Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5435 vulnerabilities reference this CWE, most recent first.

GHSA-RMX6-5P52-GPQ2

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28
VLAI
Details

Cisco Adaptive Security Appliance (ASA) Software 8.4(.6) and earlier, when using an unsupported configuration with overlapping criteria for filtering and inspection, allows remote attackers to cause a denial of service (traffic loop and device crash) via a packet that triggers multiple matches, aka Bug ID CSCui45606.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-5567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-14T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Cisco Adaptive Security Appliance (ASA) Software 8.4(.6) and earlier, when using an unsupported configuration with overlapping criteria for filtering and inspection, allows remote attackers to cause a denial of service (traffic loop and device crash) via a packet that triggers multiple matches, aka Bug ID CSCui45606.",
  "id": "GHSA-rmx6-5p52-gpq2",
  "modified": "2022-05-13T01:28:47Z",
  "published": "2022-05-13T01:28:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5567"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/94445"
    },
    {
      "type": "WEB",
      "url": "http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-5567"
    },
    {
      "type": "WEB",
      "url": "http://tools.cisco.com/security/center/viewAlert.x?alertId=34911"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/68504"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1030555"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RP42-5VXX-QPWR

Vulnerability from github – Published: 2026-04-16 21:37 – Updated: 2026-04-24 21:02
VLAI
Summary
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
Details

Summary

basic-ftp@5.2.2 is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to Client.list(), causing the client process to consume memory until it becomes unstable or crashes.

Details

The issue is in the package's default directory listing flow.

Client.list() reaches dist/Client.js, where the full listing response is downloaded into a StringWriter before parsing:

File: dist/Client.js:516-527

async _requestListWithCommand(command) {
    const buffer = new StringWriter_1.StringWriter();
    await (0, transfer_1.downloadTo)(buffer, {
        ftp: this.ftp,
        tracker: this._progressTracker,
        command,
        remotePath: "",
        type: "list"
    });
    const text = buffer.getText(this.ftp.encoding);
    this.ftp.log(text);
    return this.parseList(text);
}

The vulnerable sink is StringWriter, which grows an in-memory Buffer with no limit:

File: dist/StringWriter.js:5-20

class StringWriter extends stream_1.Writable {
    constructor() {
        super(...arguments);
        this.buf = Buffer.alloc(0);
    }
    _write(chunk, _, callback) {
        if (chunk instanceof Buffer) {
            this.buf = Buffer.concat([this.buf, chunk]);
            callback(null);
        }
        else {
            callback(new Error("StringWriter expects chunks of type 'Buffer'."));
        }
    }
    getText(encoding) {
        return this.buf.toString(encoding);
    }
}

The critical operation is:

this.buf = Buffer.concat([this.buf, chunk]);

There is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.

How it happens:

  1. An application connects to an attacker-controlled or compromised FTP server.
  2. The application calls client.list().
  3. The server returns an extremely large or unbounded directory listing.
  4. basic-ftp buffers the full response in StringWriter.
  5. Memory grows without bound due to repeated Buffer.concat(...) calls.

PoC

The following PoC exercises the vulnerable buffering primitive directly:

const { StringWriter } = require("basic-ftp/dist/StringWriter.js");

function mb(n) {
  return Math.round(n / 1024 / 1024) + "MB";
}

const writer = new StringWriter();
let wrote = 0;

for (let i = 0; i < 32; i++) {
  const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);
  writer.write(chunk);
  wrote += chunk.length;

  if ((i + 1) % 8 === 0) {
    const m = process.memoryUsage();
    console.log("written", mb(wrote), "rss", mb(m.rss), "heap", mb(m.heapUsed), "buf", mb(m.arrayBuffers));
  }
}

console.log("final text len", writer.getText("utf8").length);

Observed output:

written 32MB rss 116MB heap 4MB buf 64MB
written 64MB rss 296MB heap 4MB buf 240MB
written 96MB rss 340MB heap 3MB buf 284MB
written 128MB rss 436MB heap 3MB buf 376MB
final text len 134217728

This demonstrates sustained memory growth in the same code path used to buffer directory listing data.

Supporting files saved alongside this report:

  • poc.js
  • poc_output.txt

Impact

This is a denial-of-service vulnerability affecting applications that use basic-ftp to list directories from remote FTP servers.

