Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-JX4R-QC68-XJR5

Vulnerability from github – Published: 2022-04-21 01:42 – Updated: 2024-04-23 09:30
VLAI
Details

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-20001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-11T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.",
  "id": "GHSA-jx4r-qc68-xjr5",
  "modified": "2024-04-23T09:30:46Z",
  "published": "2022-04-21T01:42:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-20001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/ssl-config-generator/issues/162"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf"
    },
    {
      "type": "WEB",
      "url": "https://dheatattack.com"
    },
    {
      "type": "WEB",
      "url": "https://dheatattack.gitlab.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Balasys/dheater"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/dheatattack/dheater"
    },
    {
      "type": "WEB",
      "url": "https://ieeexplore.ieee.org/document/10374117"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K83120834"
    },
    {
      "type": "WEB",
      "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration"
    },
    {
      "type": "WEB",
      "url": "https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange"
    },
    {
      "type": "WEB",
      "url": "https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol"
    },
    {
      "type": "WEB",
      "url": "https://www.suse.com/support/kb/doc/?id=000020510"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JX85-PCWQ-C9WC

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-28 00:00
VLAI
Details

An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted.",
  "id": "GHSA-jx85-pcwq-c9wc",
  "modified": "2022-05-28T00:00:21Z",
  "published": "2022-05-24T17:43:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22187"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22187.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/300452"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JX9P-PJG4-8CMJ

Vulnerability from github – Published: 2022-05-14 03:35 – Updated: 2022-05-14 03:35
VLAI
Details

Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eCNS210_TD V100R004C10, eSpace U1981 V200R003C30 have a DoS vulnerability caused by memory exhaustion in some Huawei products. For lacking of adequate input validation, attackers can craft and send some malformed messages to the target device to exhaust the memory of the device and cause a Denial of Service (DoS).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-09T21:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C30, Secospace USG6500 V500R001C00, V500R001C20, V500R001C30, TE60 V100R001C01, V100R001C10, V100R003C00, V500R002C00, V600R006C00, TP3106 V100R001C06, V100R002C00, VP9660 V200R001C02, V200R001C30, V500R002C00, V500R002C10, ViewPoint 8660 V100R008C03, ViewPoint 9030 V100R011C02, V100R011C03, eCNS210_TD V100R004C10, eSpace U1981 V200R003C30 have a DoS vulnerability caused by memory exhaustion in some Huawei products. For lacking of adequate input validation, attackers can craft and send some malformed messages to the target device to exhaust the memory of the device and cause a Denial of Service (DoS).",
  "id": "GHSA-jx9p-pjg4-8cmj",
  "modified": "2022-05-14T03:35:06Z",
  "published": "2022-05-14T03:35:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15323"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171201-01-pse-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXG6-FHWC-9V9C

Vulnerability from github – Published: 2021-04-13 15:19 – Updated: 2021-03-23 19:29
VLAI
Summary
Regular Expression Denial of Service (ReDoS) in es6-crawler-detect
Details

This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "es6-crawler-detect"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-23T19:29:27Z",
    "nvd_published_at": "2021-03-22T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package es6-crawler-detect before 3.1.3. No limitation of user agent string length supplied to regex operators.",
  "id": "GHSA-jxg6-fhwc-9v9c",
  "modified": "2021-03-23T19:29:27Z",
  "published": "2021-04-13T15:19:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JefferyHus/es6-crawler-detect/pull/27"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ES6CRAWLERDETECT-1051529"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS) in es6-crawler-detect"
}

GHSA-JXHC-Q857-3J6G

Vulnerability from github – Published: 2021-07-12 16:58 – Updated: 2026-04-06 23:12
VLAI
Summary
Regular Expression Denial of Service in Addressable templates
Details

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

References

  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
  • https://cwe.mitre.org/data/definitions/1333.html
  • https://www.regular-expressions.info/catastrophic.html

For more information

If you have any questions or comments about this advisory: * Open an issue

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "addressable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-06T15:25:32Z",
    "nvd_published_at": "2021-07-06T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n\n### Patches\n\nThe vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.\n\n### Workarounds\n\nThe vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
  "id": "GHSA-jxhc-q857-3j6g",
  "modified": "2026-04-06T23:12:46Z",
  "published": "2021-07-12T16:58:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/89c76130ce255c601f642a018cb5fb5a80e679a7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/92685096b1f7235ed8986c03ce30a24972eed848#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2021-32740.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sporkmonger/addressable"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in Addressable templates"
}

GHSA-JXP3-8J73-7X4P

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

A vulnerability in telnetd service on Junos OS allows a remote attacker to cause a limited memory and/or CPU consumption denial of service attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D45; 12.3X48 prior to 12.3X48-D30; 14.1 prior to 14.1R4-S9, 14.1R8; 14.2 prior to 14.2R6; 15.1 prior to 15.1F5, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 prior to 15.1X53-D232, 15.1X53-D47.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-13T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in telnetd service on Junos OS allows a remote attacker to cause a limited memory and/or CPU consumption denial of service attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D45; 12.3X48 prior to 12.3X48-D30; 14.1 prior to 14.1R4-S9, 14.1R8; 14.2 prior to 14.2R6; 15.1 prior to 15.1F5, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 prior to 15.1X53-D232, 15.1X53-D47.",
  "id": "GHSA-jxp3-8j73-7x4p",
  "modified": "2022-05-13T01:38:22Z",
  "published": "2022-05-13T01:38:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10614"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10817"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXQQ-CQM6-PFQ9

Vulnerability from github – Published: 2018-07-24 20:06 – Updated: 2020-08-31 18:26
VLAI
Summary
Regular Expression Denial of Service in slug
Details

Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,

About 50k characters can block the event loop for 2 seconds.

