CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-GWJ5-3VFQ-Q992
Vulnerability from github – Published: 2021-05-21 16:22 – Updated: 2021-05-20 21:07(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-28466.txt)
Problem Description
An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.
This issue was fixed publicly in https://github.com/nats-io/nats-server/pull/1731 in November 2020.
The need to call this out as a security issue was highlighted by snyk.io and we are grateful for their assistance in doing so.
Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected. See below for an important caveat if running such a service.
Affected versions
NATS Server
- Version 2 prior to 2.2.0
- 2.0.0 through and including 2.1.9 are vulnerable.
- fixed with nats-io/nats-server PR 1731, commit 2e3c226729
Impact
The nats-server could be killed, after consuming resources.
Workaround
The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.
Solution
Upgrade the nats-server.
Caveat on NATS with untrusted users
Running a NATS service which is exposed to untrusted users presents a heightened risk.
Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.
Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.
Those who are running such services are encouraged to build regularly from git.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T21:07:16Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "(This advisory is canonically \u003chttps://advisories.nats.io/CVE/CVE-2020-28466.txt\u003e)\n\n## Problem Description\n\nAn export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.\n\nThis issue was fixed publicly in \u003chttps://github.com/nats-io/nats-server/pull/1731\u003e in November 2020.\n\nThe need to call this out as a security issue was highlighted by `snyk.io` and we are grateful for their assistance in doing so.\n\nOrganizations which run a NATS service providing access to accounts run by untrusted third parties are affected.\nSee below for an important caveat if running such a service.\n\n\n## Affected versions\n\n#### NATS Server\n\n * Version 2 prior to 2.2.0\n + 2.0.0 through and including 2.1.9 are vulnerable.\n * fixed with nats-io/nats-server PR 1731, commit 2e3c226729\n\n\n## Impact\n\nThe nats-server could be killed, after consuming resources.\n\n\n## Workaround\n\nThe import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.\n\n\n## Solution\n\nUpgrade the nats-server.\n\n\n## Caveat on NATS with untrusted users\n\nRunning a NATS service which is exposed to untrusted users presents a heightened risk.\n\nAny remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.\n\nFixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.\n\nThose who are running such services are encouraged to build regularly from git.",
"id": "GHSA-gwj5-3vfq-q992",
"modified": "2021-05-20T21:07:16Z",
"published": "2021-05-21T16:22:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-gwj5-3vfq-q992"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Import loops in account imports, nats-server DoS"
}
GHSA-GWJ8-GFRJ-V979
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:38PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.
{
"affected": [],
"aliases": [
"CVE-2018-19156"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-05T21:15:00Z",
"severity": "HIGH"
},
"details": "PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim\u0027s disk.",
"id": "GHSA-gwj8-gfrj-v979",
"modified": "2024-04-04T02:38:07Z",
"published": "2022-05-24T17:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19156"
},
{
"type": "WEB",
"url": "https://medium.com/%40dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "http://fc19.ifca.ai/preproceedings/180-preproceedings.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWJV-QXVJ-5X3W
Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2025-03-19 18:30In Docker Desktop on Windows before v4.31.0 allows a user in the docker-users group to cause a Windows Denial-of-Service through the exec-path Docker daemon config option in Windows containers mode.
{
"affected": [],
"aliases": [
"CVE-2024-5652"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T17:15:48Z",
"severity": "MODERATE"
},
"details": "In Docker Desktop on Windows before v4.31.0\u00a0allows a user in the docker-users\u00a0group to cause a Windows Denial-of-Service through the exec-path\u00a0Docker daemon config option in Windows containers mode.",
"id": "GHSA-gwjv-qxvj-5x3w",
"modified": "2025-03-19T18:30:43Z",
"published": "2024-07-09T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5652"
},
{
"type": "WEB",
"url": "https://docs.docker.com/desktop/release-notes/#4310"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWM5-45CM-CG6V
Vulnerability from github – Published: 2022-12-07 06:30 – Updated: 2022-12-09 03:30Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.0.0 to 4.0.3 allows a remote authenticated attacker to consume huge storage space, which may result in a denial-of-service (DoS) condition.
