Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-FQJR-JWV4-CMHG

Vulnerability from github – Published: 2025-10-20 21:30 – Updated: 2025-10-21 15:30
VLAI
Details

Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-61301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-20T21:15:38Z",
    "severity": "HIGH"
  },
  "details": "Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested or oversized behavior data that trigger MongoDB BSON limits or orjson recursion errors when the sample executes in the sandbox.",
  "id": "GHSA-fqjr-jwv4-cmhg",
  "modified": "2025-10-21T15:30:56Z",
  "published": "2025-10-20T21:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eGkritsis/CVE-2025-61301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kevoreilly/CAPEv2"
    },
    {
      "type": "WEB",
      "url": "http://capev2.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR2G-FCJJ-V8HC

Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2025-11-04 00:30
VLAI
Details

A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Linux kernel. Measuring usage of the shared memory does not scale with large shared memory segment counts which could lead to resource exhaustion and DoS.",
  "id": "GHSA-fr2g-fcjj-v8hc",
  "modified": "2025-11-04T00:30:32Z",
  "published": "2022-08-27T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3669"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1975"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:1988"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3669"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1980619"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1986473"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2021-3669"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR33-W8FM-P45J

Vulnerability from github – Published: 2022-05-14 02:08 – Updated: 2022-05-14 02:08
VLAI
Details

PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-09-26T16:59:00Z",
    "severity": "HIGH"
  },
  "details": "PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response.",
  "id": "GHSA-fr33-w8fm-p45j",
  "modified": "2022-05-14T02:08:57Z",
  "published": "2022-05-14T02:08:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PowerDNS/pdns/issues/4128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PowerDNS/pdns/issues/4133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PowerDNS/pdns/pull/4134"
    },
    {
      "type": "WEB",
      "url": "https://doc.powerdns.com/md/changelog/#powerdns-authoritative-server-401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sischkg/xfer-limit/blob/master/README.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00085.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3664"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/07/06/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91678"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1036242"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FR44-546P-7XCP

Vulnerability from github – Published: 2023-10-10 22:23 – Updated: 2024-06-03 18:31
VLAI
Summary
MsQuic Remote Denial of Service Vulnerability
Details

Impact

The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.

Patches

The following patch was made:

  • Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/d364feeda0dd8b729eca6fef149c1ef98630f0cb

Workarounds

Beyond upgrading to the patched versions, there is no other workaround.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.Native.Quic.MsQuic.OpenSSL"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.Native.Quic.MsQuic.Schannel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36435"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-401"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-10T22:23:28Z",
    "nvd_published_at": "2023-10-10T18:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.\n\n### Patches\nThe following patch was made:\n\n- Fix Memory Leak from Multiple Decodes of TP - https://github.com/microsoft/msquic/commit/d364feeda0dd8b729eca6fef149c1ef98630f0cb\n\n### Workarounds\nBeyond upgrading to the patched versions, there is no other workaround.\n",
  "id": "GHSA-fr44-546p-7xcp",
  "modified": "2024-06-03T18:31:15Z",
  "published": "2023-10-10T22:23:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/msquic/security/advisories/GHSA-fr44-546p-7xcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36435"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/msquic/commit/d364feeda0dd8b729eca6fef149c1ef98630f0cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/msquic"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MsQuic Remote Denial of Service Vulnerability"
}

GHSA-FR49-MHGJ-CRFC

Vulnerability from github – Published: 2026-06-04 14:39 – Updated: 2026-06-09 11:53
VLAI
Summary
Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification
Details

Summary

The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a dos via resource exhaustion.

Details

The current implementation of alias counting in strawberry/extensions/max_aliases.py uses a static approach

for selection in selection_set_owner.selection_set.selections: 
    if isinstance(selection, FieldNode) and selection.alias:
        result += 1

    if isinstance(selection, (FieldNode, InlineFragmentNode)) and ~~~:
        result += count_fields_with_alias(selection)

When a FragmentSpread is used multiple times, the actual number of aliases processed by the execution engine is

Total Aliases = query aliases + (num of spreads * aliases within fragment)

Because Strawberry only performs a static sum of the text, it misses this multiplication

PoC

server code

import strawberry
from fastapi import FastAPI
from strawberry.fastapi import GraphQLRouter
from strawberry.extensions import MaxAliasesLimiter

