Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5416 vulnerabilities reference this CWE, most recent first.

GHSA-G78M-2CHM-R7QV

Vulnerability from github – Published: 2020-06-05 16:16 – Updated: 2021-08-25 21:51
VLAI
Summary
Regular Expression Denial of Service in websocket-extensions (NPM package)
Details

Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form:

Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...

That is, a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this will block the processing of any other work on the same thread. Thus if you are running a single-threaded server, such a request can render your service completely unavailable.

Patches

Users should upgrade to version 0.1.4.

Workarounds

There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.

References

  • https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "websocket-extensions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-7662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-03T23:10:26Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe ReDoS flaw allows an attacker to exhaust the server\u0027s capacity to process\nincoming requests by sending a WebSocket handshake request containing a header\nof the following form:\n\n    Sec-WebSocket-Extensions: a; b=\"\\c\\c\\c\\c\\c\\c\\c\\c\\c\\c ...\n\nThat is, a header containing an unclosed string parameter value whose content is\na repeating two-byte sequence of a backslash and some other character. The\nparser takes exponential time to reject this header as invalid, and this will\nblock the processing of any other work on the same thread. Thus if you are\nrunning a single-threaded server, such a request can render your service\ncompletely unavailable.\n\n### Patches\n\nUsers should upgrade to version 0.1.4.\n\n### Workarounds\n\nThere are no known work-arounds other than disabling any public-facing\nWebSocket functionality you are operating.\n\n### References\n\n- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/",
  "id": "GHSA-g78m-2chm-r7qv",
  "modified": "2021-08-25T21:51:05Z",
  "published": "2020-06-05T16:16:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7662"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237"
    },
    {
      "type": "WEB",
      "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faye/websocket-extensions-node"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in websocket-extensions (NPM package)"
}

GHSA-G7F3-828F-7H7M

Vulnerability from github – Published: 2025-10-10 22:54 – Updated: 2025-11-03 18:31
VLAI
Summary
Authlib : JWE zip=DEF decompression bomb enables DoS
Details

Summary

Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service.

Details

  • Affected component: Authlib JOSE, JWE zip=DEF (DEFLATE) support.
  • In authlib/authlib/jose/rfc7518/jwe_zips.py, DeflateZipAlgorithm.decompress calls zlib.decompress(s, -zlib.MAX_WBITS) without a maximum output limit. This permits unbounded expansion of compressed payloads.
  • In the JWE decode flow (authlib/authlib/jose/rfc7516/jwe.py), when the protected header contains "zip": "DEF", the library routes the decrypted ciphertext into the decompress method and assigns the fully decompressed bytes to the plaintext field before returning it. No streaming limit or quota is applied.
  • Because DEFLATE achieves extremely high ratios on highly repetitive input, an attacker can craft a tiny zip=DEF ciphertext that inflates to a very large plaintext during decrypt, spiking RSS and CPU. Repeated requests can starve the process or host.

Code references (from this repository version): - authlib/authlib/jose/rfc7518/jwe_zips.pyDeflateZipAlgorithm.decompress uses unbounded zlib.decompress. - authlib/authlib/jose/rfc7516/jwe.py – JWE decode path applies zip_.decompress(msg) when zip=DEF is present in the header.

Contrast: The joserfc project guards zip=DEF decompression with a fixed maximum (256 KB) and raises ExceededSizeError if output would exceed this limit, preventing the bomb. Authlib lacks such a guard in this codebase snapshot.

PoC

Environment: Python 3.10+ inside a venv; Authlib installed editable from this repository so source changes are visible. The PoC script demonstrates both a benign and a compressible-bomb payload and prints wall/CPU time, RSS, and size ratios.

1) Create venv and install Authlib (editable): Set current directory to /authlib Download jwe_deflate_dos_demo.py in /authlib

python3 -m venv .venv
.venv/bin/pip install --upgrade pip
.venv/bin/pip install -e .

