CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-JX4R-QC68-XJR5
Vulnerability from github – Published: 2022-04-21 01:42 – Updated: 2024-04-23 09:30The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.
{
"affected": [],
"aliases": [
"CVE-2002-20001"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-11T19:15:00Z",
"severity": "HIGH"
},
"details": "The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.",
"id": "GHSA-jx4r-qc68-xjr5",
"modified": "2024-04-23T09:30:46Z",
"published": "2022-04-21T01:42:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-20001"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/ssl-config-generator/issues/162"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
},
{
"type": "WEB",
"url": "https://dheatattack.com"
},
{
"type": "WEB",
"url": "https://dheatattack.gitlab.io"
},
{
"type": "WEB",
"url": "https://github.com/Balasys/dheater"
},
{
"type": "WEB",
"url": "https://gitlab.com/dheatattack/dheater"
},
{
"type": "WEB",
"url": "https://ieeexplore.ieee.org/document/10374117"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K83120834"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
},
{
"type": "WEB",
"url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange"
},
{
"type": "WEB",
"url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
},
{
"type": "WEB",
"url": "https://www.suse.com/support/kb/doc/?id=000020510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JX85-PCWQ-C9WC
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-28 00:00An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.
{
"affected": [],
"aliases": [
"CVE-2021-22187"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.",
"id": "GHSA-jx85-pcwq-c9wc",
"modified": "2022-05-28T00:00:21Z",
"published": "2022-05-24T17:43:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22187"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22187.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/300452"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JX9P-PJG4-8CMJ
Vulnerability from github – Published: 2022-05-14 03:35 – Updated: 2022-05-14 03:35Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eCNS210_TD V100R004C10, eSpace U1981 V200R003C30 have a DoS vulnerability caused by memory exhaustion in some Huawei products. For lacking of adequate input validation, attackers can craft and send some malformed messages to the target device to exhaust the memory of the device and cause a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2017-15323"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-09T21:29:00Z",
"severity": "MODERATE"
},
"details": "Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eCNS210_TD V100R004C10, eSpace U1981 V200R003C30 have a DoS vulnerability caused by memory exhaustion in some Huawei products. For lacking of adequate input validation, attackers can craft and send some malformed messages to the target device to exhaust the memory of the device and cause a Denial of Service (DoS).",
"id": "GHSA-jx9p-pjg4-8cmj",
"modified": "2022-05-14T03:35:06Z",
"published": "2022-05-14T03:35:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15323"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171201-01-pse-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXG6-FHWC-9V9C
Vulnerability from github – Published: 2021-04-13 15:19 – Updated: 2021-03-23 19:29This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "es6-crawler-detect"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28501"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-23T19:29:27Z",
"nvd_published_at": "2021-03-22T12:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.",
"id": "GHSA-jxg6-fhwc-9v9c",
"modified": "2021-03-23T19:29:27Z",
"published": "2021-04-13T15:19:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28501"
},
{
"type": "WEB",
"url": "https://github.com/JefferyHus/es6-crawler-detect/pull/27"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ES6CRAWLERDETECT-1051529"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDoS) in es6-crawler-detect"
}
GHSA-JXHC-Q857-3J6G
Vulnerability from github – Published: 2021-07-12 16:58 – Updated: 2026-04-06 23:12Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.
Patches
The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.
Workarounds
The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
References
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
- https://www.regular-expressions.info/catastrophic.html
For more information
If you have any questions or comments about this advisory: * Open an issue
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "addressable"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32740"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-06T15:25:32Z",
"nvd_published_at": "2021-07-06T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n\n### Patches\n\nThe vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.\n\n### Workarounds\n\nThe vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
"id": "GHSA-jxhc-q857-3j6g",
"modified": "2026-04-06T23:12:46Z",
"published": "2021-07-12T16:58:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/89c76130ce255c601f642a018cb5fb5a80e679a7"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/92685096b1f7235ed8986c03ce30a24972eed848#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2021-32740.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sporkmonger/addressable"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in Addressable templates"
}
GHSA-JXP3-8J73-7X4P
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38A vulnerability in telnetd service on Junos OS allows a remote attacker to cause a limited memory and/or CPU consumption denial of service attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D45; 12.3X48 prior to 12.3X48-D30; 14.1 prior to 14.1R4-S9, 14.1R8; 14.2 prior to 14.2R6; 15.1 prior to 15.1F5, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 prior to 15.1X53-D232, 15.1X53-D47.
{
"affected": [],
"aliases": [
"CVE-2017-10614"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-13T17:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in telnetd service on Junos OS allows a remote attacker to cause a limited memory and/or CPU consumption denial of service attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D45; 12.3X48 prior to 12.3X48-D30; 14.1 prior to 14.1R4-S9, 14.1R8; 14.2 prior to 14.2R6; 15.1 prior to 15.1F5, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 prior to 15.1X53-D232, 15.1X53-D47.",
"id": "GHSA-jxp3-8j73-7x4p",
"modified": "2022-05-13T01:38:22Z",
"published": "2022-05-13T01:38:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10614"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10817"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JXQQ-CQM6-PFQ9
Vulnerability from github – Published: 2018-07-24 20:06 – Updated: 2020-08-31 18:26Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.