@strawberry.type
class User:
    name: str = "GONA"

@strawberry.type
class Query:
    @strawberry.field
    def user(self) -> User:
        return User()

# Limit is set to 20 aliases
schema = strawberry.Schema(
    query=Query, 
    extensions=[MaxAliasesLimiter(max_alias_count=20)]
)

app = FastAPI()
app.include_router(GraphQLRouter(schema), prefix="/graphql")

payloads

import httpx

payload = {
    "query": """
        fragment Amplification on User {
            a1: name, a2: name, a3: name, a4: name, a5: name,
            a6: name, a7: name, a8: name, a9: name, a10: name
        }
        query Bypass {
            u1: user { ...Amplification }
            u2: user { ...Amplification }
            u3: user { ...Amplification }
            u4: user { ...Amplification }
            u5: user { ...Amplification }
            u6: user { ...Amplification }
            u7: user { ...Amplification }
            u8: user { ...Amplification }
            u9: user { ...Amplification }
            u10: user { ...Amplification }
        }
    """
}

response = httpx.post("http://127.0.0.1:8000/graphql", json=payload)
print(f"Status: {response.status_code}")
# The response will contain 100 'a' aliases nested within 10 'u' aliases.
print(response.json())

Impact

An attacker can bypass security constraints to cause Application-level DOS. By staying just under the max_alias_count limit in the AST an attacker can trigger thousands of actual alias resolutions on the backend consuming excessive CPU and memory

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.315.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "strawberry-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.172.0"
            },
            {
              "fixed": "0.315.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:39:42Z",
    "nvd_published_at": "2026-06-04T15:16:55Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a  dos via resource exhaustion.\n\n### Details\nThe current implementation of alias counting in strawberry/extensions/max_aliases.py uses a static approach\n```\nfor selection in selection_set_owner.selection_set.selections: \n    if isinstance(selection, FieldNode) and selection.alias:\n        result += 1\n\n    if isinstance(selection, (FieldNode, InlineFragmentNode)) and ~~~:\n        result += count_fields_with_alias(selection)\n```\n\nWhen a FragmentSpread is used multiple times, the actual number of aliases processed by the execution engine is\n\n**Total Aliases = query aliases + (num of spreads * aliases within fragment)**\n\nBecause Strawberry only performs a static sum of the text, it misses this multiplication\n\n### PoC\n**server code**\n```\nimport strawberry\nfrom fastapi import FastAPI\nfrom strawberry.fastapi import GraphQLRouter\nfrom strawberry.extensions import MaxAliasesLimiter\n\n@strawberry.type\nclass User:\n    name: str = \"GONA\"\n\n@strawberry.type\nclass Query:\n    @strawberry.field\n    def user(self) -\u003e User:\n        return User()\n\n# Limit is set to 20 aliases\nschema = strawberry.Schema(\n    query=Query, \n    extensions=[MaxAliasesLimiter(max_alias_count=20)]\n)\n\napp = FastAPI()\napp.include_router(GraphQLRouter(schema), prefix=\"/graphql\")\n```\n\n**payloads**\n```\nimport httpx\n\npayload = {\n    \"query\": \"\"\"\n        fragment Amplification on User {\n            a1: name, a2: name, a3: name, a4: name, a5: name,\n            a6: name, a7: name, a8: name, a9: name, a10: name\n        }\n        query Bypass {\n            u1: user { ...Amplification }\n            u2: user { ...Amplification }\n            u3: user { ...Amplification }\n            u4: user { ...Amplification }\n            u5: user { ...Amplification }\n            u6: user { ...Amplification }\n            u7: user { ...Amplification }\n            u8: user { ...Amplification }\n            u9: user { ...Amplification }\n            u10: user { ...Amplification }\n        }\n    \"\"\"\n}\n\nresponse = httpx.post(\"http://127.0.0.1:8000/graphql\", json=payload)\nprint(f\"Status: {response.status_code}\")\n# The response will contain 100 \u0027a\u0027 aliases nested within 10 \u0027u\u0027 aliases.\nprint(response.json())\n```\n\n### Impact\nAn attacker can bypass security constraints to cause Application-level DOS. By staying just under the max_alias_count limit in the AST an attacker can trigger thousands of actual alias resolutions on the backend consuming excessive CPU and memory",
  "id": "GHSA-fr49-mhgj-crfc",
  "modified": "2026-06-09T11:53:04Z",
  "published": "2026-06-04T14:39:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-fr49-mhgj-crfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47707"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strawberry-graphql/strawberry"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strawberry GraphQL\u0027s Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification"
}

