Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-F44P-C7W9-7XR7

Vulnerability from github – Published: 2026-03-31 23:54 – Updated: 2026-04-28 18:22
VLAI
Summary
OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades
Details

Summary

The gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.

Impact

An unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.

Affected Component

src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit cb5f7e201f (gateway: cap concurrent pre-auth websocket upgrades).

Discovered by:Topsec AlphaLab (wang dong)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:54:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe gateway accepted unbounded concurrent unauthenticated WebSocket upgrades before allocating them to an authenticated session budget.\n\n## Impact\n\nAn unauthenticated network attacker could consume socket and worker capacity and disrupt WebSocket availability for legitimate clients.\n\n## Affected Component\n\n`src/gateway/server-http.ts, src/gateway/server/preauth-connection-budget.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `cb5f7e201f` (`gateway: cap concurrent pre-auth websocket upgrades`).\n\nDiscovered by\uff1aTopsec AlphaLab (wang dong)",
  "id": "GHSA-f44p-c7w9-7xr7",
  "modified": "2026-04-28T18:22:27Z",
  "published": "2026-03-31T23:54:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f44p-c7w9-7xr7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/cb5f7e201f3f86ad70e199ef850e636b4cc457ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Gateway WebSocket Denial of Service via unbounded pre-auth upgrades"
}

GHSA-F44Q-634C-JVWV

Vulnerability from github – Published: 2022-12-07 23:23 – Updated: 2023-07-14 21:52
VLAI
Summary
libp2p DoS vulnerability from lack of resource management
Details

Impact

Versions older than v0.38.0 of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host’s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.

Patches (What to do as a js-libp2p consumer:)

Update your js-libp2p dependency to v0.38.0 or greater.

Workarounds

There are no workarounds, and so we recommend to upgrade your js-libp2p version. Some range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw ) or making use of a load balancer in front of libp2p nodes. You can also use the allow deny list in js-libp2p to deny specific peers.

However these require direct action & responsibility on your part and are no substitutes for upgrading js-libp2p. Therefore, we highly recommend upgrading your js-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about js-libp2p resource utilization.

References

  • DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/.
  • Documentation on how to configure limits to prevent excessive resource consumption: https://github.com/libp2p/js-libp2p/blob/master/doc/LIMITS.md
  • Documentation on how to configure metrics: https://github.com/libp2p/js-libp2p/blob/master/doc/METRICS.md

Please see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and rust-libp2p: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8

For more information

If you have any questions or comments about this advisory, please email us at security@libp2p.io.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "libp2p"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-07T23:23:59Z",
    "nvd_published_at": "2022-12-07T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nVersions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p\u2019s connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory, ultimately leading to the process getting killed by the host\u2019s operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of js-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack.\n\n### Patches (What to do as a js-libp2p consumer:)\nUpdate your js-libp2p dependency to `v0.38.0` or greater.\n\n### Workarounds\nThere are no workarounds, and so we recommend to upgrade your js-libp2p version.\nSome range of attacks can be mitigated using OS tools (like manually blocking malicious peers using iptables or ufw ) or making use of a load balancer in front of libp2p nodes.\nYou can also use the [allow deny list in js-libp2p](https://docs.libp2p.io/concepts/security/dos-mitigation/#deny-specific-peers-or-create-an-allow-list-of-trusted-peers) to deny specific peers.\n\nHowever these require direct action \u0026 responsibility on your part and are no substitutes for upgrading js-libp2p. Therefore, we highly recommend upgrading your js-libp2p version for the way it enables tighter scoped limits and provides visibility into and easier reasoning about js-libp2p resource utilization.\n\n### References\n* DoS Mitigation page for more information on how to incorporate mitigation strategies, monitor your application, and respond to attacks: https://docs.libp2p.io/reference/dos-mitigation/. \n* Documentation on how to configure limits to prevent excessive resource consumption: https://github.com/libp2p/js-libp2p/blob/master/doc/LIMITS.md\n* Documentation on how to configure metrics: https://github.com/libp2p/js-libp2p/blob/master/doc/METRICS.md\n\nPlease see the related disclosure for go-libp2p: https://github.com/libp2p/go-libp2p/security/advisories/GHSA-j7qp-mfxf-8xjw and rust-libp2p: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-jvgw-gccv-q5p8 \n\n#### For more information\n\nIf you have any questions or comments about this advisory, please email us at [security@libp2p.io](mailto:security@libp2p.io).",
  "id": "GHSA-f44q-634c-jvwv",
  "modified": "2023-07-14T21:52:56Z",
  "published": "2022-12-07T23:23:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23487"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/js-libp2p"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "libp2p DoS vulnerability from lack of resource management"
}

GHSA-F46H-MH94-F4W2

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-10-25 19:00
VLAI
Details

Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22553"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-772"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-17T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "Any git operation is passed through Jetty and a session is created. No expiry is set for the session and Jetty does not automatically dispose of the session. Over multiple git actions, this can lead to a heap memory exhaustion for Gerrit servers. We recommend upgrading Gerrit to any of the versions listed above.",
  "id": "GHSA-f46h-mh94-f4w2",
  "modified": "2022-10-25T19:00:30Z",
  "published": "2022-05-24T17:42:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22553"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/gerrit/issues/detail?id=13858"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F48G-WQMG-9R45