2) Run the PoC (included in this repo):

.venv/bin/python /authlib/jwe_deflate_dos_demo.py --size 50 --max-rss-mb 2048

Sample output (abridged):

LOCAL TEST ONLY – do not send to third-party systems.
Runtime: Python 3.13.6 / Authlib 1.6.4 / zip=DEF via A256GCM
[CASE] normal    plaintext=13B  ciphertext=117B decompressed=13B  wall_s=0.000 cpu_s=0.000 peak_rss_mb=31.0  ratio=0.1
[CASE] malicious plaintext=50MB ciphertext=~4KB decompressed=50MB wall_s=~2.3  cpu_s=~2.2  peak_rss_mb=800+  ratio=12500+

The second case shows the decompression spike: a few KB of ciphertext forces allocation and processing of ~50 MB during decrypt. Repeated requests can quickly exhaust available memory and CPU.

Reproduction notes: - Algorithm: alg=dir, enc=A256GCM, header includes { "zip": "DEF" }. - The PoC uses a 32‑byte local symmetric key and a highly compressible payload ("A" * N). - Increase --size to stress memory; the --max-rss-mb flag helps avoid destabilizing the host during testing.

Impact

  • Effect: Denial of service (memory/CPU exhaustion) during JWE decrypt of zip=DEF tokens.
  • Who is impacted: Any service that uses Authlib to decrypt JWE tokens with zip=DEF and where an attacker can submit tokens that will be successfully decrypted (e.g., shared dir key, token reflection, or compromised/abused issuers).
  • Confidentiality/Integrity: No direct C/I impact; availability impact is high.

Severity (CVSS v3.1)

Base vector (typical shared‑secret scenario where the attacker must produce a decryptable token): - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H → 6.5 (MEDIUM)

Rationale: - Network‑reachable (AV:N), low complexity (AC:L), no user interaction (UI:N), scope unchanged (S:U). - Attacker must hold or gain ability to mint a decryptable token for the target (PR:L) — common with alg=dir and shared keys across services. - No confidentiality or integrity loss (C:N/I:N); availability is severely impacted (A:H) due to decompression expansion. If arbitrary unprivileged parties can submit JWEs that will be decrypted (PR:N), the base vector becomes: - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H → 7.5 (HIGH)

Mitigations / Workarounds

  • Reject or strip zip=DEF for inbound JWEs at the application boundary until a fix is available.
  • Fork and add a bounded decompression guard (e.g., zlib.decompress(..., max_length) via decompressobj().decompress(data, MAX_SIZE)), returning an error when output exceeds a safe limit.
  • Enforce strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.

Remediation Guidance (for maintainers)

  • Mirror joserfc’s approach: add a conservative maximum output size (e.g., 256 KB by default) and raise a specific error when exceeded; document a controlled way to raise this ceiling for trusted environments.
  • Consider streaming decode with chunked limits to avoid large single allocations.