Recommendation

Update to version 0.9.2 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "slug"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:44:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Affected versions of `slug` are vulnerable to a regular expression denial of service when parsing untrusted user input.\n\nThe issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,\n\nAbout 50k characters can block the event loop for 2 seconds.\n\n\n## Recommendation\n\nUpdate to version 0.9.2 or later.",
  "id": "GHSA-jxqq-cqm6-pfq9",
  "modified": "2020-08-31T18:26:54Z",
  "published": "2018-07-24T20:06:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dodo/node-slug/issues/82"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jxqq-cqm6-pfq9"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/537"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in slug"
}

GHSA-JXWC-XXJW-356X

Vulnerability from github – Published: 2026-04-02 21:32 – Updated: 2026-04-04 00:31
VLAI
Details

Hirschmann Industrial IT products contain a heap overflow vulnerability in the HiLCOS web interface that allows unauthenticated remote attackers to trigger a denial-of-service condition by sending specially crafted requests to the web interface. Attackers can exploit this heap overflow to crash the affected device and cause service disruption, particularly in configurations where the Public Spot functionality is enabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-14033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-02T21:16:39Z",
    "severity": "HIGH"
  },
  "details": "Hirschmann Industrial IT products contain a heap overflow vulnerability in the HiLCOS web interface that allows unauthenticated remote attackers to trigger a denial-of-service condition by sending specially crafted requests to the web interface. Attackers can exploit this heap overflow to crash the affected device and cause service disruption, particularly in configurations where the Public Spot functionality is enabled.",
  "id": "GHSA-jxwc-xxjw-356x",
  "modified": "2026-04-04T00:31:25Z",
  "published": "2026-04-02T21:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-14033"
    },
    {
      "type": "WEB",
      "url": "https://assets.belden.com/m/774d24c02be5c220/original/Belden_Security_Bulletin_BSECV-2024-16.pdf"
    },
    {
      "type": "WEB",
      "url": "https://ssd-disclosure.com/ssd-advisory-lancom-lcos-heap-overflow"
    },
    {
      "type": "WEB",
      "url": "https://www.belden.com/security"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hirschmann-industrial-it-hilcos-heap-overflow-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JXWX-85VP-GVWM

Vulnerability from github – Published: 2021-01-13 18:21 – Updated: 2023-08-31 18:34
VLAI
Summary
Regular Expression Denial of Service in jquery-validation
Details

The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery-validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.19.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "jQuery.Validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.19.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-13T18:21:42Z",
    "nvd_published_at": "2021-01-13T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The GitHub Security Lab team has identified potential security vulnerabilities in jquery.validation.\n\nThe project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)\n\nThis issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).",
  "id": "GHSA-jxwx-85vp-gvwm",
  "modified": "2023-08-31T18:34:36Z",
  "published": "2021-01-13T18:21:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/pull/2371"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/commit/5d8f29eef363d043a8fec4eb86d42cadb5fa5f7d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jquery-validation/jquery-validation"
    },
    {
      "type": "WEB",
      "url": "https://jqueryvalidation.org/#installation-via-package-managers"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210219-0005"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-294-redos-jquery-validation"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/jquery-validation"
    },
    {
      "type": "WEB",
      "url": "https://www.nuget.org/packages/jquery.validation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in jquery-validation"
}

GHSA-JXXR-4GWJ-5JF2

Vulnerability from github – Published: 2026-05-18 16:22 – Updated: 2026-06-09 10:32
VLAI
Summary
brace-expansion: Large numeric range defeats documented `max` DoS protection
Details

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

Workaround

Ensure the string to be expanded doesn't contain more values than the desired max item count.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T16:22:01Z",
    "nvd_published_at": "2026-05-29T20:16:25Z",
    "severity": "MODERATE"
  },
  "details": "The `max` option was being applied too late:\n\nWhen expanding a single large numeric range like `{1..10000000}`, the sequence generation loop generates all 10 million intermediate elements before the `max` limit is applied With `max=10`, the output is correctly limited to 10 items, but the process still allocates `~505 MB` and spends `~800ms` building the full intermediate array.\n\n### Workaround\n\nEnsure the string to be expanded doesn\u0027t contain more values than the desired `max` item count.",
  "id": "GHSA-jxxr-4gwj-5jf2",
  "modified": "2026-06-09T10:32:28Z",
  "published": "2026-05-18T16:22:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45149"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juliangruber/brace-expansion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "brace-expansion: Large numeric range defeats documented `max` DoS protection"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.