24/9"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/04/09/6"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/73303"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1033975"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2608-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMQ9-P2JC-99CW

Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32
VLAI
Details

Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21207"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-14T18:15:32Z",
    "severity": "HIGH"
  },
  "details": "Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability",
  "id": "GHSA-cmq9-p2jc-99cw",
  "modified": "2025-01-14T18:32:02Z",
  "published": "2025-01-14T18:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21207"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21207"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMV9-RHXG-F4XC

Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06
VLAI
Details

An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26652"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-22T19:16:19Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in function nl80211_send_chandef in rtl8812au v5.6.4.2 allows attackers to cause a denial of service.",
  "id": "GHSA-cmv9-rhxg-f4xc",
  "modified": "2024-04-04T07:06:34Z",
  "published": "2023-08-22T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aircrack-ng/rtl8812au/issues/730"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMW4-GVF3-7PV4

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:07
VLAI
Details

A vulnerability in the web-based management interface of Cisco IC3000 Industrial Compute Gateway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software improperly manages system resources. An attacker could exploit this vulnerability by opening a large number of simultaneous sessions on the web-based management interface of an affected device. A successful exploit could allow the attacker to cause a DoS condition of the web-based management interface, preventing normal management operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco IC3000 Industrial Compute Gateway could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the affected software improperly manages system resources. An attacker could exploit this vulnerability by opening a large number of simultaneous sessions on the web-based management interface of an affected device. A successful exploit could allow the attacker to cause a DoS condition of the web-based management interface, preventing normal management operations.",
  "id": "GHSA-cmw4-gvf3-7pv4",
  "modified": "2024-04-04T02:07:44Z",
  "published": "2022-05-24T16:57:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12714"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-ic3000-icg-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CP3V-GFW2-FM24

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

In all Qualcomm products with Android releases from CAF using the Linux kernel, if there is more than one thread doing the device open operation, the device may be opened more than once. This would lead to get_pid being called more than once, however put_pid being called only once in function "msm_close".

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-21T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, if there is more than one thread doing the device open operation, the device may be opened more than once. This would lead to get_pid being called more than once, however put_pid being called only once in function \"msm_close\".",
  "id": "GHSA-cp3v-gfw2-fm24",
  "modified": "2022-05-13T01:47:23Z",
  "published": "2022-05-13T01:47:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8247"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-09-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CP7P-C3XV-F5G5

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-05-24 17:05
VLAI
Details

GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-08T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GNU LibreDWG 0.9.3.2564 has an attempted excessive memory allocation in read_sections_map in decode_r2007.c.",
  "id": "GHSA-cp7p-c3xv-f5g5",
  "modified": "2022-05-24T17:05:55Z",
  "published": "2022-05-24T17:05:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6610"
    },
    {
      "type": "WEB",
      "url": "https://github.com/LibreDWG/libredwg/issues/179#issuecomment-570447120"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00046.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00052.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-CPF9-PH2J-CCR9

Vulnerability from github – Published: 2026-04-16 21:09 – Updated: 2026-04-24 20:48
VLAI
Summary
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Details

Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.

  • Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.
  • Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
  • Privileges Required: None — reached before JWT validation or any authentication check.
  • User Interaction: None.
  • Scope: Unchanged — impact is confined to the affected proxy process.
  • Confidentiality Impact: None.
  • Integrity Impact: None.

Availability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.

Affected Components - endpoints/oauthCookies.go — GetSessionCookie (line 81) - endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth - endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openziti/zrok/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:09:08Z",
    "nvd_published_at": "2026-04-17T21:16:35Z",
    "severity": "HIGH"
  },
  "details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network \u2014 exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low \u2014 no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None \u2014 reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged \u2014 impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High \u2014 sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go \u2014 GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go \u2014 handleOAuth (line 50) \u2014 call site, pre-auth\n- endpoints/dynamicProxy/cookies.go \u2014 getSessionCookie (line 29) \u2014 call site",
  "id": "GHSA-cpf9-ph2j-ccr9",
  "modified": "2026-04-24T20:48:49Z",
  "published": "2026-04-16T21:09:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40303"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openziti/zrok"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing"
}

GHSA-CPH5-3PGR-C82G

Vulnerability from github – Published: 2024-10-31 20:37 – Updated: 2024-11-04 13:48
VLAI
Summary
Gnark out-of-memory during deserialization with crafted inputs
Details

Thanks @pventuzelo for reporting.

