Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5435 vulnerabilities reference this CWE, most recent first.

GHSA-RH88-RF49-8C8F

Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2022-05-17 02:53
VLAI
Details

The __read_etc_hosts_r function in libc/inet/resolv.c in uClibc-ng before 1.0.12 allows remote DNS servers to cause a denial of service (infinite loop) via a crafted packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-24T15:59:00Z",
    "severity": "HIGH"
  },
  "details": "The __read_etc_hosts_r function in libc/inet/resolv.c in uClibc-ng before 1.0.12 allows remote DNS servers to cause a denial of service (infinite loop) via a crafted packet.",
  "id": "GHSA-rh88-rf49-8c8f",
  "modified": "2022-05-17T02:53:35Z",
  "published": "2022-05-17T02:53:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2225"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2016-2225"
    },
    {
      "type": "WEB",
      "url": "http://repo.or.cz/uclibc-ng.git/commit/6932f2282ba0578d6ca2f21eead920d6b78bc93c"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/05/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/02/05/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/82903"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHCW-WJCM-9H6G

Vulnerability from github – Published: 2022-02-09 00:54 – Updated: 2021-03-31 23:48
VLAI
Summary
Denial of service in Undertow
Details

A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-27782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-31T23:48:27Z",
    "nvd_published_at": "2021-02-23T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.",
  "id": "GHSA-rhcw-wjcm-9h6g",
  "modified": "2021-03-31T23:48:27Z",
  "published": "2022-02-09T00:54:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/pull/997/commits/98a9ab7f2d7fe7a7254eaf17d47816c452169c90"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1901304"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/UNDERTOW-1813"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in Undertow"
}

GHSA-RHFH-M68W-RV9H

Vulnerability from github – Published: 2024-11-15 15:30 – Updated: 2024-11-15 15:30
VLAI
Details

A vulnerability in the local interface of Cisco BroadWorks Network Server could allow an unauthenticated, remote attacker to exhaust system resources, causing a denial of service (DoS) condition.

This vulnerability exists because rate limiting does not occur for certain incoming TCP connections. An attacker could exploit this vulnerability by sending a high rate of TCP connections to the server. A successful exploit could allow the attacker to cause TCP connection resources to grow rapidly until the Cisco BroadWorks Network Server becomes unusable. Note: To recover from this vulnerability, either Cisco BroadWorks Network Server software must be restarted or the Cisco BroadWorks Network Server node must be rebooted. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-15T15:15:05Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the local interface of Cisco BroadWorks Network Server could allow an unauthenticated, remote attacker to exhaust system resources, causing a denial of service (DoS) condition.\n\nThis vulnerability exists because rate limiting does not occur for certain incoming TCP connections. An attacker could exploit this vulnerability by sending a high rate of TCP connections to the server. A successful exploit could allow the attacker to cause TCP connection resources to grow rapidly until the Cisco BroadWorks Network Server becomes unusable.\nNote: To recover from this vulnerability, either Cisco BroadWorks Network Server software must be restarted or the Cisco BroadWorks Network Server node must be rebooted. For more information, see the  section of this advisory.\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.",
  "id": "GHSA-rhfh-m68w-rv9h",
  "modified": "2024-11-15T15:30:57Z",
  "published": "2024-11-15T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20125"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-tcp-dos-KEdJCxLs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHG6-3QW6-38PP

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-10-25 19:00
VLAI
Details

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denial of service attack. This attack would not completely stop the service, but in the worst-case scenario, it can reduce the Tower performance, for which memcached is designed. Theoretically, more sophisticated attacks can be performed by manipulating and crafting the cache, as Tower relies on memcached as a place to pull out setting values. Confidential and sensitive data stored in memcached should not be pulled, as this information is encrypted. This flaw affects Ansible Tower versions before 3.6.4, Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-27T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denial of service attack. This attack would not completely stop the service, but in the worst-case scenario, it can reduce the Tower performance, for which memcached is designed. Theoretically, more sophisticated attacks can be performed by manipulating and crafting the cache, as Tower relies on memcached as a place to pull out setting values. Confidential and sensitive data stored in memcached should not be pulled, as this information is encrypted. This flaw affects Ansible Tower versions before 3.6.4, Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6.",
  "id": "GHSA-rhg6-3qw6-38pp",
  "modified": "2022-10-25T19:00:31Z",
  "published": "2022-05-24T19:03:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10697"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1818445"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHPC-FPH8-3VQM

Vulnerability from github – Published: 2024-02-29 03:33 – Updated: 2024-02-29 03:33
VLAI
Details

A vulnerability in system resource management in Cisco UCS 6400 and 6500 Series Fabric Interconnects that are in Intersight Managed Mode (IMM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the Device Console UI of an affected device.