GHSA-FRGF-8JR5-J2JV

Vulnerability from github – Published: 2023-10-30 21:33 – Updated: 2026-06-08 23:16
VLAI
Summary
memory leak flaw was found in ruby-magick
Details

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rmagick"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-401"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-31T19:41:15Z",
    "nvd_published_at": "2023-10-30T21:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.",
  "id": "GHSA-frgf-8jr5-j2jv",
  "modified": "2026-06-08T23:16:29Z",
  "published": "2023-10-30T21:33:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5349"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rmagick/rmagick/issues/1401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rmagick/rmagick/pull/1406"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rmagick/rmagick/commit/02f37ca0d6c2b8fff316e0668efa690f5c90a429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rmagick/rmagick/commit/fec7a7e639ae565386f7615155dbcf49b957b64a"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-5349"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247064"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-frgf-8jr5-j2jv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rmagick/rmagick"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rmagick/CVE-2023-5349.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S3XMQ2KWPYGT447EKPENGXXHKAQ5NUWF"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "memory leak flaw was found in ruby-magick"
}

GHSA-FRWV-8C9X-7766

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2025-10-22 00:31
VLAI
Details

A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.5.1 and iPadOS 13.5.1, macOS Catalina 10.15.5 Supplemental Update, tvOS 13.4.6, watchOS 6.2.6. An application may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9859"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-415"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-05T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.5.1 and iPadOS 13.5.1, macOS Catalina 10.15.5 Supplemental Update, tvOS 13.4.6, watchOS 6.2.6. An application may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-frwv-8c9x-7766",
  "modified": "2025-10-22T00:31:55Z",
  "published": "2022-05-24T17:19:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9859"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT211214"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-9859"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRXP-7WJ7-F8M8

Vulnerability from github – Published: 2025-07-15 21:31 – Updated: 2025-07-15 21:31
VLAI
Details

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50093"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-15T20:15:45Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).  Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and  9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).",
  "id": "GHSA-frxp-7wj7-f8m8",
  "modified": "2025-07-15T21:31:42Z",
  "published": "2025-07-15T21:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50093"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV2F-RW9F-V9CM

Vulnerability from github – Published: 2026-05-15 15:30 – Updated: 2026-06-29 22:57
VLAI
Summary
smtp-server's command parser memory exhaustion denial-of-service
Details

smtp-server prior to v3.18.3 are vulnerable to unauthenticated memory exhaustion denial-of-service. smtp-server's command parser allows any remote client to consume server memory by sending data without newline characters. The server's _remainder buffer in SMTPStream._write grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash.

The _write method in lib/smtp-stream.js appends incoming TCP chunks to this._remainder in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the _remainder value will grow indefinitely, causing excess memory consumption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "smtp-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-38728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-29T22:57:15Z",
    "nvd_published_at": "2026-05-15T15:16:51Z",
    "severity": "HIGH"
  },
  "details": "smtp-server prior to v3.18.3 are vulnerable to unauthenticated memory exhaustion denial-of-service. smtp-server\u0027s command parser allows any remote client to consume server memory by sending data without newline characters. The server\u0027s `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash.\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.",
  "id": "GHSA-fv2f-rw9f-v9cm",
  "modified": "2026-06-29T22:57:15Z",
  "published": "2026-05-15T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/smtp-server/commit/592c5666fa0c76d1d04c1a32abad0ef806fbfe97"
    },
    {
      "type": "WEB",
      "url": "https://bytecreator.dev/blog/CVE-2026-38728"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/smtp-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/smtp-server/releases/tag/v3.18.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "smtp-server\u0027s command parser memory exhaustion denial-of-service"
}

GHSA-FV42-5HCX-5CR6

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in the Ethernet/IP server functionality of the EIP Stack Group OpENer 2.3 and development commit 8c73bf3. A large number of network requests in a small span of time can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.",
  "id": "GHSA-fv42-5hcx-5cr6",
  "modified": "2022-05-24T17:35:59Z",
  "published": "2022-05-24T17:35:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13530"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1143"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.