From the correspondence:

Hi,

We (Fuzzinglabs & Lambdaclass) found that during deserialization of certain files representing a VerifyingKey, an excessive memory allocation is happening consuming a lot of resources and even triggering a crash with the error fatal error: runtime: out of memory.

Please find the details below:

Vulnerability Details

  • Severity: Critical -> DoS
  • Affected Component: Deserialization

Environment

  • Compiler Version: go version go1.22.2 linux/amd64
  • Distro Version: Ubuntu 24.04.1 LTS

  • Additional Environment Details:

  • [github.com/consensys/gnark](http://github.com/consensys/gnark) v0.11.0
  • [github.com/consensys/gnark-crypto](http://github.com/consensys/gnark-crypto) v0.14.1-0.20240909142611-e6b99e74cec1

Steps to Reproduce

You can download the needed files here: https://drive.google.com/drive/folders/1KQ5I3vv4bUllvqbatGappwbAkIcR2NI_?usp=sharing

You have to run

shell go run gnark_poc.go

in a terminal.

Running the provided code will result in a memory crash or an extremely large memory allocation, which can be observed using the following command:

shell go tool pprof -web mem.pprof

Root Cause Analysis

The provided code loads a VerifyingKey from old.vk by calling the ReadFrom function. This function is implemented in backend/groth16/bn254/marshal.go within the gnark library.

The provided example uses the elliptic curve BN-254, so the code resides in the backend/groth16/bn254/ repertory. However, the same error exists in other repertories, such as backend/groth16/bls12-377/.

At line 207, a slice is allocated with a length of nbCommitments. This variable is directly extracted from the deserialized file, which, in our case, has a value of 2,327,186,600. This large value may be too big for some configurations, leading to memory allocations of approximately ±1 TB, as observed with pprof.