The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,
About 50k characters can block the event loop for 2 seconds.
Recommendation
Update to version 0.9.2 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.1"
},
"package": {
"ecosystem": "npm",
"name": "slug"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16117"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:44:29Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of `slug` are vulnerable to a regular expression denial of service when parsing untrusted user input.\n\nThe issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,\n\nAbout 50k characters can block the event loop for 2 seconds.\n\n\n## Recommendation\n\nUpdate to version 0.9.2 or later.",
"id": "GHSA-jxqq-cqm6-pfq9",
"modified": "2020-08-31T18:26:54Z",
"published": "2018-07-24T20:06:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16117"
},
{
"type": "WEB",
"url": "https://github.com/dodo/node-slug/issues/82"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jxqq-cqm6-pfq9"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/537"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular Expression Denial of Service in slug"
}
GHSA-JXWC-XXJW-356X
Vulnerability from github – Published: 2026-04-02 21:32 – Updated: 2026-04-04 00:31Hirschmann Industrial IT products contain a heap overflow vulnerability in the HiLCOS web interface that allows unauthenticated remote attackers to trigger a denial-of-service condition by sending specially crafted requests to the web interface. Attackers can exploit this heap overflow to crash the affected device and cause service disruption, particularly in configurations where the Public Spot functionality is enabled.
{
"affected": [],
"aliases": [
"CVE-2024-14033"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T21:16:39Z",
"severity": "HIGH"
},
"details": "Hirschmann Industrial IT products contain a heap overflow vulnerability in the HiLCOS web interface that allows unauthenticated remote attackers to trigger a denial-of-service condition by sending specially crafted requests to the web interface. Attackers can exploit this heap overflow to crash the affected device and cause service disruption, particularly in configurations where the Public Spot functionality is enabled.",
"id": "GHSA-jxwc-xxjw-356x",
"modified": "2026-04-04T00:31:25Z",
"published": "2026-04-02T21:32:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-14033"
},
{
"type": "WEB",
"url": "https://assets.belden.com/m/774d24c02be5c220/original/Belden_Security_Bulletin_BSECV-2024-16.pdf"
},
{
"type": "WEB",
"url": "https://ssd-disclosure.com/ssd-advisory-lancom-lcos-heap-overflow"
},
{
"type": "WEB",
"url": "https://www.belden.com/security"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hirschmann-industrial-it-hilcos-heap-overflow-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JXWX-85VP-GVWM
Vulnerability from github – Published: 2021-01-13 18:21 – Updated: 2023-08-31 18:34The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation.
The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)
This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jquery-validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "jQuery.Validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21252"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-13T18:21:42Z",
"nvd_published_at": "2021-01-13T19:15:00Z",
"severity": "HIGH"
},
"details": "The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation.\n\nThe project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)\n\nThis issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).",
"id": "GHSA-jxwx-85vp-gvwm",
"modified": "2023-08-31T18:34:36Z",
"published": "2021-01-13T18:21:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21252"
},
{
"type": "WEB",
"url": "https://github.com/jquery-validation/jquery-validation/pull/2371"
},
{
"type": "WEB",
"url": "https://github.com/jquery-validation/jquery-validation/commit/5d8f29eef363d043a8fec4eb86d42cadb5fa5f7d"
},
{
"type": "PACKAGE",
"url": "https://github.com/jquery-validation/jquery-validation"
},
{
"type": "WEB",
"url": "https://jqueryvalidation.org/#installation-via-package-managers"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210219-0005"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-294-redos-jquery-validation"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/jquery-validation"
},
{
"type": "WEB",
"url": "https://www.nuget.org/packages/jquery.validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in jquery-validation"
}
GHSA-JXXR-4GWJ-5JF2
Vulnerability from github – Published: 2026-05-18 16:22 – Updated: 2026-06-09 10:32The max option was being applied too late:
When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.
Workaround
Ensure the string to be expanded doesn't contain more values than the desired max item count.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "brace-expansion"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45149"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T16:22:01Z",
"nvd_published_at": "2026-05-29T20:16:25Z",
"severity": "MODERATE"
},
"details": "The `max` option was being applied too late:\n\nWhen expanding a single large numeric range like `{1..10000000}`, the sequence generation loop generates all 10 million intermediate elements before the `max` limit is applied With `max=10`, the output is correctly limited to 10 items, but the process still allocates `~505 MB` and spends `~800ms` building the full intermediate array.\n\n### Workaround\n\nEnsure the string to be expanded doesn\u0027t contain more values than the desired `max` item count.",
"id": "GHSA-jxxr-4gwj-5jf2",
"modified": "2026-06-09T10:32:28Z",
"published": "2026-05-18T16:22:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
},
{
"type": "WEB",
"url": "https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/juliangruber/brace-expansion"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "brace-expansion: Large numeric range defeats documented `max` DoS protection"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.