  • Vulnerability class: Memory exhaustion / Denial of Service
  • Attack precondition: The victim connects to a malicious or compromised FTP server and performs Client.list()
  • Impacted users: Any application or service using basic-ftp@5.2.2 against untrusted FTP endpoints
  • Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination

Recommended remediation:

  1. Enforce a maximum listing size.
  2. Abort transfers that exceed the configured limit.
  3. Prefer incremental or streaming parsing over full-response buffering.

Example defensive check:

if (this.buf.length + chunk.length > MAX_LISTING_BYTES) {
    callback(new Error("FTP listing exceeds maximum allowed size."));
    return;
}
this.buf = Buffer.concat([this.buf, chunk]);
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "basic-ftp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:37:48Z",
    "nvd_published_at": "2026-04-24T04:16:20Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`basic-ftp@5.2.2` is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process to consume memory until it becomes unstable or crashes.\n\n### Details\nThe issue is in the package\u0027s default directory listing flow.\n\n`Client.list()` reaches `dist/Client.js`, where the full listing response is downloaded into a `StringWriter` before parsing:\n\nFile: `dist/Client.js:516-527`\n\n```js\nasync _requestListWithCommand(command) {\n    const buffer = new StringWriter_1.StringWriter();\n    await (0, transfer_1.downloadTo)(buffer, {\n        ftp: this.ftp,\n        tracker: this._progressTracker,\n        command,\n        remotePath: \"\",\n        type: \"list\"\n    });\n    const text = buffer.getText(this.ftp.encoding);\n    this.ftp.log(text);\n    return this.parseList(text);\n}\n```\n\nThe vulnerable sink is `StringWriter`, which grows an in-memory `Buffer` with no limit:\n\nFile: `dist/StringWriter.js:5-20`\n\n```js\nclass StringWriter extends stream_1.Writable {\n    constructor() {\n        super(...arguments);\n        this.buf = Buffer.alloc(0);\n    }\n    _write(chunk, _, callback) {\n        if (chunk instanceof Buffer) {\n            this.buf = Buffer.concat([this.buf, chunk]);\n            callback(null);\n        }\n        else {\n            callback(new Error(\"StringWriter expects chunks of type \u0027Buffer\u0027.\"));\n        }\n    }\n    getText(encoding) {\n        return this.buf.toString(encoding);\n    }\n}\n```\n\nThe critical operation is:\n\n```js\nthis.buf = Buffer.concat([this.buf, chunk]);\n```\n\nThere is no maximum size check, no truncation, and no streaming parser. Because the remote FTP server controls the listing response, it can force the client to keep allocating memory until the process is terminated.\n\nHow it happens:\n\n1. An application connects to an attacker-controlled or compromised FTP server.\n2. The application calls `client.list()`.\n3. The server returns an extremely large or unbounded directory listing.\n4. `basic-ftp` buffers the full response in `StringWriter`.\n5. Memory grows without bound due to repeated `Buffer.concat(...)` calls.\n\n### PoC\nThe following PoC exercises the vulnerable buffering primitive directly:\n\n```js\nconst { StringWriter } = require(\"basic-ftp/dist/StringWriter.js\");\n\nfunction mb(n) {\n  return Math.round(n / 1024 / 1024) + \"MB\";\n}\n\nconst writer = new StringWriter();\nlet wrote = 0;\n\nfor (let i = 0; i \u003c 32; i++) {\n  const chunk = Buffer.alloc(4 * 1024 * 1024, 0x41);\n  writer.write(chunk);\n  wrote += chunk.length;\n\n  if ((i + 1) % 8 === 0) {\n    const m = process.memoryUsage();\n    console.log(\"written\", mb(wrote), \"rss\", mb(m.rss), \"heap\", mb(m.heapUsed), \"buf\", mb(m.arrayBuffers));\n  }\n}\n\nconsole.log(\"final text len\", writer.getText(\"utf8\").length);\n```\n\nObserved output:\n\n```text\nwritten 32MB rss 116MB heap 4MB buf 64MB\nwritten 64MB rss 296MB heap 4MB buf 240MB\nwritten 96MB rss 340MB heap 3MB buf 284MB\nwritten 128MB rss 436MB heap 3MB buf 376MB\nfinal text len 134217728\n```\n\nThis demonstrates sustained memory growth in the same code path used to buffer directory listing data.\n\nSupporting files saved alongside this report:\n\n- `poc.js`\n- `poc_output.txt`\n\n### Impact\nThis is a denial-of-service vulnerability affecting applications that use `basic-ftp` to list directories from remote FTP servers.\n\n- Vulnerability class: Memory exhaustion / Denial of Service\n- Attack precondition: The victim connects to a malicious or compromised FTP server and performs `Client.list()`\n- Impacted users: Any application or service using `basic-ftp@5.2.2` against untrusted FTP endpoints\n- Security effect: The attacker can cause excessive memory consumption, process instability, and potential process termination\n\nRecommended remediation:\n\n1. Enforce a maximum listing size.\n2. Abort transfers that exceed the configured limit.\n3. Prefer incremental or streaming parsing over full-response buffering.\n\nExample defensive check:\n\n```js\nif (this.buf.length + chunk.length \u003e MAX_LISTING_BYTES) {\n    callback(new Error(\"FTP listing exceeds maximum allowed size.\"));\n    return;\n}\nthis.buf = Buffer.concat([this.buf, chunk]);\n```",
  "id": "GHSA-rp42-5vxx-qpwr",
  "modified": "2026-04-24T21:02:13Z",
  "published": "2026-04-16T21:37:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rp42-5vxx-qpwr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41324"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickjuchli/basic-ftp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()"
}