Detailed Behavior

shell go run gnark_poc.go

``` fatal error: runtime: out of memory

runtime stack: runtime.throw({0x5fe946?, 0x2052ae?}) /usr/lib/go-1.22/src/runtime/panic.go:1023 +0x5c fp=0x7ffd65b321a0 sp=0x7ffd65b32170 pc=0x438a9c runtime.sysMapOS(0xc000400000, 0x8ab6400000) /usr/lib/go-1.22/src/runtime/mem_linux.go:167 +0x11b fp=0x7ffd65b321e0 sp=0x7ffd65b321a0 pc=0x418bbb runtime.sysMap(0xc000400000, 0x8ab6400000, 0x7b19c8?) /usr/lib/go-1.22/src/runtime/mem.go:155 +0x34 fp=0x7ffd65b32200 sp=0x7ffd65b321e0 pc=0x418634 runtime.(mheap).grow(0x7a17c0, 0x455b066?) /usr/lib/go-1.22/src/runtime/mheap.go:1534 +0x236 fp=0x7ffd65b32270 sp=0x7ffd65b32200 pc=0x42b176 runtime.(mheap).allocSpan(0x7a17c0, 0x455b066, 0x0, 0x1) /usr/lib/go-1.22/src/runtime/mheap.go:1246 +0x1b0 fp=0x7ffd65b32310 sp=0x7ffd65b32270 pc=0x42a850 runtime.(*mheap).alloc.func1() /usr/lib/go-1.22/src/runtime/mheap.go:964 +0x5c fp=0x7ffd65b32358 sp=0x7ffd65b32310 pc=0x42a2fc runtime.systemstack(0x46d79f) /usr/lib/go-1.22/src/runtime/asm_amd64.s:509 +0x4a fp=0x7ffd65b32368 sp=0x7ffd65b32358 pc=0x46912a

goroutine 1 gp=0xc0000061c0 m=0 mp=0x798ca0 [running]: runtime.systemstack_switch() /usr/lib/go-1.22/src/runtime/asm_amd64.s:474 +0x8 fp=0xc000031b68 sp=0xc000031b58 pc=0x4690c8 runtime.(mheap).alloc(0x5bc040?, 0xc00012bb08?, 0xa0?) /usr/lib/go-1.22/src/runtime/mheap.go:958 +0x5b fp=0xc000031bb0 sp=0xc000031b68 pc=0x42a25b runtime.(mcache).allocLarge(0xc000126510?, 0x8ab60ca800, 0x1) /usr/lib/go-1.22/src/runtime/mcache.go:234 +0x87 fp=0xc000031c00 sp=0xc000031bb0 pc=0x4176e7 runtime.mallocgc(0x8ab60ca800, 0x5d92a0, 0x1) /usr/lib/go-1.22/src/runtime/malloc.go:1165 +0x597 fp=0xc000031c88 sp=0xc000031c00 pc=0x40ef97 runtime.makeslice(0xc00011c180?, 0x0?, 0x2?) /usr/lib/go-1.22/src/runtime/slice.go:107 +0x49 fp=0xc000031cb0 sp=0xc000031c88 pc=0x4500c9 github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).readFrom(0xc0001b7088 /home/raunan/go/pkg/mod/github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:214 +0x765 fp=0xc000031ea8 sp=0xc000031cb0 pc=0x59b205 github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).ReadFrom(0x100469020 /home/raunan/go/pkg/mod/github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:166 +0x1f fp=0xc000031ed8 sp=0xc000031ea8 pc=0x59aa5f main.main() /home/raunan/gnark_poc/gnark_poc/gnark_poc.go:19 +0xba fp=0xc000031f50 sp=0xc000031ed8 pc=0x5addda runtime.main() /usr/lib/go-1.22/src/runtime/proc.go:271 +0x29d fp=0xc000031fe0 sp=0xc000031f50 pc=0x43b55d runtime.goexit({}) /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000031fe8 sp=0xc000031fe0 pc=0x46b0e1

goroutine 2 gp=0xc000006c40 m=nil [force gc (idle)]: runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000074fa8 sp=0xc000074f88 pc=0x43b98e runtime.goparkunlock(...) /usr/lib/go-1.22/src/runtime/proc.go:408 runtime.forcegchelper() /usr/lib/go-1.22/src/runtime/proc.go:326 +0xb3 fp=0xc000074fe0 sp=0xc000074fa8 pc=0x43b813 runtime.goexit({}) /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000074fe8 sp=0xc000074fe0 pc=0x46b0e1 created by runtime.init.6 in goroutine 1 /usr/lib/go-1.22/src/runtime/proc.go:314 +0x1a

goroutine 3 gp=0xc000007180 m=nil [GC sweep wait]: runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?) /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000075780 sp=0xc000075760 pc=0x43b98e runtime.goparkunlock(...) /usr/lib/go-1.22/src/runtime/proc.go:408 runtime.bgsweep(0xc0000240e0) /usr/lib/go-1.22/src/runtime/mgcsweep.go:278 +0x94 fp=0xc0000757c8 sp=0xc000075780 pc=0x426cf4 runtime.gcenable.gowrap1() /usr/lib/go-1.22/src/runtime/mgc.go:203 +0x25 fp=0xc0000757e0 sp=0xc0000757c8 pc=0x41b845 runtime.goexit({}) /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc0000757e8 sp=0xc0000757e0 pc=0x46b0e1 created by runtime.gcenable in goroutine 1 /usr/lib/go-1.22/src/runtime/mgc.go:203 +0x66