References

  • Authlib source: authlib/authlib/jose/rfc7518/jwe_zips.py, authlib/authlib/jose/rfc7516/jwe.py
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "authlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T22:54:03Z",
    "nvd_published_at": "2025-10-22T22:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n_Authlib\u2019s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service._\n\n### Details\n- Affected component: Authlib JOSE, JWE `zip=DEF` (DEFLATE) support.\n- In `authlib/authlib/jose/rfc7518/jwe_zips.py`, `DeflateZipAlgorithm.decompress` calls `zlib.decompress(s, -zlib.MAX_WBITS)` without a maximum output limit. This permits unbounded expansion of compressed payloads.\n- In the JWE decode flow (`authlib/authlib/jose/rfc7516/jwe.py`), when the protected header contains `\"zip\": \"DEF\"`, the library routes the decrypted ciphertext into the `decompress` method and assigns the fully decompressed bytes to the plaintext field before returning it. No streaming limit or quota is applied.\n- Because DEFLATE achieves extremely high ratios on highly repetitive input, an attacker can craft a tiny `zip=DEF` ciphertext that inflates to a very large plaintext during decrypt, spiking RSS and CPU. Repeated requests can starve the process or host.\n\nCode references (from this repository version):\n- `authlib/authlib/jose/rfc7518/jwe_zips.py` \u2013 `DeflateZipAlgorithm.decompress` uses unbounded `zlib.decompress`.\n- `authlib/authlib/jose/rfc7516/jwe.py` \u2013 JWE decode path applies `zip_.decompress(msg)` when `zip=DEF` is present in the header.\n\nContrast: The `joserfc` project guards `zip=DEF` decompression with a fixed maximum (256 KB) and raises `ExceededSizeError` if output would exceed this limit, preventing the bomb. Authlib lacks such a guard in this codebase snapshot.\n\n### PoC\nEnvironment: Python 3.10+ inside a venv; Authlib installed editable from this repository so source changes are visible. The PoC script demonstrates both a benign and a compressible-bomb payload and prints wall/CPU time, RSS, and size ratios.\n\n1) Create venv and install Authlib (editable):\nSet current directory to /authlib\nDownload [jwe_deflate_dos_demo.py](https://github.com/user-attachments/files/22519553/jwe_deflate_dos_demo.py) in /authlib\n```\npython3 -m venv .venv\n.venv/bin/pip install --upgrade pip\n.venv/bin/pip install -e .\n```\n\n2) Run the PoC (included in this repo):\n```\n.venv/bin/python /authlib/jwe_deflate_dos_demo.py --size 50 --max-rss-mb 2048\n```\n\nSample output (abridged):\n```\nLOCAL TEST ONLY \u2013 do not send to third-party systems.\nRuntime: Python 3.13.6 / Authlib 1.6.4 / zip=DEF via A256GCM\n[CASE] normal    plaintext=13B  ciphertext=117B decompressed=13B  wall_s=0.000 cpu_s=0.000 peak_rss_mb=31.0  ratio=0.1\n[CASE] malicious plaintext=50MB ciphertext=~4KB decompressed=50MB wall_s=~2.3  cpu_s=~2.2  peak_rss_mb=800+  ratio=12500+\n```\n\nThe second case shows the decompression spike: a few KB of ciphertext forces allocation and processing of ~50 MB during decrypt. Repeated requests can quickly exhaust available memory and CPU.\n\nReproduction notes:\n- Algorithm: `alg=dir`, `enc=A256GCM`, header includes `{ \"zip\": \"DEF\" }`.\n- The PoC uses a 32\u2011byte local symmetric key and a highly compressible payload (`\"A\" * N`).\n- Increase `--size` to stress memory; the `--max-rss-mb` flag helps avoid destabilizing the host during testing.\n\n### Impact\n- Effect: Denial of service (memory/CPU exhaustion) during JWE decrypt of `zip=DEF` tokens.\n- Who is impacted: Any service that uses Authlib to decrypt JWE tokens with `zip=DEF` and where an attacker can submit tokens that will be successfully decrypted (e.g., shared `dir` key, token reflection, or compromised/abused issuers).\n- Confidentiality/Integrity: No direct C/I impact; availability impact is high.\n\n### Severity (CVSS v3.1)\nBase vector (typical shared\u2011secret scenario where the attacker must produce a decryptable token):\n- `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` \u2192 6.5 (MEDIUM)\n\n**Rationale:**\n- Network\u2011reachable (AV:N), low complexity (AC:L), no user interaction (UI:N), scope unchanged (S:U).\n- Attacker must hold or gain ability to mint a decryptable token for the target (PR:L) \u2014 common with `alg=dir` and shared keys across services.\n- No confidentiality or integrity loss (C:N/I:N); availability is severely impacted (A:H) due to decompression expansion.\nIf arbitrary unprivileged parties can submit JWEs that will be decrypted (PR:N), the base vector becomes:\n- `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` \u2192 7.5 (HIGH)\n\n### Mitigations / Workarounds\n- Reject or strip `zip=DEF` for inbound JWEs at the application boundary until a fix is available.\n- Fork and add a bounded decompression guard (e.g., `zlib.decompress(..., max_length)` via `decompressobj().decompress(data, MAX_SIZE)`), returning an error when output exceeds a safe limit.\n- Enforce strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.\n\n### Remediation Guidance (for maintainers)\n- Mirror `joserfc`\u2019s approach: add a conservative maximum output size (e.g., 256 KB by default) and raise a specific error when exceeded; document a controlled way to raise this ceiling for trusted environments.\n- Consider streaming decode with chunked limits to avoid large single allocations.\n\n### References\n- Authlib source: `authlib/authlib/jose/rfc7518/jwe_zips.py`, `authlib/authlib/jose/rfc7516/jwe.py`",
  "id": "GHSA-g7f3-828f-7h7m",
  "modified": "2025-11-03T18:31:46Z",
  "published": "2025-10-10T22:54:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authlib/authlib/security/advisories/GHSA-g7f3-828f-7h7m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62706"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authlib/authlib/commit/e0863d5129316b1790eee5f14cece32a03b8184d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authlib/authlib"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00032.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authlib : JWE zip=DEF decompression bomb enables DoS"
}