This vulnerability is due to insufficient rate-limiting of TCP connections to an affected device. An attacker could exploit this vulnerability by sending a high number of TCP packets to the Device Console UI. A successful exploit could allow an attacker to cause the Device Console UI process to crash, resulting in a DoS condition. A manual reload of the fabric interconnect is needed to restore complete functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20344"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-29T01:43:59Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in system resource management in Cisco UCS 6400 and 6500 Series Fabric Interconnects that are in Intersight Managed Mode (IMM) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the Device Console UI of an affected device.\n\n This vulnerability is due to insufficient rate-limiting of TCP connections to an affected device. An attacker could exploit this vulnerability by sending a high number of TCP packets to the Device Console UI. A successful exploit could allow an attacker to cause the Device Console UI process to crash, resulting in a DoS condition. A manual reload of the fabric interconnect is needed to restore complete functionality.",
  "id": "GHSA-rhpc-fph8-3vqm",
  "modified": "2024-02-29T03:33:17Z",
  "published": "2024-02-29T03:33:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20344"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucsfi-imm-syn-p6kZTDQC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHR5-9WG9-P26F

Vulnerability from github – Published: 2025-10-31 09:30 – Updated: 2025-10-31 09:30
VLAI
Details

Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-31T09:15:47Z",
    "severity": "HIGH"
  },
  "details": "Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are known",
  "id": "GHSA-rhr5-9wg9-p26f",
  "modified": "2025-10-31T09:30:26Z",
  "published": "2025-10-31T09:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30188"
    },
    {
      "type": "WEB",
      "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0002.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHR7-G23X-PQH9

Vulnerability from github – Published: 2026-04-30 15:30 – Updated: 2026-04-30 18:30
VLAI
Details

A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-36958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T15:16:22Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.",
  "id": "GHSA-rhr7-g23x-pqh9",
  "modified": "2026-04-30T18:30:31Z",
  "published": "2026-04-30T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kirubel-cve/CVE-2026-36958"
    },
    {
      "type": "WEB",
      "url": "http://u-speed.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHV4-8758-JX7V

Vulnerability from github – Published: 2026-05-12 15:09 – Updated: 2026-05-12 15:09
VLAI
Summary
Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS
Details

Summary decimal doesn't bound the exponent on parsed input, so something like "1e10000000" is parsed fine but then explodes the memory to more than 7GB if you run e.g. Decimal.add(Decimal.parse("1e10000000"), 1) because for positive exp, the function tail-recurses with coef * 10 and exp - 1 per iteration, growing the bignum coefficient by one digit each step. In the worst case, one request is enough to OOM the BEAM.

Details

Decimal.new/parse/cast happily store huge exponents. After that, a bunch of core paths allocate proportional to exp: - add/sub/div go through add_align, which calls pow10(exp1 - exp2) and builds a giant bignum (lib/decimal.ex:1734-1738, 1827). - to_string/2 with :normal (also :xsd and the String.Chars impl) does :lists.duplicate(exp, ?0) (lib/decimal.ex:1506, 1513). - to_integer/1 recurses coef * 10, exp - 1 once per unit of exp (lib/decimal.ex:1603-1605). - round/3 does the same :lists.duplicate trick on the exp difference (lib/decimal.ex:1850, 1874). - compare/3 with a threshold argument loops back into add/sub, so it's vulnerable too (lib/decimal.ex:331-332).

PoC

Any of these will hang or OOM the BEAM:

Decimal.add(Decimal.new("1"), Decimal.new("1e1000000000"))
Decimal.to_string(Decimal.new("1e1000000000"), :normal)
Decimal.to_integer(Decimal.new("1e1000000000"))
Decimal.round(Decimal.new("1e1000000000"))