goroutine 4 gp=0xc000007340 m=nil [GC scavenge wait]: runtime.gopark(0xc0000240e0?, 0x657100?, 0x1?, 0x0?, 0xc000007340?) /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000075f78 sp=0xc000075f58 pc=0x43b98e runtime.goparkunlock(...) /usr/lib/go-1.22/src/runtime/proc.go:408 runtime.(*scavengerState).park(0x797520) /usr/lib/go-1.22/src/runtime/mgcscavenge.go:425 +0x49 fp=0xc000075fa8 sp=0xc000075f78 pc=0x4246e9 runtime.bgscavenge(0xc0000240e0) /usr/lib/go-1.22/src/runtime/mgcscavenge.go:653 +0x3c fp=0xc000075fc8 sp=0xc000075fa8 pc=0x424c7c runtime.gcenable.gowrap2() /usr/lib/go-1.22/src/runtime/mgc.go:204 +0x25 fp=0xc000075fe0 sp=0xc000075fc8 pc=0x41b7e5 runtime.goexit({}) /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000075fe8 sp=0xc000075fe0 pc=0x46b0e1 created by runtime.gcenable in goroutine 1 /usr/lib/go-1.22/src/runtime/mgc.go:204 +0xa5

goroutine 18 gp=0xc000102700 m=nil [finalizer wait]: runtime.gopark(0xc000074648?, 0x40f445?, 0xa8?, 0x1?, 0xc0000061c0?) /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000074620 sp=0xc000074600 pc=0x43b98e runtime.runfinq() /usr/lib/go-1.22/src/runtime/mfinal.go:194 +0x107 fp=0xc0000747e0 sp=0xc000074620 pc=0x41a887 runtime.goexit({}) /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc0000747e8 sp=0xc0000747e0 pc=0x46b0e1 created by runtime.createfing in goroutine 1 /usr/lib/go-1.22/src/runtime/mfinal.go:164 +0x3d exit status 2 ```

Appendices

This problem can also happen with ProvingKey.

Impact

Prover and verifier denial of service in case of maliciously crafted inputs (public key, verification key).

Patches

The issue is patched in https://github.com/Consensys/gnark/pull/1307. It was merged to gnark master at https://github.com/Consensys/gnark/commit/47ae846339add2bdf9983e499342bfdfe195191d. The fix will be incorporated in the next minor release of gnark (v0.11.1).

Workarounds

There are no convenient work-arounds currently. The best approach currently is to run key verification as a separate service which halts the verification pipeline in case of OOM when verification keys come from untrusted sources.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.11.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/consensys/gnark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-50354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-31T20:37:00Z",
    "nvd_published_at": "2024-10-31T16:15:05Z",
    "severity": "MODERATE"
  },
  "details": "Thanks @pventuzelo for reporting.\n\nFrom the correspondence:\n\n\u003e Hi,\n\u003e \n\u003e We (Fuzzinglabs \u0026 Lambdaclass) found that during deserialization of certain files representing a `VerifyingKey`, an excessive memory allocation is happening consuming a lot of resources and even triggering a crash with the error `fatal error: runtime: out of memory`.\n\u003e \n\u003e Please find the details below:\n\u003e \n\u003e ## Vulnerability Details\n\u003e \n\u003e - **Severity:** Critical -\u003e DoS\n\u003e - **Affected Component:** Deserialization\n\u003e \n\u003e ## Environment\n\u003e \n\u003e - **Compiler Version:** go version go1.22.2 linux/amd64\n\u003e - **Distro Version:** Ubuntu 24.04.1 LTS\n\u003e \n\u003e - **Additional Environment Details:**\n\u003e   - `[github.com/consensys/gnark](http://github.com/consensys/gnark) v0.11.0`\n\u003e   - `[github.com/consensys/gnark-crypto](http://github.com/consensys/gnark-crypto) v0.14.1-0.20240909142611-e6b99e74cec1`\n\u003e \n\u003e ## Steps to Reproduce\n\u003e \n\u003e You can download the needed files here: https://drive.google.com/drive/folders/1KQ5I3vv4bUllvqbatGappwbAkIcR2NI_?usp=sharing\n\u003e \n\u003e You have to run\n\u003e \n\u003e ```shell\n\u003e go run gnark_poc.go\n\u003e ```\n\u003e \n\u003e in a terminal.