CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-HV3W-M4G2-5X77
Vulnerability from github – Published: 2026-04-06 18:00 – Updated: 2026-06-08 19:51Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.
An unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new asyncio.Task and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.312.2"
},
"package": {
"ecosystem": "PyPI",
"name": "strawberry-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.312.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35526"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T18:00:29Z",
"nvd_published_at": "2026-04-07T16:16:28Z",
"severity": "HIGH"
},
"details": "Strawberry GraphQL\u0027s WebSocket subscription handlers for both the `graphql-transport-ws` and legacy `graphql-ws` protocols allocate an `asyncio.Task` and associated `Operation` object for every incoming subscribe message without enforcing any limit on the number of active subscriptions per connection.\n\nAn unauthenticated attacker can open a single WebSocket connection, send connection_init, and then flood subscribe messages with unique IDs. Each message unconditionally spawns a new `asyncio.Task` and async generator, causing linear memory growth and event loop saturation. This leads to server degradation or an OOM crash.",
"id": "GHSA-hv3w-m4g2-5x77",
"modified": "2026-06-08T19:51:02Z",
"published": "2026-04-06T18:00:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-hv3w-m4g2-5x77"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35526"
},
{
"type": "WEB",
"url": "https://github.com/strawberry-graphql/strawberry/commit/0977a4e6b41b7cfe3e9d8ba84a43458a2b0c54c2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/strawberry-graphql/PYSEC-2026-134.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/strawberry-graphql/strawberry"
},
{
"type": "WEB",
"url": "https://github.com/strawberry-graphql/strawberry/releases/tag/0.312.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions"
}
GHSA-HV4V-FPRG-G23Q
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable vulnerability exists in the user photo update functionality of Circle with Disney running firmware 2.0.1. A repeated set of specially crafted API calls can cause the device to corrupt essential memory, resulting in a bricked device. An attacker needs network connectivity to the device to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2017-2884"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-07T16:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable vulnerability exists in the user photo update functionality of Circle with Disney running firmware 2.0.1. A repeated set of specially crafted API calls can cause the device to corrupt essential memory, resulting in a bricked device. An attacker needs network connectivity to the device to trigger this vulnerability.",
"id": "GHSA-hv4v-fprg-g23q",
"modified": "2022-05-13T01:01:16Z",
"published": "2022-05-13T01:01:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2884"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0391"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HV68-PMFF-63FX
Vulnerability from github – Published: 2023-09-12 18:30 – Updated: 2024-04-04 07:38DHCP Server Service Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-38162"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-12T17:15:23Z",
"severity": "HIGH"
},
"details": "DHCP Server Service Denial of Service Vulnerability",
"id": "GHSA-hv68-pmff-63fx",
"modified": "2024-04-04T07:38:13Z",
"published": "2023-09-12T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38162"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HV89-W63P-3MF5
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2023-05-22 21:30A vulnerability in the WLAN Local Profiling feature of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect parsing of HTTP packets while performing HTTP-based endpoint device classifications. An attacker could exploit this vulnerability by sending a crafted HTTP packet to an affected device. A successful exploit could cause an affected device to reboot, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2020-3428"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-24T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the WLAN Local Profiling feature of Cisco IOS XE Wireless Controller Software for the Cisco Catalyst 9000 Family could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to incorrect parsing of HTTP packets while performing HTTP-based endpoint device classifications. An attacker could exploit this vulnerability by sending a crafted HTTP packet to an affected device. A successful exploit could cause an affected device to reboot, resulting in a DoS condition.",
"id": "GHSA-hv89-w63p-3mf5",
"modified": "2023-05-22T21:30:17Z",
"published": "2022-05-24T17:29:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3428"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dclass-dos-VKh9D8k3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVCG-52HQ-RGF5
Vulnerability from github – Published: 2022-05-17 02:26 – Updated: 2022-05-17 02:26An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. The issue involves the "EventKitUI" component. It allows remote attackers to cause a denial of service (resource consumption and application crash).
{
"affected": [],
"aliases": [
"CVE-2017-7007"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-20T16:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. The issue involves the \"EventKitUI\" component. It allows remote attackers to cause a denial of service (resource consumption and application crash).",
"id": "GHSA-hvcg-52hq-rgf5",
"modified": "2022-05-17T02:26:55Z",
"published": "2022-05-17T02:26:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7007"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT207923"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99891"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVJM-8776-HW2Q
Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2022-10-04 00:00An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.