Impact

Unauthenticated remote DoS. Anything that takes a user-supplied decimal (JSON, form field, Ecto :decimal field — basically everywhere) and then does arithmetic, rounding, to_integer, or to_string on it is exposed. One request can kill the node with a Out-of-Memory exception.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "decimal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:09:20Z",
    "nvd_published_at": "2026-05-07T15:16:05Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n`decimal` doesn\u0027t bound the exponent on parsed input, so something like `\"1e10000000\"` is parsed fine but then explodes the memory to more than 7GB if you run e.g. `Decimal.add(Decimal.parse(\"1e10000000\"), 1)` because for positive `exp`, the function tail-recurses with `coef * 10` and `exp - 1` per iteration, growing the bignum coefficient by one digit each step. In the worst case, one request is enough to OOM the BEAM.\n\n### Details\n`Decimal.new/parse/cast` happily store huge exponents. After that, a bunch of core paths allocate proportional to `exp`:\n- `add/sub/div` go through `add_align`, which calls `pow10(exp1 - exp2)` and builds a giant bignum (lib/decimal.ex:1734-1738, 1827).\n- `to_string/2` with `:normal` (also `:xsd` and the `String.Chars` impl) does `:lists.duplicate(exp, ?0)` (lib/decimal.ex:1506, 1513).\n- `to_integer/1` recurses `coef * 10`, `exp - 1` once per unit of `exp` (lib/decimal.ex:1603-1605).\n- `round/3` does the same `:lists.duplicate` trick on the exp difference (lib/decimal.ex:1850, 1874).\n- `compare/3` with a threshold argument loops back into `add`/`sub`, so it\u0027s vulnerable too (lib/decimal.ex:331-332).\n\n### PoC\nAny of these will hang or OOM the BEAM:\n```elixir\nDecimal.add(Decimal.new(\"1\"), Decimal.new(\"1e1000000000\"))\nDecimal.to_string(Decimal.new(\"1e1000000000\"), :normal)\nDecimal.to_integer(Decimal.new(\"1e1000000000\"))\nDecimal.round(Decimal.new(\"1e1000000000\"))\n```\n\n### Impact\nUnauthenticated remote DoS. Anything that takes a user-supplied decimal (JSON, form field, Ecto `:decimal` field \u2014 basically everywhere) and then does arithmetic, rounding, `to_integer`, or `to_string` on it is exposed. One request can kill the node with a Out-of-Memory exception.",
  "id": "GHSA-rhv4-8758-jx7v",
  "modified": "2026-05-12T15:09:20Z",
  "published": "2026-05-12T15:09:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-32686.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericmj/decimal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/releases/tag/v3.0.0"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS"
}

GHSA-RJ37-6J9X-74Q6

Vulnerability from github – Published: 2026-06-12 15:07 – Updated: 2026-06-12 15:07
VLAI
Summary
SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
Details

Summary

The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting HTTPHeaders value before any application code runs. This can be used to exhaust memory, or — for consumers that subsequently convert headers into swift-http-types' HTTPFields — to crash the process.

Details

HTTPDecoder previously enforced only a single hardcoded parsing limit: 80 KB per individual header field (name + value). There was no cap on the cumulative size of the header block, nor on the number of header fields per message. Because each individual field can remain well below the 80 KB threshold, a peer can submit hundreds of thousands of valid headers in a single request, all of which are appended to the decoded HTTPHeaders without bound.

The headers are then visible to user code through the standard HTTPServerRequestPart.head / HTTPClientResponsePart.head events. Two observed downstream effects:

  • Hummingbird 2 (and other consumers that bridge HTTPHeaders into swift-http-types' HTTPFields) crashes via a precondition failure inside HTTPFields once the configured field count is exceeded.
  • Vapor 4 does not crash, but the per-request memory footprint scales linearly with the number of headers received, allowing a single connection to inflate server memory use substantially.

Impact

A single unauthenticated remote peer can trigger a denial of service against any HTTP/1 server (or, in the response direction, any HTTP/1 client) built on NIOHTTP1 — either by crashing the process, depending on the downstream framework, or by driving the process's resident memory to arbitrary sizes.

Patches

This issue is addressed in swift-nio 2.100.0 and later.

The HTTPDecoder now applies three parsing limits with conservative defaults, exposed through the new NIOHTTPDecoderLimitConfiguration type:

Limit Default
maxHeaderFieldSize 80 KB
maxHeaderListSize 2 MB
maxHeaderFieldCount 256

Exceeding any of these limits causes the decoder to fail with HTTPParserError.headerOverflow. The configuration can be supplied directly to HTTPRequestDecoder / HTTPResponseDecoder, or via the decoderConfiguration property on NIOUpgradableHTTPServerPipelineConfiguration and NIOUpgradableHTTPClientPipelineConfiguration.

