CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-H5XR-379W-CHRW
Vulnerability from github – Published: 2023-06-02 18:30 – Updated: 2024-04-04 04:30If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112.
{
"affected": [],
"aliases": [
"CVE-2023-29544"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T17:15:12Z",
"severity": "MODERATE"
},
"details": "If multiple instances of resource exhaustion occurred at the incorrect time, the garbage collector could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox for Android \u003c 112, Firefox \u003c 112, and Focus for Android \u003c 112.",
"id": "GHSA-h5xr-379w-chrw",
"modified": "2024-04-04T04:30:46Z",
"published": "2023-06-02T18:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29544"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1818781"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2023-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H626-57VG-4VMQ
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:38emercoin through 0.7 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.
{
"affected": [],
"aliases": [
"CVE-2018-19152"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-05T21:15:00Z",
"severity": "HIGH"
},
"details": "emercoin through 0.7 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim\u0027s disk and RAM.",
"id": "GHSA-h626-57vg-4vmq",
"modified": "2024-04-04T02:38:02Z",
"published": "2022-05-24T17:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19152"
},
{
"type": "WEB",
"url": "https://medium.com/%40dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806"
},
{
"type": "WEB",
"url": "http://fc19.ifca.ai/preproceedings/180-preproceedings.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H665-FH45-XQ6R
Vulnerability from github – Published: 2026-05-12 15:31 – Updated: 2026-06-30 03:36An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.
{
"affected": [],
"aliases": [
"CVE-2026-42006"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-12T14:17:04Z",
"severity": "MODERATE"
},
"details": "An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass the limit. Using excessive bracing, attacker can cause memory usage up to configured memory limit. Install fixed version, or configure vsz_limit for imap process to low value. No publicly available exploits are known.",
"id": "GHSA-h665-fh45-xq6r",
"modified": "2026-06-30T03:36:39Z",
"published": "2026-05-12T15:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42006"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-42006"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476476"
},
{
"type": "WEB",
"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0002.json"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42006.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H6CH-V84P-W6P9
Vulnerability from github – Published: 2019-06-13 18:58 – Updated: 2021-02-24 19:27A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "diff"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-13T18:54:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.",
"id": "GHSA-h6ch-v84p-w6p9",
"modified": "2021-02-24T19:27:02Z",
"published": "2019-06-13T18:58:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552148"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:diff:20180305"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1631"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular Expression Denial of Service (ReDoS)"
}
GHSA-H6FG-HFP3-3883
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource consumption.
{
"affected": [],
"aliases": [
"CVE-2020-27722"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-24T16:15:00Z",
"severity": "MODERATE"
},
"details": "In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource consumption.",
"id": "GHSA-h6fg-hfp3-3883",
"modified": "2022-05-24T17:37:13Z",
"published": "2022-05-24T17:37:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27722"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K73657294"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H6M3-6R8W-2QQP
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:46An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.
{
"affected": [],
"aliases": [
"CVE-2019-20201"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-91"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-31T21:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_* functions mishandle XML entities, leading to an infinite loop in which memory allocations occur.",
"id": "GHSA-h6m3-6r8w-2qqp",
"modified": "2024-04-04T02:46:14Z",
"published": "2022-05-24T17:05:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20201"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/ezxml/bugs/16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6Q4-JV34-9RPM
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-03-04 15:31Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21181"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T18:15:29Z",
"severity": "HIGH"
},
"details": "Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability",
"id": "GHSA-h6q4-jv34-9rpm",
"modified": "2025-03-04T15:31:46Z",
"published": "2025-02-11T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21181"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21181"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-21181-denial-of-service-vulnerability-in-microsoft-message-queuing-detection-script"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-21181-denial-of-service-vulnerability-in-microsoft-message-queuing-mitigation-script"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6RH-598H-XCW9
Vulnerability from github – Published: 2022-10-20 12:00 – Updated: 2022-10-24 19:00In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests.
{
"affected": [],
"aliases": [
"CVE-2022-41770"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T22:15:00Z",
"severity": "MODERATE"
},
"details": "In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests.",
"id": "GHSA-h6rh-598h-xcw9",
"modified": "2022-10-24T19:00:26Z",
"published": "2022-10-20T12:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41770"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K22505850"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6RJ-3M53-887H
Vulnerability from github – Published: 2026-04-06 22:54 – Updated: 2026-04-06 22:54Impact
Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages.
Additionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.
This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.
This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.
This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
PoC
-
Connect to the server using a custom client.
-
Send a Minecraft
LoginPacketcontaining an unexpected JSON property (e.g., invalid_key) within the ClientData. -
Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).
-
The server hits the
warnUndefinedJsonPropertyHandler, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.
A := make([]interface{}, 1)
ptr := &A
for i := 0; i < 500; i++ {
next := make([]interface{}, 1000)
(*ptr)[0] = next
ptr = &next
}
data := make([]int, 2000000)
for i := 0; i < 100; i++ {
data[i] = i
}
(*ptr)[0] = data
d.PlayFabID = A
Patches
The issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant var_export and limiting the length of the logged property name to 80 characters.
Workarounds
Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.
However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pocketmine/pocketmine-mp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.41.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T22:54:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nAttackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft `LoginPacket`, causing the server to generate very long log messages.\nAdditionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.\n\nThis may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.\n\nThis happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.\n\nThis vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.\n\n### PoC\n1. Connect to the server using a custom client.\n\n2. Send a Minecraft `LoginPacket` containing an unexpected JSON property (e.g., invalid_key) within the ClientData.\n\n3. Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).\n\n4. The server hits the `warnUndefinedJsonPropertyHandler`, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.\n\n```\nA := make([]interface{}, 1)\n\tptr := \u0026A\n\tfor i := 0; i \u003c 500; i++ {\n\t\tnext := make([]interface{}, 1000)\n\t\t(*ptr)[0] = next\n\t\tptr = \u0026next\n\t}\n\tdata := make([]int, 2000000)\n\tfor i := 0; i \u003c 100; i++ {\n\t\tdata[i] = i\n\t}\n\t(*ptr)[0] = data\n\td.PlayFabID = A\n ```\n\n### Patches\nThe issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant `var_export` and limiting the length of the logged property name to 80 characters.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn\u0027t have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.\n\nHowever, it\u0027s important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).",
"id": "GHSA-h6rj-3m53-887h",
"modified": "2026-04-06T22:54:03Z",
"published": "2026-04-06T22:54:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6rj-3m53-887h"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/pmmp/PocketMine-MP"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L288-L302"
},
{
"type": "WEB",
"url": "https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L333-L349"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket"
}
GHSA-H6RJ-8R3C-9GPJ
Vulnerability from github – Published: 2018-03-05 19:43 – Updated: 2022-04-25 22:38BSON injection vulnerability in the legal function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "bson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "bson"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-4412"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:39:12Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "BSON injection vulnerability in the legal function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.",
"id": "GHSA-h6rj-8r3c-9gpj",
"modified": "2022-04-25T22:38:49Z",
"published": "2018-03-05T19:43:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-4412"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/bson-ruby/commit/976da329ff03ecdfca3030eb6efe3c85e6db9999"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1229750"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h6rj-8r3c-9gpj"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb/bson-ruby"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bson/CVE-2015-4412.yml"
},
{
"type": "WEB",
"url": "https://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html"
},
{
"type": "WEB",
"url": "http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/06/06/3"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/75045"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "bson is vulnerable to denial of service due to incorrect regex validation"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.