CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5417 vulnerabilities reference this CWE, most recent first.
GHSA-MMVP-2HG2-G76C
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29A vulnerability in Cisco Aironet Access Point (AP) Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper handling of clients that are trying to connect to the AP. An attacker could exploit this vulnerability by sending authentication requests from multiple clients to an affected device. A successful exploit could allow the attacker to cause the affected device to reload.
{
"affected": [],
"aliases": [
"CVE-2020-3559"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-24T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco Aironet Access Point (AP) Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to improper handling of clients that are trying to connect to the AP. An attacker could exploit this vulnerability by sending authentication requests from multiple clients to an affected device. A successful exploit could allow the attacker to cause the affected device to reload.",
"id": "GHSA-mmvp-2hg2-g76c",
"modified": "2022-05-24T17:29:30Z",
"published": "2022-05-24T17:29:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3559"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aironet-dos-h3DCuLXw"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MMWX-RJ87-VFGR
Vulnerability from github – Published: 2024-07-22 14:46 – Updated: 2024-11-18 16:26Impact
Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
Patches
Users should upgrade to dnsjava v3.6.0
Workarounds
Although not recommended, only using a non-validating resolver, will remove the vulnerability.
References
https://www.athene-center.de/en/keytrap
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "dnsjava:dnsjava"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.6.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jitsi:dnssecjava"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-22T14:46:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nUsers using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.\n\n### Patches\nUsers should upgrade to dnsjava v3.6.0\n\n### Workarounds\nAlthough not recommended, only using a non-validating resolver, will remove the vulnerability.\n\n### References\nhttps://www.athene-center.de/en/keytrap\n",
"id": "GHSA-mmwx-rj87-vfgr",
"modified": "2024-11-18T16:26:54Z",
"published": "2024-07-22T14:46:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868"
},
{
"type": "WEB",
"url": "https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-pv4h-p8jr-6cv2"
},
{
"type": "PACKAGE",
"url": "https://github.com/dnsjava/dnsjava"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources"
}
GHSA-MMXM-8W33-WC4H
Vulnerability from github – Published: 2025-08-20 20:52 – Updated: 2025-11-05 20:40Technical Details
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
MadeYouReset Vulnerability Summary
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.
Mechanism
The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). The vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are: 1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1) 2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it's possible a CONTINUATION frame to trigger that as well - but it's very rare). (Section 5.1) 3. PRIORITY frame with a length other than 5. (section 6.3) From our experience, the primitives are likely to exist in the decreasing order listed above. Note that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we’ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.
The vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. While the protocol does not count those streams as active, the server’s backend logic still processes and handles the requests that were canceled.
Thus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.
Attack Flow
For example, a possible attack scenario can be:
1. Attacker opens an HTTP/2 connection to the server.
2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X.
3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.
4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).
The attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server. This leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependant)
Comparison to Rapid Reset
The vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors. The Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5. Rapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.
Suggested Mitigations for MadeYouReset
A quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server. It is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.
As mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.
If you have any questions, we will be happy to clarify or schedule a Zoom call.
Gal, Anat and Yaniv.
Jetty's Team Notes
Impact
A denial of service vulnerability similar to Rapid Reset, but where the client triggers a reset from the server by sending a malformed or invalid frame.
In particular, this may be triggered by WINDOW_UPDATE frames that are invalid (e.g. with delta==0 or when the delta makes the window exceed 2^31-1).
Patches
Patch has been merged into 12.0.x mainline via https://github.com/jetty/jetty.project/pull/13449.
Workarounds
No workarounds apart disabling HTTP/2.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.4.57"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.http2:http2-common"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.4.58"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.25"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.http2:http2-common"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.0.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.25"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.http2:http2-common"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.0.24"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.http2:jetty-http2-common"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.0.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.1.0.beta2"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty.http2:jetty-http2-common"
},
"ranges": [
{
"events": [
{
"introduced": "12.1.0.alpha0"
},
{
"fixed": "12.1.0.beta3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5115"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-20T20:52:17Z",
"nvd_published_at": "2025-08-20T20:15:33Z",
"severity": "HIGH"
},
"details": "## Technical Details \nBelow is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as \u201cMadeYouReset.\u201d\n\n### MadeYouReset Vulnerability Summary\nThe MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.\n\n### Mechanism\nThe vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). \nThe vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are:\n1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1)\n2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it\u0027s possible a CONTINUATION frame to trigger that as well - but it\u0027s very rare). (Section 5.1)\n3. PRIORITY frame with a length other than 5. (section 6.3)\nFrom our experience, the primitives are likely to exist in the decreasing order listed above.\nNote that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we\u2019ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.\n\nThe vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. \nWhile the protocol does not count those streams as active, the server\u2019s backend logic still processes and handles the requests that were canceled.\n\nThus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.\n\n### Attack Flow\nFor example, a possible attack scenario can be: \n1. Attacker opens an HTTP/2 connection to the server.\n2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X. \n3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.\n4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).\n\nThe attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server.\nThis leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependant)\n\n### Comparison to Rapid Reset\nThe vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors.\nThe Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5.\nRapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.\n\n### Suggested Mitigations for MadeYouReset\nA quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server.\nIt is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.\n\nAs mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.\n\n\nIf you have any questions, we will be happy to clarify or schedule a Zoom call.\n\nGal, Anat and Yaniv.\n\n\n\n## Jetty\u0027s Team Notes\n\n### Impact\nA denial of service vulnerability similar to [Rapid Reset](https://github.com/jetty/jetty.project/security/advisories/GHSA-c745-7wm4-7738), but where the client triggers a reset from the server by sending a malformed or invalid frame.\nIn particular, this may be triggered by WINDOW_UPDATE frames that are invalid (e.g. with `delta==0` or when the delta makes the window exceed `2^31-1`).\n\n### Patches\nPatch has been merged into 12.0.x mainline via https://github.com/jetty/jetty.project/pull/13449.\n\n### Workarounds\nNo workarounds apart disabling HTTP/2.",
"id": "GHSA-mmxm-8w33-wc4h",
"modified": "2025-11-05T20:40:34Z",
"published": "2025-08-20T20:52:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5115"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/pull/13449"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/commit/f9ee3904788b08203ed62c95a560d951da37bdb1"
},
{
"type": "PACKAGE",
"url": "https://github.com/jetty/jetty.project"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-10.0.26"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-11.0.26"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.25"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-12.1.0"
},
{
"type": "WEB",
"url": "https://github.com/jetty/jetty.project/releases/tag/jetty-9.4.58.v20250814"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00014.html"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/767506"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/20/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability"
}
GHSA-MMXR-6344-9FV5
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().