GHSA-RP44-9RCV-J4MV

Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-17 15:30
VLAI
Details

Uncontrolled resource consumption in the Intel(R) Support Android application before version 22.02.28 may allow an authenticated user to potentially enable denial of service via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-11T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled resource consumption in the Intel(R) Support Android application before version 22.02.28 may allow an authenticated user to potentially enable denial of service via local access.",
  "id": "GHSA-rp44-9rcv-j4mv",
  "modified": "2022-11-17T15:30:21Z",
  "published": "2022-11-11T19:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30691"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00740.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RP5X-RJ69-R36X

Vulnerability from github – Published: 2024-06-10 21:30 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improvements to the file handling protocol. This issue is fixed in visionOS 1.2. Processing web content may lead to a denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-10T21:15:50Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improvements to the file handling protocol. This issue is fixed in visionOS 1.2. Processing web content may lead to a denial-of-service.",
  "id": "GHSA-rp5x-rj69-r36x",
  "modified": "2026-04-02T21:31:45Z",
  "published": "2024-06-10T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27812"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120906"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214108"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214108"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jun/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RP64-MPMJ-44XF

Vulnerability from github – Published: 2023-06-19 18:30 – Updated: 2024-04-04 04:57
VLAI
Details

Vulnerability of system restart triggered by abnormal callbacks passed to APIs.Successful exploitation of this vulnerability may cause the system to restart.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of system restart triggered by abnormal callbacks passed to APIs.Successful exploitation of this vulnerability may cause the system to restart.",
  "id": "GHSA-rp64-mpmj-44xf",
  "modified": "2024-04-04T04:57:55Z",
  "published": "2023-06-19T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34166"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RP66-WCX8-J4PJ

Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32
VLAI
Details

Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T13:16:44Z",
    "severity": "HIGH"
  },
  "details": "Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table\u0027s Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service.",
  "id": "GHSA-rp66-wcx8-j4pj",
  "modified": "2026-06-23T15:32:36Z",
  "published": "2026-06-23T15:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-5vgv-rqj5-5748"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56248"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/capgo-unauthenticated-denial-of-service-via-audit-logs-rls-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RPCC-P8XM-RC6P

Vulnerability from github – Published: 2024-08-02 21:31 – Updated: 2024-12-27 18:30
VLAI
Summary
Podman vulnerable to memory-based denial of service
Details

A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as podman run --restart=always, this can result in a memory-based denial of service of the system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-05T17:28:04Z",
    "nvd_published_at": "2024-08-02T21:16:30Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container\u0027s cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.",
  "id": "GHSA-rpcc-p8xm-rc6p",
  "modified": "2024-12-27T18:30:26Z",
  "published": "2024-08-02T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3056"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3056"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270717"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/podman"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3042"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241227-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Podman vulnerable to memory-based denial of service"
}

GHSA-RPF3-74P4-XXXJ

Vulnerability from github – Published: 2023-01-11 18:30 – Updated: 2023-01-18 18:30
VLAI
Details

IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.1 could allow an authenticated user to exhaust server resources which could lead to a denial of service. IBM X-Force ID: 229705.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-11T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.1 could allow an authenticated user to exhaust server resources which could lead to a denial of service. IBM X-Force ID: 229705.",
  "id": "GHSA-rpf3-74p4-xxxj",
  "modified": "2023-01-18T18:30:16Z",
  "published": "2023-01-11T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34335"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/229705"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6854331"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPMF-866Q-6P89

Vulnerability from github – Published: 2026-05-06 19:37 – Updated: 2026-05-13 16:29
VLAI
Summary
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Details

Summary

basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.

A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into FtpContext._partialResponse and repeatedly reparses the accumulated buffer without enforcing a maximum control response size.

As a result, an application using basic-ftp can remain stuck in connect() while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints.


Details

Root cause

The root cause is that incomplete FTP multiline control responses are buffered without an upper bound.

FtpContext stores incomplete control-channel data in _partialResponse:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L63-L64

Incoming control-channel data is handled in _onControlSocketData. The implementation concatenates the previous incomplete response with the new chunk, parses the entire accumulated string, and stores parsed.rest back into _partialResponse:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L328-L340

The relevant flow is:

completeResponse = this._partialResponse + chunk parsed = parseControlResponse(completeResponse) this._partialResponse = parsed.rest

There is no maximum size check before concatenating, before parsing, or before storing parsed.rest.

The parser accepts incomplete multiline responses and returns the entire unterminated multiline group as rest:

https://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/parseControlResponse.ts#L15-L43

If a server starts a multiline FTP response:

220-malicious banner starts

but never sends the terminating line:

220 ready

then parseControlResponse() treats the accumulated multiline data as incomplete and returns it as rest.

Because _onControlSocketData() feeds _partialResponse + chunk back into the parser on every new data event, the client repeatedly reparses a growing attacker-controlled buffer. This creates both memory growth and increasing parsing work.

Why this is security-relevant

The vulnerable component is a client library. The attacker does not need to authenticate to the victim system and does not need valid FTP credentials.

The attack occurs automatically when an application using basic-ftp connects to a malicious or compromised FTP server. The malicious response is sent as the FTP server banner before login. No additional user interaction is required after the application initiates a normal FTP connection.

This is realistic for applications that use FTP for:

  • scheduled imports or exports
  • customer-provided FTP endpoints
  • backup or synchronization jobs
  • CI/CD artifact mirroring
  • document ingestion pipelines
  • legacy business integrations

In those environments, one malicious or compromised FTP endpoint can cause the Node.js process using basic-ftp to consume excessive memory and CPU or remain stuck in a pending connection state.


Proof of Concept

The PoC uses a local malicious FTP server that accepts a victim connection and sends an unterminated multiline FTP banner. The banner starts with 220-, but the server never sends the required terminating 220 line.

Reproduction steps

From the root of the basic-ftp project:

npm ci
npm run buildOnly

poc_control_parser_direct.js

CHUNKS=1000 node poc_control_parser_direct.js | tee poc-results/parser_direct_1000.log

parser_direct_1000.log

Run the end-to-end malicious FTP server PoC:

poc_control_multiline_dos.js

CHUNK_SIZE=8192 CHUNKS=1000 DELAY_MS=1 node poc_control_multiline_dos.js | tee poc-results/control_multiline_dos_1000.log

control_multiline_dos_1000.log

Observed result: parser-only PoC

[basic-ftp parseControlResponse incomplete multiline DoS]
Input fed: 7.81 MiB
Retained rest: 7.81 MiB
Initial rss/heap: 54.77 MiB 3.69 MiB
Final   rss/heap: 141.64 MiB 80.77 MiB

This shows that parseControlResponse() retained the full unterminated multiline response as rest.

The retained buffer grew to 7.81 MiB. Heap usage increased from 3.69 MiB to 80.77 MiB, and RSS increased from 54.77 MiB to 141.64 MiB.

