CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-J268-C725-MVJ8
Vulnerability from github – Published: 2021-12-16 00:02 – Updated: 2022-05-24 00:00DirectX Graphics Kernel File Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-43219"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "DirectX Graphics Kernel File Denial of Service Vulnerability",
"id": "GHSA-j268-c725-mvj8",
"modified": "2022-05-24T00:00:48Z",
"published": "2021-12-16T00:02:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43219"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J26C-8P6M-GPFJ
Vulnerability from github – Published: 2026-03-27 09:31 – Updated: 2026-06-30 03:36Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.
{
"affected": [],
"aliases": [
"CVE-2026-27857"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-27T09:16:19Z",
"severity": "MODERATE"
},
"details": "Sending \"NOOP (((...)))\" command with 4000 parenthesis open+close results in ~1MB extra memory usage. Longer commands will result in client disconnection. This 1 MB can be left allocated for longer time periods by not sending the command ending LF. So attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Attacker could connect possibly from even a single IP and create 1000 connections to allocate 1 GB of memory, which would likely result in reaching VSZ limit and killing the process and its other proxied connections. Install fixed version, there is no other remediation. No publicly available exploits are known.",
"id": "GHSA-j26c-8p6m-gpfj",
"modified": "2026-06-30T03:36:03Z",
"published": "2026-03-27T09:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27857"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27857.json"
},
{
"type": "WEB",
"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452179"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-27857"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26564"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19453"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19364"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19149"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18053"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17630"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17628"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17626"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17625"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17602"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13857"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13830"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J26W-F9RQ-MR2Q
Vulnerability from github – Published: 2024-10-14 15:30 – Updated: 2025-11-03 21:31Description There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
Vulnerability details The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server. The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds. The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.
Impact Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.
Patches The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.
Patched releases:
- 9.4.54
- 10.0.18
- 11.0.18
- 12.0.3
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.ee10:jetty-ee10-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.ee8:jetty-ee8-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.ee9:jetty-ee9-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.4.54"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-servlets"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9823"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-14T21:14:31Z",
"nvd_published_at": "2024-10-14T15:15:14Z",
"severity": "MODERATE"
},
"details": "Description\nThere exists a security vulnerability in Jetty\u0027s DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server\u0027s memory finally.\n\n\nVulnerability details\nThe Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server. The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds. The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.\n\n\nImpact\nUsers of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.\n\n\nPatches\nThe DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.\n\n\nPatched releases:\n\n * 9.4.54\n * 10.0.18\n * 11.0.18\n * 12.0.3",
"id": "GHSA-j26w-f9rq-mr2q",
"modified": "2025-11-03T21:31:16Z",
"published": "2024-10-14T15:30:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9823"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/issues/1256"
},
{
"type": "PACKAGE",
"url": "https://github.com/jetty/jetty.project"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250306-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Eclipse Jetty has a denial of service vulnerability on DosFilter"
}
GHSA-J27P-HQ53-9WGC
Vulnerability from github – Published: 2026-02-18 00:51 – Updated: 2026-03-05 21:59Summary
URL-backed media fetch handling allocated the entire response payload in memory (arrayBuffer) before enforcing maxBytes, allowing oversized responses to cause memory exhaustion.
Affected Versions
openclaw(npm): <2026.2.14clawdbot(npm): <=2026.1.24-3
Patched Versions
openclaw(npm):2026.2.14
Fix Commit
openclaw/openclawmain:00a08908892d1743d1fc52e5cbd9499dd5da2fe0
Details
Affected component:
- src/media/input-files.ts (fetchWithGuard)
When content-length is missing or incorrect, reading the body via response.arrayBuffer() buffers the full payload before a size check can run.
Proof of Concept
- Configure URL-based media input.
- Serve a response larger than
maxBytes(chunked transfer / nocontent-length). - Trigger the
fetchWithGuardURL fetch path.
Example local server (large response):
node -e 'require("http").createServer((_,res)=>{res.writeHead(200,{"content-type":"application/octet-stream"});for(let i=0;i<1024;i++)res.write(Buffer.alloc(1024*64));res.end();}).listen(18888)'
Impact
Availability loss via memory pressure from attacker-controlled remote media responses.
Mitigation
Until a patched release is available, disable URL-backed media inputs (or restrict to a tight hostname allowlist) and use conservative maxBytes limits.
Credits
Reported by @vincentkoc.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29609"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:51:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nURL-backed media fetch handling allocated the entire response payload in memory (`arrayBuffer`) before enforcing `maxBytes`, allowing oversized responses to cause memory exhaustion.\n\n### Affected Versions\n- `openclaw` (npm): \u003c `2026.2.14`\n- `clawdbot` (npm): \u003c= `2026.1.24-3`\n\n### Patched Versions\n- `openclaw` (npm): `2026.2.14`\n\n### Fix Commit\n- `openclaw/openclaw` `main`: `00a08908892d1743d1fc52e5cbd9499dd5da2fe0`\n\n### Details\nAffected component:\n- `src/media/input-files.ts` (`fetchWithGuard`)\n\nWhen `content-length` is missing or incorrect, reading the body via `response.arrayBuffer()` buffers the full payload before a size check can run.\n\n### Proof of Concept\n1. Configure URL-based media input.\n2. Serve a response larger than `maxBytes` (chunked transfer / no `content-length`).\n3. Trigger the `fetchWithGuard` URL fetch path.\n\nExample local server (large response):\n```bash\nnode -e \u0027require(\"http\").createServer((_,res)=\u003e{res.writeHead(200,{\"content-type\":\"application/octet-stream\"});for(let i=0;i\u003c1024;i++)res.write(Buffer.alloc(1024*64));res.end();}).listen(18888)\u0027\n```\n\n### Impact\nAvailability loss via memory pressure from attacker-controlled remote media responses.\n\n### Mitigation\nUntil a patched release is available, disable URL-backed media inputs (or restrict to a tight hostname allowlist) and use conservative `maxBytes` limits.\n\n### Credits\nReported by @vincentkoc.",
"id": "GHSA-j27p-hq53-9wgc",
"modified": "2026-03-05T21:59:50Z",
"published": "2026-02-18T00:51:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw affected by denial of service via unbounded URL-backed media fetch"
}
GHSA-J2F2-FP4Q-V86P
Vulnerability from github – Published: 2023-11-15 00:31 – Updated: 2023-11-15 00:31Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.