\n\u003e \n\u003e Running the provided code will result in a memory crash or an extremely large memory allocation, which can be observed using the following command:\n\u003e \n\u003e ```shell\n\u003e go tool pprof -web mem.pprof\n\u003e ```\n\u003e \n\u003e ## Root Cause Analysis\n\u003e \n\u003e The provided code loads a `VerifyingKey` from `old.vk` by calling the `ReadFrom` function. This function is implemented in [backend/groth16/bn254/marshal.go](https://github.com/Consensys/gnark/blob/ca8e1568f47ae6b717eda0a6734d87645edaecf7/backend/groth16/bn254/marshal.go#L174C2-L174C25) within the [gnark](https://github.com/Consensys/gnark) library.\n\u003e \n\u003e The provided example uses the elliptic curve BN-254, so the code resides in the [backend/groth16/bn254/](https://github.com/Consensys/gnark/blob/ca8e1568f47ae6b717eda0a6734d87645edaecf7/backend/groth16/bn254/) repertory. However, the same error exists in other repertories, such as [backend/groth16/bls12-377/](https://github.com/Consensys/gnark/blob/ca8e1568f47ae6b717eda0a6734d87645edaecf7/backend/groth16/bls12-377/).\n\u003e \n\u003e At [line 207](https://github.com/Consensys/gnark/blob/ca8e1568f47ae6b717eda0a6734d87645edaecf7/backend/groth16/bn254/marshal.go#L207), a slice is allocated with a length of `nbCommitments`. This variable is directly extracted from the deserialized file, which, in our case, has a value of `2,327,186,600`. This large value may be too big for some configurations, leading to memory allocations of approximately \u00b11\u202fTB, as observed with `pprof`.\n\u003e \n\u003e ## Detailed Behavior\n\u003e \n\u003e ```shell\n\u003e go run gnark_poc.go\n\u003e ```\n\u003e \n\u003e ```\n\u003e fatal error: runtime: out of memory\n\u003e \n\u003e runtime stack:\n\u003e runtime.throw({0x5fe946?, 0x2052ae?})\n\u003e /usr/lib/go-1.22/src/runtime/panic.go:1023 +0x5c fp=0x7ffd65b321a0 sp=0x7ffd65b32170 pc=0x438a9c\n\u003e runtime.sysMapOS(0xc000400000, 0x8ab6400000)\n\u003e /usr/lib/go-1.22/src/runtime/mem_linux.go:167 +0x11b fp=0x7ffd65b321e0 sp=0x7ffd65b321a0 pc=0x418bbb\n\u003e runtime.sysMap(0xc000400000, 0x8ab6400000, 0x7b19c8?)\n\u003e /usr/lib/go-1.22/src/runtime/mem.go:155 +0x34 fp=0x7ffd65b32200 sp=0x7ffd65b321e0 pc=0x418634\n\u003e runtime.(*mheap).grow(0x7a17c0, 0x455b066?)\n\u003e /usr/lib/go-1.22/src/runtime/mheap.go:1534 +0x236 fp=0x7ffd65b32270 sp=0x7ffd65b32200 pc=0x42b176\n\u003e runtime.(*mheap).allocSpan(0x7a17c0, 0x455b066, 0x0, 0x1)\n\u003e /usr/lib/go-1.22/src/runtime/mheap.go:1246 +0x1b0 fp=0x7ffd65b32310 sp=0x7ffd65b32270 pc=0x42a850\n\u003e runtime.(*mheap).alloc.func1()\n\u003e /usr/lib/go-1.22/src/runtime/mheap.go:964 +0x5c fp=0x7ffd65b32358 sp=0x7ffd65b32310 pc=0x42a2fc\n\u003e runtime.systemstack(0x46d79f)\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:509 +0x4a fp=0x7ffd65b32368 sp=0x7ffd65b32358 pc=0x46912a\n\u003e \n\u003e goroutine 1 gp=0xc0000061c0 m=0 mp=0x798ca0 [running]:\n\u003e runtime.systemstack_switch()\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:474 +0x8 fp=0xc000031b68 sp=0xc000031b58 pc=0x4690c8\n\u003e runtime.(*mheap).alloc(0x5bc040?, 0xc00012bb08?, 0xa0?)\n\u003e /usr/lib/go-1.22/src/runtime/mheap.go:958 +0x5b fp=0xc000031bb0 sp=0xc000031b68 pc=0x42a25b\n\u003e runtime.