{
"affected": [],
"aliases": [
"CVE-2022-44608"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-07T04:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled resource consumption vulnerability in Cybozu Remote Service 4.0.0 to 4.0.3 allows a remote authenticated attacker to consume huge storage space, which may result in a denial-of-service (DoS) condition.",
"id": "GHSA-gwm5-45cm-cg6v",
"modified": "2022-12-09T03:30:25Z",
"published": "2022-12-07T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44608"
},
{
"type": "WEB",
"url": "https://cs.cybozu.co.jp/2022/007754.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN87895771/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWPF-95JC-63RV
Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-17 01:01Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.6.0"
},
{
"fixed": "6.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.5.0"
},
{
"fixed": "6.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1982"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T01:01:48Z",
"nvd_published_at": "2022-06-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.",
"id": "GHSA-gwpf-95jc-63rv",
"modified": "2022-06-17T01:01:48Z",
"published": "2022-06-03T00:00:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1982"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost-server/pull/19988"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost-server"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in Mattermost server"
}
GHSA-GWPQ-C4HC-7QHJ
Vulnerability from github – Published: 2026-04-03 15:30 – Updated: 2026-04-08 21:33An issue in Dokuwiki v.2025-05-14b 'Librarian' allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file
{
"affected": [],
"aliases": [
"CVE-2026-26477"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T15:16:05Z",
"severity": "HIGH"
},
"details": "An issue in Dokuwiki v.2025-05-14b \u0027Librarian\u0027 allows a remote attacker to cause a denial of service via the media_upload_xhr() function in the media.php file",
"id": "GHSA-gwpq-c4hc-7qhj",
"modified": "2026-04-08T21:33:13Z",
"published": "2026-04-03T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26477"
},
{
"type": "WEB",
"url": "https://github.com/Hebing123/cve/issues/94"
},
{
"type": "WEB",
"url": "https://github.com/dokuwiki/dokuwiki/releases/tag/release-2025-05-14b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWVC-G4VV-PJX6
Vulnerability from github – Published: 2023-11-06 12:30 – Updated: 2023-11-06 12:30An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2023-5825"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T11:15:09Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service.",
"id": "GHSA-gwvc-g4vv-pjx6",
"modified": "2023-11-06T12:30:24Z",
"published": "2023-11-06T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5825"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2218566"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/428984"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GX65-CR2W-3VFM
Vulnerability from github – Published: 2022-05-14 03:44 – Updated: 2022-05-14 03:44Apport through 2.20.7 does not properly handle core dumps from setuid binaries allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1324.
{
"affected": [],
"aliases": [
"CVE-2017-14177"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-02T14:29:00Z",
"severity": "HIGH"
},
"details": "Apport through 2.20.7 does not properly handle core dumps from setuid binaries allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion or possibly gain root privileges. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1324.",
"id": "GHSA-gx65-cr2w-3vfm",
"modified": "2022-05-14T03:44:36Z",
"published": "2022-05-14T03:44:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14177"
},
{
"type": "WEB",
"url": "https://bazaar.launchpad.net/~apport-hackers/apport/trunk/revision/3171"
},
{
"type": "WEB",
"url": "https://launchpad.net/bugs/1726372"
},
{
"type": "WEB",
"url": "https://people.canonical.com/~ubuntu-security/cve/?cve=CVE-2017-14177"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/usn/usn-3480-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GX6C-PV62-9MCF
Vulnerability from github – Published: 2026-02-27 06:31 – Updated: 2026-03-02 21:39A weakness has been identified in Snowflake JDBC Driver up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.snowflake:snowflake-jdbc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3293"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-28T02:26:37Z",
"nvd_published_at": "2026-02-27T06:18:00Z",
"severity": "LOW"
},
"details": "A weakness has been identified in Snowflake JDBC Driver up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can lead to inefficient regular expression complexity. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 5fb0a8a318a2ed87f4022a1f56e742424ba94052. A patch should be applied to remediate this issue.",
"id": "GHSA-gx6c-pv62-9mcf",
"modified": "2026-03-02T21:39:59Z",
"published": "2026-02-27T06:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3293"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/issues/2505"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/issues/2505#issue-3951994646"
},
{
"type": "WEB",
"url": "https://github.com/snowflakedb/snowflake-jdbc/commit/5fb0a8a318a2ed87f4022a1f56e742424ba94052"
},
{
"type": "PACKAGE",
"url": "https://github.com/snowflakedb/snowflake-jdbc"
},
{
"type": "WEB",
"url": "https://snowflakecomputing.atlassian.net/browse/SNOW-3104251"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.348035"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.348035"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.760428"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Snowflake JDBC Driver is Vulnerable to Uncontrolled Resource Consumption through SdkProxyRoutePlanner"
}
GHSA-GX6W-HCW3-5R37
Vulnerability from github – Published: 2022-05-17 04:32 – Updated: 2024-10-14 21:25kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Plone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-5496"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-29T21:30:38Z",
"nvd_published_at": "2014-09-30T14:55:00Z",
"severity": "HIGH"
},
"details": "kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL.",
"id": "GHSA-gx6w-hcw3-5r37",
"modified": "2024-10-14T21:25:33Z",
"published": "2022-05-17T04:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5496"
},
{
"type": "PACKAGE",
"url": "https://github.com/plone/Plone"
},
{
"type": "WEB",
"url": "https://github.com/plone/Products.CMFPlone/blob/4.2.3/docs/CHANGES.txt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-38.yaml"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone/security/advisories/20121106/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Plone DoS via Crafted URL"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.