{
"affected": [],
"aliases": [
"CVE-2023-45622"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T23:15:10Z",
"severity": "HIGH"
},
"details": "Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the BLE daemon service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities result in the ability to interrupt the normal operation of the affected access point.\n\n",
"id": "GHSA-j2f2-fp4q-v86p",
"modified": "2023-11-15T00:31:08Z",
"published": "2023-11-15T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45622"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-017.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2FC-V5XJ-H5GR
Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-03 21:30Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.
{
"affected": [],
"aliases": [
"CVE-2026-36605"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T18:16:21Z",
"severity": "MODERATE"
},
"details": "Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover.",
"id": "GHSA-j2fc-v5xj-h5gr",
"modified": "2026-06-03T21:30:29Z",
"published": "2026-06-03T18:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36605"
},
{
"type": "WEB",
"url": "https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36605.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J2MV-RMHW-VQ9M
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.
{
"affected": [],
"aliases": [
"CVE-2010-3858"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-11-30T21:38:00Z",
"severity": "MODERATE"
},
"details": "The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.",
"id": "GHSA-j2mv-rmhw-vq9m",
"modified": "2022-05-13T01:23:34Z",
"published": "2022-05-13T01:23:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3858"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=645222"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1b528181b2ffa14721fb28ad1bd539fe1732c583"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1b528181b2ffa14721fb28ad1bd539fe1732c583"
},
{
"type": "WEB",
"url": "http://grsecurity.net/~spender/64bit_dos.c"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42758"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42789"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46397"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-2126"
},
{
"type": "WEB",
"url": "http://www.exploit-db.com/exploits/15619"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.36"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:257"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/10/21/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2010/10/22/4"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0958.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0004.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/44301"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1041-1"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0024"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0070"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J2X4-HPHX-H7RG
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28Trend Micro Antivirus for Mac 2021 (Consumer) is vulnerable to a memory exhaustion vulnerability that could lead to disabling all the scanning functionality within the application.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability – i.e. the attacker must already have access to the target system (either legitimately or via another exploit).
{
"affected": [],
"aliases": [
"CVE-2021-25227"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-04T20:15:00Z",
"severity": "LOW"
},
"details": "Trend Micro Antivirus for Mac 2021 (Consumer) is vulnerable to a memory exhaustion vulnerability that could lead to disabling all the scanning functionality within the application.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability \u2013 i.e. the attacker must already have access to the target system (either legitimately or via another exploit).",
"id": "GHSA-j2x4-hphx-h7rg",
"modified": "2022-05-24T22:28:43Z",
"published": "2022-05-24T22:28:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25227"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10191"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-102"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J32J-2HXV-RQF7
Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2023-10-19 18:45pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.9"
},
"package": {
"ecosystem": "npm",
"name": "libpq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.0"
},
"package": {
"ecosystem": "npm",
"name": "pg-native"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25852"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-704"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-20T22:28:59Z",
"nvd_published_at": "2022-06-17T20:15:00Z",
"severity": "HIGH"
},
"details": "pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm\u0027s libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm\u0027s libpq.",
"id": "GHSA-j32j-2hxv-rqf7",
"modified": "2023-10-19T18:45:44Z",
"published": "2022-06-18T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25852"
},
{
"type": "WEB",
"url": "https://github.com/brianc/node-libpq/issues/84"
},
{
"type": "WEB",
"url": "https://github.com/brianc/node-libpq/pull/86"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-LIBPQ-2392366"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-PGNATIVE-2392365"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "pg-native and libpq vulnerable to uncontrolled resource consumption"
}
GHSA-J32X-J8PJ-PG2H
Vulnerability from github – Published: 2021-04-13 15:20 – Updated: 2021-03-22 22:36This affects all versions of package decal. The vulnerability is in the extend function.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "decal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28450"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-400",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-22T22:36:42Z",
"nvd_published_at": "2021-02-04T15:15:00Z",
"severity": "HIGH"
},
"details": "This affects all versions of package decal. The vulnerability is in the extend function.",
"id": "GHSA-j32x-j8pj-pg2h",
"modified": "2021-03-22T22:36:42Z",
"published": "2021-04-13T15:20:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28450"
},
{
"type": "WEB",
"url": "https://github.com/gigafied/decal.js/blob/master/src/utils/extend.js#L23-L56"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DECAL-1051028"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/decal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in decal"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.