(*mcache).allocLarge(0xc000126510?, 0x8ab60ca800, 0x1)\n\u003e /usr/lib/go-1.22/src/runtime/mcache.go:234 +0x87 fp=0xc000031c00 sp=0xc000031bb0 pc=0x4176e7\n\u003e runtime.mallocgc(0x8ab60ca800, 0x5d92a0, 0x1)\n\u003e /usr/lib/go-1.22/src/runtime/malloc.go:1165 +0x597 fp=0xc000031c88 sp=0xc000031c00 pc=0x40ef97\n\u003e runtime.makeslice(0xc00011c180?, 0x0?, 0x2?)\n\u003e /usr/lib/go-1.22/src/runtime/slice.go:107 +0x49 fp=0xc000031cb0 sp=0xc000031c88 pc=0x4500c9\n\u003e [github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).readFrom(0xc0001b7088](http://github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).readFrom(0xc0001b7088), {0x6598a0, 0xc00011dc50}, 0x0)\n\u003e /home/raunan/go/pkg/mod/[github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:214](http://github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:214) +0x765 fp=0xc000031ea8 sp=0xc000031cb0 pc=0x59b205\n\u003e [github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).ReadFrom(0x100469020](http://github.com/consensys/gnark/backend/groth16/bn254.(*VerifyingKey).ReadFrom(0x100469020)?, {0x6598a0?, 0xc00011dc50?})\n\u003e /home/raunan/go/pkg/mod/[github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:166](http://github.com/!ronan!thoraval/gnark@v0.0.0-20241007163125-4c0a7511c3d1/backend/groth16/bn254/marshal.go:166) +0x1f fp=0xc000031ed8 sp=0xc000031ea8 pc=0x59aa5f\n\u003e main.main()\n\u003e /home/raunan/gnark_poc/gnark_poc/gnark_poc.go:19 +0xba fp=0xc000031f50 sp=0xc000031ed8 pc=0x5addda\n\u003e runtime.main()\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:271 +0x29d fp=0xc000031fe0 sp=0xc000031f50 pc=0x43b55d\n\u003e runtime.goexit({})\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000031fe8 sp=0xc000031fe0 pc=0x46b0e1\n\u003e \n\u003e goroutine 2 gp=0xc000006c40 m=nil [force gc (idle)]:\n\u003e runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000074fa8 sp=0xc000074f88 pc=0x43b98e\n\u003e runtime.goparkunlock(...)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:408\n\u003e runtime.forcegchelper()\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:326 +0xb3 fp=0xc000074fe0 sp=0xc000074fa8 pc=0x43b813\n\u003e runtime.goexit({})\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000074fe8 sp=0xc000074fe0 pc=0x46b0e1\n\u003e created by runtime.init.6 in goroutine 1\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:314 +0x1a\n\u003e \n\u003e goroutine 3 gp=0xc000007180 m=nil [GC sweep wait]:\n\u003e runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000075780 sp=0xc000075760 pc=0x43b98e\n\u003e runtime.goparkunlock(...)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:408\n\u003e runtime.bgsweep(0xc0000240e0)\n\u003e /usr/lib/go-1.22/src/runtime/mgcsweep.go:278 +0x94 fp=0xc0000757c8 sp=0xc000075780 pc=0x426cf4\n\u003e runtime.gcenable.gowrap1()\n\u003e /usr/lib/go-1.22/src/runtime/mgc.go:203 +0x25 fp=0xc0000757e0 sp=0xc0000757c8 pc=0x41b845\n\u003e runtime.goexit({})\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc0000757e8 sp=0xc0000757e0 pc=0x46b0e1\n\u003e created by runtime.gcenable in goroutine 1\n\u003e /usr/lib/go-1.22/src/runtime/mgc.go:203 +0x66\n\u003e \n\u003e goroutine 4 gp=0xc000007340 m=nil [GC scavenge wait]:\n\u003e runtime.gopark(0xc0000240e0?, 0x657100?, 0x1?, 0x0?, 0xc000007340?)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000075f78 sp=0xc000075f58 pc=0x43b98e\n\u003e runtime.goparkunlock(...)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:408\n\u003e runtime.