Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-HQXG-HW83-HJ3R

Vulnerability from github – Published: 2025-11-25 21:32 – Updated: 2025-11-26 00:30
VLAI
Details

An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing a denial of service to the server or the downstream users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-25T21:15:55Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Veal98 Echo Open-Source Community System 2.2 thru 2.3 allowing an unauthenticated attacker to cause the server to send email verification messages to arbitrary users via the /sendEmailCodeForResetPwd endpoint potentially causing a denial of service to the server or the downstream users.",
  "id": "GHSA-hqxg-hw83-hj3r",
  "modified": "2025-11-26T00:30:26Z",
  "published": "2025-11-25T21:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51741"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Paxsizy/9d92e8746778cf0926705d89b4f3618c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Veal98/Echo"
    },
    {
      "type": "WEB",
      "url": "http://echo.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HR4F-6JH8-F2VQ

Vulnerability from github – Published: 2023-10-18 18:25 – Updated: 2023-10-25 17:00
VLAI
Summary
OpenFGA DoS vulnerability
Details

Overview

OpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.

Fix

Upgrade to v1.3.4. This upgrade is backwards compatible.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openfga/openfga"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-18T18:25:58Z",
    "nvd_published_at": "2023-10-17T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "## Overview\nOpenFGA is vulnerable to a DoS attack. When a number of ListObjects calls are executed, in some scenarios, those calls are not releasing resources even after a response has been sent, and the service as a whole becomes unresponsive.\n\n## Fix\nUpgrade to v1.3.4. This upgrade is backwards compatible.",
  "id": "GHSA-hr4f-6jh8-f2vq",
  "modified": "2023-10-25T17:00:16Z",
  "published": "2023-10-18T18:25:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/security/advisories/GHSA-hr4f-6jh8-f2vq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45810"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openfga/openfga"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openfga/openfga/releases/tag/v1.3.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenFGA DoS vulnerability"
}

GHSA-HR7V-M862-8HH8

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-11-04 00:30
VLAI
Details

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-835"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-04T19:15:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
  "id": "GHSA-hr7v-m862-8hh8",
  "modified": "2025-11-04T00:30:31Z",
  "published": "2022-05-24T22:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/25916"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/26503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/ea9327036680acc92d9f89eaf6f6a54d2f8d78d9"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue44022"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995162"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python/cpython"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220407-0009"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2021-3737"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HR85-6MV6-MCM7

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

An authenticated attacker with administrator rights Bosch IP cameras can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated attacker with administrator rights Bosch IP cameras can call an URL with an invalid parameter that causes the camera to become unresponsive for a few seconds and cause a Denial of Service (DoS).",
  "id": "GHSA-hr85-6mv6-mcm7",
  "modified": "2022-05-24T19:04:33Z",
  "published": "2022-05-24T19:04:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23852"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/bosch-sa-478243-bt.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HRFH-7J5F-8CCR

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2025-04-02 23:10
VLAI
Summary
Pivotal RabbitMQ is vulnerable to a denial of service attack
Details

Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Hex",
        "name": "RabbitMQ"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0"
            },
            {
              "fixed": "1.17.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11287"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T11:48:49Z",
    "nvd_published_at": "2019-11-23T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The \"X-Reason\" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.",
  "id": "GHSA-hrfh-7j5f-8ccr",
  "modified": "2025-04-02T23:10:37Z",
  "published": "2022-05-24T17:01:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11287"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-11287-DoS%20via%20Heap%20Overflow-RabbitMQ%20Web%20Management%20Plugin"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rabbitmq/rabbitmq-server"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EEQ6O7PMNJKYFMQYHAB55L423GYK63SO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYTGR3D5FW2O25RXZOTIZMOD2HAUVBE4"
    },
    {
      "type": "WEB",
      "url": "https://pivotal.io/security/cve-2019-11287"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pivotal RabbitMQ is vulnerable to a denial of service attack"
}

GHSA-HRFV-MQP8-Q5RW

Vulnerability from github – Published: 2023-10-25 14:22 – Updated: 2026-05-20 22:21
VLAI
Summary
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
Details

Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Werkzeug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Werkzeug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0rc1"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T14:22:59Z",
    "nvd_published_at": "2023-10-25T18:17:36Z",
    "severity": "MODERATE"
  },
  "details": "Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That\u0027s why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.\n\nThis allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.",
  "id": "GHSA-hrfv-mqp8-q5rw",
  "modified": "2026-05-20T22:21:18Z",
  "published": "2023-10-25T14:22:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46136"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pallets/werkzeug"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231124-0008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning"
}

GHSA-HRJ2-4HPM-CJW9

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-11-16 12:00
VLAI
Details

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-27T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.",
  "id": "GHSA-hrj2-4hpm-cjw9",
  "modified": "2022-11-16T12:00:19Z",
  "published": "2022-05-24T17:24:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7016"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HRM6-3G2J-QPVX

Vulnerability from github – Published: 2025-11-13 00:30 – Updated: 2025-11-13 00:30
VLAI
Details

The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7326"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-12T22:15:42Z",
    "severity": "HIGH"
  },
  "details": "The Epson Stylus SX510W embedded web management service fails to properly handle consecutive ampersand characters in query parameters when accessing /PRESENTATION/HTML/TOP/INDEX.HTML. A remote attacker can send a malformed request that triggers improper input parsing or memory handling, resulting in the printer process shutting down or powering off, causing a denial of service condition.",
  "id": "GHSA-hrm6-3g2j-qpvx",
  "modified": "2025-11-13T00:30:17Z",
  "published": "2025-11-13T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7326"
    },
    {
      "type": "WEB",
      "url": "https://www.epson.eu/en_EU/support/sc/epson-stylus-sx510w/s/s837"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51441"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/epson-stylus-printer-remote-power-off-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HRR4-3WGR-68X3

Vulnerability from github – Published: 2026-02-04 00:14 – Updated: 2026-02-05 00:37
VLAI
Summary
Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints
Details

Summary

Authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.

If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well.

Details

Both /rest/getCoverArt and /share/img/<token> accept a size parameter that is passed directly into the image processing routine without any upper bound validation. When a very large integer is provided, Navidrome attempts to generate a resized image of that size. This leads to excessive memory allocation inside the image resizing path.

In the /rest/getCoverArt handler, the value is read as:

size := p.IntOr("size", 0)
imgReader, lastUpdate, err := api.artwork.GetOrPlaceholder(ctx, id, size, square)

Because no limit is enforced, the image subsystem receives the supplied value as-is. When the requested size is extremely large, the process consumes large amounts of RAM until it is killed by the kernel's OOM killer. If the system has enough available memory to complete the resize operation, the resulting oversized image is then written to Navidrome's cache directory, which can quickly fill the server's disk.

The same behavior is reachable through /share/img/<token> as long as the attacker possesses a valid sharing token.

PoC

  1. Authenticate normally to obtain access to /rest/getCoverArt or a valid sharing link containing a /share/img/<token> URL.
  2. Send a regular request with a small size value, for example:
/rest/getCoverArt?...&size=300&square=true
  1. Replace the size parameter with a very large number, such as:
/rest/getCoverArt?...&size=300000&square=true
  1. The server rapidly allocates memory while attempting to create an oversized image. This leads to the Navidrome process being terminated by the OOM killer.
  2. The same behavior can be reproduced with a valid shared-image link:
/share/img/<token>?size=300000&square=true

If the system does not run out of memory, the oversized resized image is written to the cache directory, causing disk usage to grow quickly.

Impact

Supplying an excessively large size parameter to /rest/getCoverArt or /share/img/<token> allows any authenticated user to trigger a Denial of Service condition. During image resizing, the server attempts to allocate extremely large amounts of memory, which can cause not only Navidrome itself to be terminated by the OOM killer, but in some configurations may also destabilize or crash the entire host system.