Observed result: end-to-end malicious FTP server PoC

[server] listening on 127.0.0.1:34429
[server] victim connected
[progress] chunks=850 sent=6.6 MiB partialResponse=6.6 MiB heapUsed=227.5 MiB rss=292.4 MiB
[progress] chunks=900 sent=7.0 MiB partialResponse=7.0 MiB heapUsed=213.1 MiB rss=278.0 MiB
[final-before-close] chunks=1000 sent=7.8 MiB partialResponse=7.8 MiB heapUsed=82.1 MiB rss=146.8 MiB
[result] client connect() is still pending because the multiline response never terminated

Only 7.8 MiB of malicious control-channel data was sent. The client retained 7.8 MiB in _partialResponse, showed large memory spikes, and remained pending inside connect() because the multiline response was never terminated.


Expected behavior

The client should enforce a maximum size for incomplete FTP control responses. If the accumulated multiline response exceeds a safe limit, the client should close the connection and reject the active task with an error.

The client should not allow a remote FTP server to make _partialResponse grow without bound.


Actual behavior

A malicious FTP server can keep the client in a pending connection state by sending an unterminated multiline control response. basic-ftp continues buffering and reparsing the accumulated data without a maximum response size.


Impact

A malicious or compromised FTP server can cause denial of service in applications using basic-ftp.

Possible real-world impact includes:

  • Node.js process memory exhaustion
  • container OOM kill
  • worker crash or restart loop
  • event loop CPU pressure due to repeated reparsing
  • stuck FTP jobs
  • queue backlog in scheduled import/export systems
  • degraded availability of services relying on automated FTP ingestion

Threat model

The attacker controls, compromises, or can impersonate an FTP server that a victim application connects to.

Examples:

  1. A SaaS application allows customers to configure external FTP endpoints for automated imports.
  2. A backend job periodically pulls files from partner FTP servers.
  3. A document ingestion pipeline connects to FTP endpoints supplied by external users.
  4. A legacy integration uses FTP for scheduled synchronization.
  5. A build or deployment pipeline mirrors artifacts from an FTP server.

In each case, the victim application initiates a normal FTP connection. The malicious server sends an unterminated multiline banner before authentication. The vulnerable client then buffers and reparses the response indefinitely.

No FTP credentials are required for exploitation because the attack happens before login.


Suggested fix

Introduce a maximum control response buffer size, especially for incomplete multiline responses.

Recommended changes:

  • Add a maxControlResponseBytes or maxControlResponseLength limit.
  • Enforce the limit before or immediately after appending new control-channel data.
  • Close the connection and reject the active task when the limit is exceeded.
  • Add regression tests for unterminated multiline responses.

Example defensive logic:

if (completeResponse.length > maxControlResponseLength) {
    closeWithError(new Error("FTP control response exceeded maximum allowed size"))
}

A regression test should verify that a response beginning with 220- and never terminating with 220 is rejected after the configured size limit instead of being retained indefinitely.


Suggested regression test scenario

A test server should:

  1. Accept a client connection.
  2. Send an FTP multiline response opener such as 220-malicious banner\r\n.
  3. Continue sending additional lines without ever sending the terminating 220 line.
  4. Verify that the client rejects the connection once the configured response-size limit is exceeded.
  5. Verify that _partialResponse does not grow without bound.

Credit request

If you publish an advisory or assign a CVE, please credit me as:

Ali Firas (thesmartshadow) - https://www.smartshadow.dev

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.3.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "basic-ftp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:37:33Z",
    "nvd_published_at": "2026-05-12T21:16:16Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`basic-ftp` is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.\n\nA malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attacker-controlled data into `FtpContext._partialResponse` and repeatedly reparses the accumulated buffer without enforcing a maximum control response size.\n\nAs a result, an application using `basic-ftp` can remain stuck in `connect()` while memory and CPU usage grow under attacker-controlled input. This can lead to process-level denial of service, container OOM kills, worker restarts, queue backlog, or service degradation in applications that automatically connect to FTP endpoints.\n\n---\n\n## Details\n\n### Root cause\n\nThe root cause is that incomplete FTP multiline control responses are buffered without an upper bound.\n\n`FtpContext` stores incomplete control-channel data in `_partialResponse`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L63-L64\n\n\nIncoming control-channel data is handled in `_onControlSocketData`. The implementation concatenates the previous incomplete response with the new chunk, parses the entire accumulated string, and stores `parsed.rest` back into `_partialResponse`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/FtpContext.ts#L328-L340\n\n\nThe relevant flow is:\n\n\ncompleteResponse = this._partialResponse + chunk\nparsed = parseControlResponse(completeResponse)\nthis._partialResponse = parsed.rest\n\n\nThere is no maximum size check before concatenating, before parsing, or before storing `parsed.rest`.\n\nThe parser accepts incomplete multiline responses and returns the entire unterminated multiline group as `rest`:\n\n\nhttps://github.com/patrickjuchli/basic-ftp/blob/50827c73ca6c1d786c97276e47be8a33d0f2277d/src/parseControlResponse.ts#L15-L43\n\n\nIf a server starts a multiline FTP response:\n\n\n220-malicious banner starts\n\n\nbut never sends the terminating line:\n\n\n220 ready\n\n\nthen `parseControlResponse()` treats the accumulated multiline data as incomplete and returns it as `rest`.\n\nBecause `_onControlSocketData()` feeds `_partialResponse + chunk` back into the parser on every new data event, the client repeatedly reparses a growing attacker-controlled buffer. This creates both memory growth and increasing parsing work.\n\n### Why this is security-relevant\n\nThe vulnerable component is a client library. The attacker does not need to authenticate to the victim system and does not need valid FTP credentials.\n\nThe attack occurs automatically when an application using `basic-ftp` connects to a malicious or compromised FTP server. The malicious response is sent as the FTP server banner before login. No additional user interaction is required after the application initiates a normal FTP connection.\n\nThis is realistic for applications that use FTP for:\n\n- scheduled imports or exports\n- customer-provided FTP endpoints\n- backup or synchronization jobs\n- CI/CD artifact mirroring\n- document ingestion pipelines\n- legacy business integrations\n\nIn those environments, one malicious or compromised FTP endpoint can cause the Node.js process using `basic-ftp` to consume excessive memory and CPU or remain stuck in a pending connection state.\n\n---\n\n## Proof of Concept\n\nThe PoC uses a local malicious FTP server that accepts a victim connection and sends an unterminated multiline FTP banner. The banner starts with `220-`, but the server never sends the required terminating `220 ` line.\n\n### Reproduction steps\n\nFrom the root of the `basic-ftp` project:\n\n```bash\nnpm ci\nnpm run buildOnly\n```\n\n[poc_control_parser_direct.js](https://github.com/user-attachments/files/27051425/poc_control_parser_direct.js)\n\n```bash\nCHUNKS=1000 node poc_control_parser_direct.js | tee poc-results/parser_direct_1000.log\n```\n\n[parser_direct_1000.log](https://github.com/user-attachments/files/27051430/parser_direct_1000.log)\n\nRun the end-to-end malicious FTP server PoC:\n\n[poc_control_multiline_dos.js](https://github.com/user-attachments/files/27051385/poc_control_multiline_dos.js)\n\n```bash\nCHUNK_SIZE=8192 CHUNKS=1000 DELAY_MS=1 node poc_control_multiline_dos.js | tee poc-results/control_multiline_dos_1000.log\n```\n\n[control_multiline_dos_1000.log](https://github.com/user-attachments/files/27051397/control_multiline_dos_1000.log)\n\n### Observed result: parser-only PoC\n\n```text\n[basic-ftp parseControlResponse incomplete multiline DoS]\nInput fed: 7.81 MiB\nRetained rest: 7.81 MiB\nInitial rss/heap: 54.77 MiB 3.69 MiB\nFinal   rss/heap: 141.64 MiB 80.77 MiB\n```\n\nThis shows that `parseControlResponse()` retained the full unterminated multiline response as `rest`.\n\nThe retained buffer grew to `7.81 MiB`. Heap usage increased from `3.69 MiB` to `80.77 MiB`, and RSS increased from `54.77 MiB` to `141.64 MiB`.\n\n### Observed result: end-to-end malicious FTP server PoC\n\n```text\n[server] listening on 127.0.0.1:34429\n[server] victim connected\n[progress] chunks=850 sent=6.6 MiB partialResponse=6.6 MiB heapUsed=227.5 MiB rss=292.4 MiB\n[progress] chunks=900 sent=7.0 MiB partialResponse=7.0 MiB heapUsed=213.1 MiB rss=278.0 MiB\n[final-before-close] chunks=1000 sent=7.8 MiB partialResponse=7.8 MiB heapUsed=82.1 MiB rss=146.8 MiB\n[result] client connect() is still pending because the multiline response never terminated\n```\n\nOnly `7.8 MiB` of malicious control-channel data was sent. The client retained `7.8 MiB` in `_partialResponse`, showed large memory spikes, and remained pending inside `connect()` because the multiline response was never terminated.