(*scavengerState).park(0x797520)\n\u003e /usr/lib/go-1.22/src/runtime/mgcscavenge.go:425 +0x49 fp=0xc000075fa8 sp=0xc000075f78 pc=0x4246e9\n\u003e runtime.bgscavenge(0xc0000240e0)\n\u003e /usr/lib/go-1.22/src/runtime/mgcscavenge.go:653 +0x3c fp=0xc000075fc8 sp=0xc000075fa8 pc=0x424c7c\n\u003e runtime.gcenable.gowrap2()\n\u003e /usr/lib/go-1.22/src/runtime/mgc.go:204 +0x25 fp=0xc000075fe0 sp=0xc000075fc8 pc=0x41b7e5\n\u003e runtime.goexit({})\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc000075fe8 sp=0xc000075fe0 pc=0x46b0e1\n\u003e created by runtime.gcenable in goroutine 1\n\u003e /usr/lib/go-1.22/src/runtime/mgc.go:204 +0xa5\n\u003e \n\u003e goroutine 18 gp=0xc000102700 m=nil [finalizer wait]:\n\u003e runtime.gopark(0xc000074648?, 0x40f445?, 0xa8?, 0x1?, 0xc0000061c0?)\n\u003e /usr/lib/go-1.22/src/runtime/proc.go:402 +0xce fp=0xc000074620 sp=0xc000074600 pc=0x43b98e\n\u003e runtime.runfinq()\n\u003e /usr/lib/go-1.22/src/runtime/mfinal.go:194 +0x107 fp=0xc0000747e0 sp=0xc000074620 pc=0x41a887\n\u003e runtime.goexit({})\n\u003e /usr/lib/go-1.22/src/runtime/asm_amd64.s:1695 +0x1 fp=0xc0000747e8 sp=0xc0000747e0 pc=0x46b0e1\n\u003e created by runtime.createfing in goroutine 1\n\u003e /usr/lib/go-1.22/src/runtime/mfinal.go:164 +0x3d\n\u003e exit status 2\n\u003e ```\n\u003e \n\u003e ## Appendices\n\u003e \n\u003e This problem can also happen with `ProvingKey`.\n\n### Impact\n\nProver and verifier denial of service in case of maliciously crafted inputs (public key, verification key).\n\n### Patches\n\nThe issue is patched in https://github.com/Consensys/gnark/pull/1307. It was merged to gnark master at https://github.com/Consensys/gnark/commit/47ae846339add2bdf9983e499342bfdfe195191d. The fix will be incorporated in the next minor release of gnark (v0.11.1).\n\n### Workarounds\n\nThere are no convenient work-arounds currently. The best approach currently is to run key verification as a separate service which halts the verification pipeline in case of OOM when verification keys come from untrusted sources.",
  "id": "GHSA-cph5-3pgr-c82g",
  "modified": "2024-11-04T13:48:55Z",
  "published": "2024-10-31T20:37:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/security/advisories/GHSA-cph5-3pgr-c82g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50354"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/pull/1307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Consensys/gnark/commit/47ae846339add2bdf9983e499342bfdfe195191d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Consensys/gnark"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-cph5-3pgr-c82g"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gnark out-of-memory during deserialization with crafted inputs"
}

GHSA-CPH5-M8F7-6C5X

Vulnerability from github – Published: 2021-09-01 18:23 – Updated: 2022-09-14 21:28
VLAI
Summary
axios Inefficient Regular Expression Complexity vulnerability
Details

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-01T18:14:02Z",
    "nvd_published_at": "2021-08-31T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.",
  "id": "GHSA-cph5-m8f7-6c5x",
  "modified": "2022-09-14T21:28:32Z",
  "published": "2021-09-01T18:23:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/axios"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "axios Inefficient Regular Expression Complexity vulnerability"
}

GHSA-CPJV-M49G-H8M9

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-674"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-05T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service.",
  "id": "GHSA-cpjv-m49g-h8m9",
  "modified": "2022-05-13T01:38:26Z",
  "published": "2022-05-13T01:38:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0886"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/174524"
    },
    {
      "type": "WEB",
      "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2017-004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.