{
"affected": [],
"aliases": [
"CVE-2022-41844"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-30T05:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.",
"id": "GHSA-hvjm-8776-hw2q",
"modified": "2022-10-04T00:00:19Z",
"published": "2022-10-01T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41844"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=1\u0026t=42340\u0026p=43928\u0026hilit=gfseek#p43928"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=42308\u0026p=43844\u0026hilit=XRef%3A%3Afetch#p43844"
},
{
"type": "WEB",
"url": "http://www.xpdfreader.com/download.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HVQC-PC78-X9WH
Vulnerability from github – Published: 2021-08-25 20:53 – Updated: 2023-06-13 20:30VendorInfo::as_string(), SoCVendorBrand::as_string(), and ExtendedFunctionInfo::processor_brand_string() construct byte slices using std::slice::from_raw_parts(), with data coming from #[repr(Rust)] structs. This is always undefined behavior. This flaw has been fixed in v9.0.0, by making the relevant structs #[repr(C)].
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "raw-cpuid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26306"
],
"database_specific": {
"cwe_ids": [
"CWE-198",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:02:19Z",
"nvd_published_at": "2021-01-29T03:15:00Z",
"severity": "HIGH"
},
"details": "VendorInfo::as_string(), SoCVendorBrand::as_string(), and ExtendedFunctionInfo::processor_brand_string() construct byte slices using std::slice::from_raw_parts(), with data coming from #[repr(Rust)] structs. This is always undefined behavior.\nThis flaw has been fixed in v9.0.0, by making the relevant structs #[repr(C)].",
"id": "GHSA-hvqc-pc78-x9wh",
"modified": "2023-06-13T20:30:27Z",
"published": "2021-08-25T20:53:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26306"
},
{
"type": "WEB",
"url": "https://github.com/gz/rust-cpuid/issues/40"
},
{
"type": "WEB",
"url": "https://github.com/RustSec/advisory-db/pull/614"
},
{
"type": "PACKAGE",
"url": "https://github.com/gz/rust-cpuid"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Soundness issue in raw-cpuid"
}
GHSA-HVW7-225W-4GX2
Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-05-22 00:00Uncontrolled Resource Consumption in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.
{
"affected": [],
"aliases": [
"CVE-2022-1699"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-12T16:15:00Z",
"severity": "HIGH"
},
"details": "Uncontrolled Resource Consumption in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.",
"id": "GHSA-hvw7-225w-4gx2",
"modified": "2022-05-22T00:00:33Z",
"published": "2022-05-13T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1699"
},
{
"type": "WEB",
"url": "https://github.com/causefx/organizr/commit/e4b4cff66c526f7b5bbaef0073c92c315c29bd56"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3024b2bb-50ca-46a2-85db-1cc916791cda"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HW29-37G4-33VR
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10Uncontrolled resource consumption in firmware for Intel(R) Ethernet Adapters 800 Series Controllers and associated adapters before version 1.5.3.0 may allow privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2021-0008"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T13:15:00Z",
"severity": "MODERATE"
},
"details": "Uncontrolled resource consumption in firmware for Intel(R) Ethernet Adapters 800 Series Controllers and associated adapters before version 1.5.3.0 may allow privileged user to potentially enable denial of service via local access.",
"id": "GHSA-hw29-37g4-33vr",
"modified": "2022-05-24T19:10:43Z",
"published": "2022-05-24T19:10:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0008"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210827-0009"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00479.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HW5W-QHP3-88F5
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-10 18:30A vulnerability in the DNS functionality of Cisco Nexus Dashboard Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of DNS requests. An attacker could exploit this vulnerability by sending a continuous stream of DNS requests to an affected device. A successful exploit could allow the attacker to cause the coredns service to stop working or cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2023-20014"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the DNS functionality of Cisco Nexus Dashboard Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of DNS requests. An attacker could exploit this vulnerability by sending a continuous stream of DNS requests to an affected device. A successful exploit could allow the attacker to cause the coredns service to stop working or cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-hw5w-qhp3-88f5",
"modified": "2023-03-10T18:30:23Z",
"published": "2023-03-01T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20014"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-dnsdos-bYscZOsu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.