GHSA-G7GR-M9C4-CG88

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-14 18:31
VLAI
Details

An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.35. If multicast streams are enabled on different interfaces, it may be possible to interrupt multicast traffic on some of these interfaces. That could result in a denial of the multicast routing service on the firewall.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27829"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T17:15:46Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Stormshield Network Security (SNS) 4.3.x before 4.3.35. If multicast streams are enabled on different interfaces, it may be possible to interrupt multicast traffic on some of these interfaces. That could result in a denial of the multicast routing service on the firewall.",
  "id": "GHSA-g7gr-m9c4-cg88",
  "modified": "2025-04-14T18:31:48Z",
  "published": "2025-04-01T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27829"
    },
    {
      "type": "WEB",
      "url": "https://advisories.stormshield.eu/2025-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7HF-55M7-JHMC

Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01
VLAI
Details

An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T20:15:09Z",
    "severity": "HIGH"
  },
  "details": "An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191.\n\n",
  "id": "GHSA-g7hf-55m7-jhmc",
  "modified": "2024-04-04T04:01:28Z",
  "published": "2023-05-10T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36329"
    },
    {
      "type": "WEB",
      "url": "https://www.westerndigital.com/support/product-security/wdc-23003-western-digital-my-cloud-home-my-cloud-home-duo-and-sandisk-ibi-firmware-version-9-4-0-191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7Q5-PJJR-GQVP

Vulnerability from github – Published: 2018-07-24 20:14 – Updated: 2021-09-10 20:28
VLAI
Summary
Regular Expression Denial of Service in tough-cookie
Details

Affected versions of tough-cookie are susceptible to a regular expression denial of service.

The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.

If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

Recommendation

Update to version 2.3.3 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "tough-cookie"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:36:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `tough-cookie` are susceptible to a regular expression denial of service.\n\nThe amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.\n\nIf node was compiled using the `-DHTTP_MAX_HEADER_SIZE` however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.\n\n\n## Recommendation\n\nUpdate to version 2.3.3 or later.",
  "id": "GHSA-g7q5-pjjr-gqvp",
  "modified": "2021-09-10T20:28:19Z",
  "published": "2018-07-24T20:14:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15010"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salesforce/tough-cookie/issues/92"
    },
    {
      "type": "WEB",
      "url": "https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2912"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2913"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1263"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1264"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g7q5-pjjr-gqvp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/salesforce/tough-cookie"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:tough-cookie:20170905"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/525"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101185"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in tough-cookie"
}