Users who require larger limits — for example, applications that legitimately exchange very large header blocks — can opt into them explicitly by constructing a custom NIOHTTPDecoderLimitConfiguration.

Workarounds

Users unable to upgrade can mitigate by placing a reverse proxy in front of the service that enforces equivalent limits on request header count and total header size.

Credit

This issue was reported by @Joannis. SwiftNIO thanks @Joannis for the report and the support in landing the fix.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.99.0"
      },
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.100.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T15:07:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `HTTPDecoder` in `NIOHTTP1` enforces no limit on the total size of an HTTP/1 message\u0027s header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting `HTTPHeaders` value before any application code runs. This can be used to exhaust memory, or \u2014 for consumers that subsequently convert headers into `swift-http-types`\u0027 `HTTPFields` \u2014 to crash the process.\n\n### Details\n\n`HTTPDecoder` previously enforced only a single hardcoded parsing limit: 80 KB per individual header field (name + value). There was no cap on the cumulative size of the header block, nor on the number of header fields per message. Because each individual field can remain well below the 80 KB threshold, a peer can submit hundreds of thousands of valid headers in a single request, all of which are appended to the decoded `HTTPHeaders` without bound.\n\nThe headers are then visible to user code through the standard `HTTPServerRequestPart.head` / `HTTPClientResponsePart.head` events. Two observed downstream effects:\n\n  - **Hummingbird 2** (and other consumers that bridge `HTTPHeaders` into `swift-http-types`\u0027 `HTTPFields`) crashes via a precondition failure inside `HTTPFields` once the configured field count is exceeded.\n  - **Vapor 4** does not crash, but the per-request memory footprint scales linearly with the number of headers received, allowing a single connection to inflate server memory use substantially.\n  \n### Impact\n\nA single unauthenticated remote peer can trigger a denial of service against any HTTP/1 server (or, in the response direction, any HTTP/1 client) built on `NIOHTTP1` \u2014 either by crashing the process, depending on the downstream framework, or by driving the process\u0027s resident memory to arbitrary sizes.\n\n### Patches\n\nThis issue is addressed in `swift-nio` 2.100.0 and later.\n\nThe `HTTPDecoder` now applies three parsing limits with conservative defaults, exposed through the new `NIOHTTPDecoderLimitConfiguration` type:\n\n  | Limit | Default |\n  | --- | --- |\n  | `maxHeaderFieldSize` | 80 KB |\n  | `maxHeaderListSize` | 2 MB |\n  | `maxHeaderFieldCount` | 256 |\n\nExceeding any of these limits causes the decoder to fail with `HTTPParserError.headerOverflow`. The configuration can be supplied directly to `HTTPRequestDecoder` / `HTTPResponseDecoder`, or via the `decoderConfiguration` property on `NIOUpgradableHTTPServerPipelineConfiguration` and `NIOUpgradableHTTPClientPipelineConfiguration`.\n\nUsers who require larger limits \u2014 for example, applications that legitimately exchange very large header blocks \u2014 can opt into them explicitly by constructing a custom `NIOHTTPDecoderLimitConfiguration`.\n\n### Workarounds\n\nUsers unable to upgrade can mitigate by placing a reverse proxy in front of the service that enforces equivalent limits on request header count and total header size.\n\n### Credit\n\nThis issue was reported by @Joannis. SwiftNIO thanks @Joannis for the report and the support in landing the fix.",
  "id": "GHSA-rj37-6j9x-74q6",
  "modified": "2026-06-12T15:07:53Z",
  "published": "2026-06-12T15:07:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/security/advisories/GHSA-rj37-6j9x-74q6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SwiftNIO NIOHTTP1:  HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS"
}

GHSA-RJ4P-7MM6-GM9J

Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-11-08 12:35
VLAI
Summary
JBossWS vulnerable to uncontrolled recursion
Details

DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.ws:jbossws-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T12:35:06Z",
    "nvd_published_at": "2013-07-29T13:59:00Z",
    "severity": "LOW"
  },
  "details": "DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.",
  "id": "GHSA-rj4p-7mm6-gm9j",
  "modified": "2022-11-08T12:35:06Z",
  "published": "2022-05-13T01:39:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1483"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692584"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jbossws/jbossws-common"
    },
    {
      "type": "WEB",
      "url": "http://source.jboss.org/changelog/JBossWS/?cs=13996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "JBossWS vulnerable to uncontrolled recursion"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.