On systems with sufficient memory, the oversized resized images are written to Navidrome's cache directory instead, allowing an attacker to rapidly consume all available disk space. This leads to a second form of Denial of Service, where the host becomes unable to write logs, operate dependent services, or perform basic system tasks due to storage exhaustion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/navidrome/navidrome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.60.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T00:14:02Z",
    "nvd_published_at": "2026-02-04T22:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAuthenticated users can crash the Navidrome server by supplying an excessively large `size` parameter to `/rest/getCoverArt` or to a shared-image URL (`/share/img/\u003ctoken\u003e`). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage.\n\nIf the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well.\n\n### Details\nBoth `/rest/getCoverArt` and `/share/img/\u003ctoken\u003e` accept a `size` parameter that is passed directly into the image processing routine without any upper bound validation. When a very large integer is provided, Navidrome attempts to generate a resized image of that size. This leads to excessive memory allocation inside the image resizing path.\n\nIn the `/rest/getCoverArt` handler, the value is read as:\n\n```go\nsize := p.IntOr(\"size\", 0)\nimgReader, lastUpdate, err := api.artwork.GetOrPlaceholder(ctx, id, size, square)\n```\n\nBecause no limit is enforced, the image subsystem receives the supplied value as-is. When the requested size is extremely large, the process consumes large amounts of RAM until it is killed by the kernel\u0027s OOM killer. If the system has enough available memory to complete the resize operation, the resulting oversized image is then written to Navidrome\u0027s cache directory, which can quickly fill the server\u0027s disk.\n\nThe same behavior is reachable through `/share/img/\u003ctoken\u003e` as long as the attacker possesses a valid sharing token.\n\n### PoC\n1. Authenticate normally to obtain access to `/rest/getCoverArt` or a valid sharing link containing a `/share/img/\u003ctoken\u003e` URL.\n2. Send a regular request with a small size value, for example:\n\n```\n/rest/getCoverArt?...\u0026size=300\u0026square=true\n```\n\n3. Replace the `size` parameter with a very large number, such as:\n\n```\n/rest/getCoverArt?...\u0026size=300000\u0026square=true\n```\n\n4. The server rapidly allocates memory while attempting to create an oversized image. This leads to the Navidrome process being terminated by the OOM killer.\n5. The same behavior can be reproduced with a valid shared-image link:\n\n```\n/share/img/\u003ctoken\u003e?size=300000\u0026square=true\n```\n\nIf the system does not run out of memory, the oversized resized image is written to the cache directory, causing disk usage to grow quickly.\n\n### Impact\nSupplying an excessively large `size` parameter to `/rest/getCoverArt` or `/share/img/\u003ctoken\u003e` allows any authenticated user to trigger a Denial of Service condition. During image resizing, the server attempts to allocate extremely large amounts of memory, which can cause not only Navidrome itself to be terminated by the OOM killer, but in some configurations may also destabilize or crash the entire host system.\n\nOn systems with sufficient memory, the oversized resized images are written to Navidrome\u0027s cache directory instead, allowing an attacker to rapidly consume all available disk space. This leads to a second form of Denial of Service, where the host becomes unable to write logs, operate dependent services, or perform basic system tasks due to storage exhaustion.",
  "id": "GHSA-hrr4-3wgr-68x3",
  "modified": "2026-02-05T00:37:07Z",
  "published": "2026-02-04T00:14:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25579"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/navidrome/navidrome"
    },
    {
      "type": "WEB",
      "url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/\u003ctoken\u003e` endpoints"
}

GHSA-HRW6-9556-27W2

Vulnerability from github – Published: 2024-09-25 12:30 – Updated: 2026-01-05 21:30
VLAI
Details

When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing.

Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-25T11:15:12Z",
    "severity": "HIGH"
  },
  "details": "When multiple devices share resources and one of them is to be passed\nthrough to a guest, security of the entire system and of respective\nguests individually cannot really be guaranteed without knowing\ninternals of any of the involved guests.  Therefore such a configuration\ncannot really be security-supported, yet making that explicit was so far\nmissing.\n\nResources the sharing of which is known to be problematic include, but\nare not limited to\n- - PCI Base Address Registers (BARs) of multiple devices mapping to the\n  same page (4k on x86),\n- - INTx lines.",
  "id": "GHSA-hrw6-9556-27w2",
  "modified": "2026-01-05T21:30:26Z",
  "published": "2024-09-25T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31146"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-461.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/08/14/3"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-461.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.