\n\n---\n\n## Expected behavior\n\nThe client should enforce a maximum size for incomplete FTP control responses. If the accumulated multiline response exceeds a safe limit, the client should close the connection and reject the active task with an error.\n\nThe client should not allow a remote FTP server to make `_partialResponse` grow without bound.\n\n---\n\n## Actual behavior\n\nA malicious FTP server can keep the client in a pending connection state by sending an unterminated multiline control response. `basic-ftp` continues buffering and reparsing the accumulated data without a maximum response size.\n\n---\n\n## Impact\n\nA malicious or compromised FTP server can cause denial of service in applications using `basic-ftp`.\n\nPossible real-world impact includes:\n\n- Node.js process memory exhaustion\n- container OOM kill\n- worker crash or restart loop\n- event loop CPU pressure due to repeated reparsing\n- stuck FTP jobs\n- queue backlog in scheduled import/export systems\n- degraded availability of services relying on automated FTP ingestion\n\n---\n\n## Threat model\n\nThe attacker controls, compromises, or can impersonate an FTP server that a victim application connects to.\n\nExamples:\n\n1. A SaaS application allows customers to configure external FTP endpoints for automated imports.\n2. A backend job periodically pulls files from partner FTP servers.\n3. A document ingestion pipeline connects to FTP endpoints supplied by external users.\n4. A legacy integration uses FTP for scheduled synchronization.\n5. A build or deployment pipeline mirrors artifacts from an FTP server.\n\nIn each case, the victim application initiates a normal FTP connection. The malicious server sends an unterminated multiline banner before authentication. The vulnerable client then buffers and reparses the response indefinitely.\n\nNo FTP credentials are required for exploitation because the attack happens before login.\n\n---\n\n## Suggested fix\n\nIntroduce a maximum control response buffer size, especially for incomplete multiline responses.\n\nRecommended changes:\n\n- Add a `maxControlResponseBytes` or `maxControlResponseLength` limit.\n- Enforce the limit before or immediately after appending new control-channel data.\n- Close the connection and reject the active task when the limit is exceeded.\n- Add regression tests for unterminated multiline responses.\n\nExample defensive logic:\n\n```text\nif (completeResponse.length \u003e maxControlResponseLength) {\n    closeWithError(new Error(\"FTP control response exceeded maximum allowed size\"))\n}\n```\n\nA regression test should verify that a response beginning with `220-` and never terminating with `220 ` is rejected after the configured size limit instead of being retained indefinitely.\n\n---\n\n## Suggested regression test scenario\n\nA test server should:\n\n1. Accept a client connection.\n2. Send an FTP multiline response opener such as `220-malicious banner\\r\\n`.\n3. Continue sending additional lines without ever sending the terminating `220 ` line.\n4. Verify that the client rejects the connection once the configured response-size limit is exceeded.\n5. Verify that `_partialResponse` does not grow without bound.\n\n## Credit request\nIf you publish an advisory or assign a CVE, please credit me as:\n\nAli Firas (thesmartshadow)  - https://www.smartshadow.dev",
  "id": "GHSA-rpmf-866q-6p89",
  "modified": "2026-05-13T16:29:59Z",
  "published": "2026-05-06T19:37:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44240"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickjuchli/basic-ftp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering"
}

GHSA-RPP2-QJHG-737G

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2025-04-11 03:42
VLAI
Details

The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-03T20:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 2.6.37-rc7 allows local users to cause a denial of service (panic) via a zero-length I/O request in a device ioctl to a SCSI device, related to an unaligned map.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4163.",
  "id": "GHSA-rpp2-qjhg-737g",
  "modified": "2025-04-11T03:42:39Z",
  "published": "2022-05-13T01:23:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4668"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64496"
    },
    {
      "type": "WEB",
      "url": "https://patchwork.kernel.org/patch/363282"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=5478755616ae2ef1ce144dded589b62b2a50d575"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5478755616ae2ef1ce144dded589b62b2a50d575"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/11/29/68"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/11/29/70"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/29/1"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/30/4"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/30/7"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42890"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc7"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/45660"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.