{
"affected": [],
"aliases": [
"CVE-2017-7521"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-415"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-27T13:29:00Z",
"severity": "MODERATE"
},
"details": "OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and double-free issue in extract_x509_extension().",
"id": "GHSA-mmxr-6344-9fv5",
"modified": "2022-05-13T01:47:00Z",
"published": "2022-05-13T01:47:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7521"
},
{
"type": "WEB",
"url": "https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3900"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99230"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP3C-Q886-FVQV
Vulnerability from github – Published: 2026-05-11 21:31 – Updated: 2026-05-12 21:31The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2026-43653"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T21:19:01Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5. An attacker on the local network may be able to cause a denial-of-service.",
"id": "GHSA-mp3c-q886-fvqv",
"modified": "2026-05-12T21:31:32Z",
"published": "2026-05-11T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43653"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127110"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127111"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127115"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/127118"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP4C-VQQF-2QXG
Vulnerability from github – Published: 2022-01-21 00:00 – Updated: 2023-08-08 15:31Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4.
{
"affected": [],
"aliases": [
"CVE-2022-22820"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-20T12:15:00Z",
"severity": "MODERATE"
},
"details": "Due to the lack of media file checks before rendering, it was possible for an attacker to cause abnormal CPU consumption for message recipient by sending specially crafted gif image in LINE for Windows before 7.4.",
"id": "GHSA-mp4c-vqqf-2qxg",
"modified": "2023-08-08T15:31:37Z",
"published": "2022-01-21T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22820"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1357400"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP76-5XHH-VXVC
Vulnerability from github – Published: 2026-03-27 15:30 – Updated: 2026-03-27 15:30A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
{
"affected": [],
"aliases": [
"CVE-2026-28375"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-27T15:16:51Z",
"severity": "MODERATE"
},
"details": "A testdata data-source can be used to trigger out-of-memory crashes in Grafana.",
"id": "GHSA-mp76-5xhh-vxvc",
"modified": "2026-03-27T15:30:25Z",
"published": "2026-03-27T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28375"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-28375"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPCF-4GMH-23W8
Vulnerability from github – Published: 2018-07-24 20:16 – Updated: 2023-09-11 22:05Affected versions of forwarded are vulnerable to regular expression denial of service when parsing specially crafted user input.
Recommendation
Update to version 0.1.2 or later
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "forwarded"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16118"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:46:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of `forwarded` are vulnerable to regular expression denial of service when parsing specially crafted user input.\n\n\n## Recommendation\n\nUpdate to version 0.1.2 or later",
"id": "GHSA-mpcf-4gmh-23w8",
"modified": "2023-09-11T22:05:14Z",
"published": "2018-07-24T20:16:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16118"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-mpcf-4gmh-23w8"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/527"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in forwarded"
}
GHSA-MPFC-53HR-W2MG
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2024-04-04 02:50An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.
{
"affected": [],
"aliases": [
"CVE-2020-13114"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.",
"id": "GHSA-mpfc-53hr-w2mg",
"modified": "2024-04-04T02:50:53Z",
"published": "2022-05-24T17:18:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13114"
},
{
"type": "WEB",
"url": "https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00025.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-05"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4396-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00017.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPG4-RC92-VX8V
Vulnerability from github – Published: 2024-07-29 17:46 – Updated: 2024-10-11 14:13Summary
A ReDOS that exists on currency.js was discovered by Gauss Security Labs R&D team.
Details
https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex
PoC
pass the following string '\t'.repeat(13337) + '.'
Impact
Denial of service during currency parsing in experimental version 5 of fast-xml-parser-library
https://gauss-security.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.5"
},
{
"fixed": "4.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41818"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-29T17:46:16Z",
"nvd_published_at": "2024-07-29T16:15:05Z",
"severity": "HIGH"
},
"details": "### Summary\nA ReDOS that exists on currency.js was discovered by Gauss Security Labs R\u0026D team.\n\n### Details\nhttps://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex \n\n### PoC\npass the following string \u0027\\t\u0027.repeat(13337) + \u0027.\u0027\n\n### Impact\nDenial of service during currency parsing in experimental version 5 of fast-xml-parser-library\n\nhttps://gauss-security.com",
"id": "GHSA-mpg4-rc92-vx8v",
"modified": "2024-10-11T14:13:07Z",
"published": "2024-07-29T17:46:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41818"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "fast-xml-parser vulnerable to ReDOS at currency parsing"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.