GHSA-G832-5583-WC79

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-11T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact that the PowerDNS server parses all records present in a query regardless of whether they are needed or even legitimate. A specially crafted query containing a large number of records can be used to take advantage of that behaviour.",
  "id": "GHSA-g832-5583-wc79",
  "modified": "2022-05-13T01:38:41Z",
  "published": "2022-05-13T01:38:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7068"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7068"
    },
    {
      "type": "WEB",
      "url": "https://doc.powerdns.com/md/security/powerdns-advisory-2016-02"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3763"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8J3-2RCP-JRHM

Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2021-12-16 00:02
VLAI
Details

A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands",
  "id": "GHSA-g8j3-2rcp-jrhm",
  "modified": "2021-12-16T00:02:46Z",
  "published": "2021-12-14T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39938"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39938.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/344873"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G8M5-722R-8WHQ

Vulnerability from github – Published: 2024-10-14 21:08 – Updated: 2025-11-03 22:49
VLAI
Summary
Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
Details

Impact

Remote DOS attack can cause out of memory

Description

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

Affected Versions

  • Jetty 12.0.0-12.0.8 (Supported)
  • Jetty 11.0.0-11.0.23 (EOL)
  • Jetty 10.0.0-10.0.23 (EOL)
  • Jetty 9.3.12-9.4.55 (EOL)

Patched Versions

  • Jetty 12.0.9
  • Jetty 11.0.24
  • Jetty 10.0.24
  • Jetty 9.4.56

Workarounds

Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.

References

Jetty 12 - https://github.com/jetty/jetty.project/pull/11723

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.0.8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.23"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.23"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.55"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.3.12"
            },
            {
              "fixed": "9.4.56"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-14T21:08:38Z",
    "nvd_published_at": "2024-10-14T16:15:04Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nRemote DOS attack can cause out of memory \n\n### Description\nThere exists a security vulnerability in Jetty\u0027s `ThreadLimitHandler.getRemote()` which\ncan be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By\nrepeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the\nserver\u0027s memory.\n\n### Affected Versions\n\n* Jetty 12.0.0-12.0.8 (Supported)\n* Jetty 11.0.0-11.0.23 (EOL)\n* Jetty 10.0.0-10.0.23 (EOL)\n* Jetty 9.3.12-9.4.55 (EOL)\n\n### Patched Versions\n\n* Jetty 12.0.9\n* Jetty 11.0.24\n* Jetty 10.0.24\n* Jetty 9.4.56\n\n### Workarounds\n\nDo not use `ThreadLimitHandler`.  \nConsider use of `QoSHandler` instead to artificially limit resource utilization.\n\n### References\n\nJetty 12 - https://github.com/jetty/jetty.project/pull/11723",
  "id": "GHSA-g8m5-722r-8whq",
  "modified": "2025-11-03T22:49:11Z",
  "published": "2024-10-14T21:08:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/pull/11723"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jetty/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Eclipse Jetty\u0027s ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks"
}

GHSA-G8M9-2VR9-W7F7

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2022-10-13 12:00
VLAI
Details

In addAutomaticZenRule of ZenModeHelper.java, there is a possible permanent degradation of performance due to resource exhaustion. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-235823407

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20425"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In addAutomaticZenRule of ZenModeHelper.java, there is a possible permanent degradation of performance due to resource exhaustion. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-235823407",
  "id": "GHSA-g8m9-2vr9-w7f7",
  "modified": "2022-10-13T12:00:26Z",
  "published": "2022-10-12T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20425"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-10-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8P2-H5RV-CRGP

Vulnerability from github – Published: 2023-06-12 18:30 – Updated: 2024-04-04 04:43
VLAI
Details

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-12T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms",
  "id": "GHSA-g8p2-h5rv-crgp",
  "modified": "2024-04-04T04:43:27Z",
  "published": "2023-06-12T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35053"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.