Vulnerability from github – Published: 2024-08-08 12:30 – Updated: 2024-08-08 12:30
VLAI
Details

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-08T11:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch.",
  "id": "GHSA-f48g-wqmg-9r45",
  "modified": "2024-08-08T12:30:35Z",
  "published": "2024-08-08T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7610"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/468917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F499-J7P4-WM44

Vulnerability from github – Published: 2026-03-26 18:31 – Updated: 2026-03-26 18:31
VLAI
Details

Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T17:16:42Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost Plugins versions \u003c=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589",
  "id": "GHSA-f499-j7p4-wm44",
  "modified": "2026-03-26T18:31:42Z",
  "published": "2026-03-26T18:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3116"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4JQ-8GQC-63V2

Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-14 18:30
VLAI
Details

An issue in the profile image upload function of LearnDash v6.7.1 allows attackers to cause a Denial of Service (DoS) via excessive file uploads.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-12T22:15:40Z",
    "severity": "HIGH"
  },
  "details": "An issue in the profile image upload function of LearnDash v6.7.1 allows attackers to cause a Denial of Service (DoS) via excessive file uploads.",
  "id": "GHSA-f4jq-8gqc-63v2",
  "modified": "2025-02-14T18:30:49Z",
  "published": "2025-02-13T00:33:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nikolas-ch/CVEs/tree/main/LearnDash_v6.7.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4W8-CV6P-X6R5

Vulnerability from github – Published: 2021-03-18 19:55 – Updated: 2025-08-15 13:58
VLAI
Summary
Pillow Denial of Service by Uncontrolled Resource Consumption
Details

Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27921"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T23:35:22Z",
    "nvd_published_at": "2021-03-03T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "Pillow before 8.1.2 allows attackers to cause a denial of service (memory consumption) because the reported size of a contained image is not properly checked for a BLP container, and thus an attempted memory allocation can be very large.",
  "id": "GHSA-f4w8-cv6p-x6r5",
  "modified": "2025-08-15T13:58:12Z",
  "published": "2021-03-18T19:55:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-40.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S7G44Z33J4BNI2DPDROHWGVG2U7ZH5JU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQQY6472RX4J2SUJENWDZAWKTJJGP2ML"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTSY25UJU7NJUFHH3HWT575LT4TDFWBZ"
    },
    {
      "type": "WEB",
      "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html"
    },
    {
      "type": "WEB",
      "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pillow Denial of Service by Uncontrolled Resource Consumption"
}

GHSA-F4XJ-JR64-MRRF

Vulnerability from github – Published: 2024-06-11 03:30 – Updated: 2024-06-11 03:30
VLAI
Details

SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service.

An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T03:15:10Z",
    "severity": "MODERATE"
  },
  "details": "SAP NetWeaver and ABAP platform allows an\nattacker to impede performance for legitimate users by crashing or flooding the\nservice.\n\n\n\nAn\nimpact of this Denial of Service vulnerability might be long response delays\nand service interruptions, thus degrading the service quality experienced by\nlegitimate users causing high impact on availability of the application.",
  "id": "GHSA-f4xj-jr64-mrrf",
  "modified": "2024-06-11T03:30:59Z",
  "published": "2024-06-11T03:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33001"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3453170"
    },
    {
      "type": "WEB",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4XM-W85J-GC55

Vulnerability from github – Published: 2022-05-13 01:07 – Updated: 2022-05-13 01:07
VLAI
Details

Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1000115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-05T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial of service via network flood (traffic amplification of 1:50,000 has been reported by reliable sources). This attack appear to be exploitable via network connectivity to port 11211 UDP. This vulnerability appears to have been fixed in 1.5.6 due to the disabling of the UDP protocol by default.",
  "id": "GHSA-f4xm-w85j-gc55",
  "modified": "2022-05-13T01:07:32Z",
  "published": "2022-05-13T01:07:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/memcached/memcached/issues/348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2018:2140"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1593"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1627"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2331"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2857"
    },
    {
      "type": "WEB",
      "url": "https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/memcached/memcached/wiki/ReleaseNotes156"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/dormando/status/968579781729009664"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3588-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4218"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44264"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44265"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/support/security/Synology_SA_18_07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F523-2F5J-GFCG

Vulnerability from github – Published: 2018-08-29 23:04 – Updated: 2023-09-13 19:38
VLAI
Summary
Regular Expression Denial of Service in timespan
Details

Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Recommendation

No direct patch is available for this vulnerability.

Currently, the best available solution is to use a functionally equivalent alternative package.

It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "timespan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:33:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `timespan` are vulnerable to a regular expression denial of service when parsing dates.\n\nThe amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.\n\n\n## Recommendation\n\nNo direct patch is available for this vulnerability.\n\nCurrently, the best available solution is to use a functionally equivalent alternative package.\n\nIt is also sufficient to ensure that user input is not being passed into `timespan`, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.",
  "id": "GHSA-f523-2f5j-gfcg",
  "modified": "2023-09-13T19:38:19Z",
  "published": "2018-08-29T23:04:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16115"
    },
    {
      "type": "WEB",
      "url": "https://github.com/indexzero/TimeSpan.js/issues/10"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-f523-2f5j-gfcg"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/533"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in timespan"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.