CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5423 vulnerabilities reference this CWE, most recent first.
GHSA-W28C-CGXF-W8GV
Vulnerability from github – Published: 2023-07-19 21:30 – Updated: 2024-04-04 06:17DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response
{
"affected": [],
"aliases": [
"CVE-2023-3782"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T21:15:10Z",
"severity": "MODERATE"
},
"details": "DoS of the OkHttp client when using a BrotliInterceptor and surfing to a malicious web server, or when an attacker can perform MitM to inject a Brotli zip-bomb into an HTTP response\n\n",
"id": "GHSA-w28c-cgxf-w8gv",
"modified": "2024-04-04T06:17:19Z",
"published": "2023-07-19T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3782"
},
{
"type": "WEB",
"url": "https://github.com/square/okhttp/issues/7738"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/okhttp-client-brotli-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W28R-7QW2-GHQC
Vulnerability from github – Published: 2023-10-09 12:30 – Updated: 2024-04-04 08:26Mattermost fails to deduplicate input IDs allowing a simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs.
{
"affected": [],
"aliases": [
"CVE-2023-5333"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T11:15:11Z",
"severity": "MODERATE"
},
"details": "Mattermost fails to deduplicate input IDs allowing a\u00a0simple user to cause the application to consume excessive resources and possibly crash by sending a specially crafted request to /api/v4/users/ids with multiple identical IDs. \n\n",
"id": "GHSA-w28r-7qw2-ghqc",
"modified": "2024-04-04T08:26:07Z",
"published": "2023-10-09T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5333"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W2CG-VXX6-5XJG
Vulnerability from github – Published: 2026-02-18 00:52 – Updated: 2026-03-06 01:03Summary
Base64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.
Attack Scenario Notes
- Recommended deployments bind the gateway to loopback by default and require gateway auth for HTTP endpoints. In that configuration, this is best modeled as a local/authorized DoS.
- If an operator exposes the gateway to untrusted networks (or disables/weakens auth and rate limits), treat this as a higher-severity network DoS risk.
Affected Packages / Versions
- openclaw (npm): <= 2026.2.13
- clawdbot (npm): <= 2026.1.24-3
Fixed In
- openclaw (npm): 2026.2.14 (planned)
- clawdbot (npm): no patched release planned; migrate to openclaw
Fix Commit(s)
- 31791233d60495725fa012745dde8d6ee69e9595
Credits
Thanks @vincentkoc for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "clawdbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2026.1.24-3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29612"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T00:52:36Z",
"nvd_published_at": "2026-03-05T22:16:24Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nBase64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.\n\n## Attack Scenario Notes\n\n- Recommended deployments bind the gateway to loopback by default and require gateway auth for HTTP endpoints. In that configuration, this is best modeled as a local/authorized DoS.\n- If an operator exposes the gateway to untrusted networks (or disables/weakens auth and rate limits), treat this as a higher-severity network DoS risk.\n\n## Affected Packages / Versions\n\n- openclaw (npm): \u003c= 2026.2.13\n- clawdbot (npm): \u003c= 2026.1.24-3\n\n## Fixed In\n\n- openclaw (npm): 2026.2.14 (planned)\n- clawdbot (npm): no patched release planned; migrate to openclaw\n\n## Fix Commit(s)\n\n- 31791233d60495725fa012745dde8d6ee69e9595\n\n## Credits\nThanks @vincentkoc for reporting.",
"id": "GHSA-w2cg-vxx6-5xjg",
"modified": "2026-03-06T01:03:12Z",
"published": "2026-02-18T00:52:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks"
}
GHSA-W2F5-45XV-7R8H
Vulnerability from github – Published: 2025-05-15 21:31 – Updated: 2025-05-15 21:31Dell PowerScale OneFS, versions 9.4.0.0 through 9.9.0.0, contains an uncontrolled resource consumption vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-26481"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-15T19:15:56Z",
"severity": "HIGH"
},
"details": "Dell PowerScale OneFS, versions 9.4.0.0 through 9.9.0.0, contains an uncontrolled resource consumption vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to denial of service.",
"id": "GHSA-w2f5-45xv-7r8h",
"modified": "2025-05-15T21:31:26Z",
"published": "2025-05-15T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26481"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000256645/dsa-2024-453-security-update-for-dell-powerscale-onefs-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2FM-2CPV-W7V5
Vulnerability from github – Published: 2026-04-01 19:45 – Updated: 2026-04-06 16:46Summary
Insufficient restrictions in header/trailer handling could cause uncapped memory usage.
Impact
An application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.
Patch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.3"
},
"package": {
"ecosystem": "PyPI",
"name": "aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22815"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T19:45:17Z",
"nvd_published_at": "2026-04-01T21:16:58Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nInsufficient restrictions in header/trailer handling could cause uncapped memory usage.\n\n### Impact\n\nAn application could cause memory exhaustion when receiving an attacker controlled request or response. A vulnerable web application could mitigate these risks with a typical reverse proxy configuration.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36",
"id": "GHSA-w2fm-2cpv-w7v5",
"modified": "2026-04-06T16:46:33Z",
"published": "2026-04-01T19:45:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-w2fm-2cpv-w7v5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22815"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/commit/0c2e9da51126238a421568eb7c5b53e5b5d17b36"
},
{
"type": "PACKAGE",
"url": "https://github.com/aio-libs/aiohttp"
},
{
"type": "WEB",
"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "aiohttp allows unlimited trailer headers, leading to possible uncapped memory usage"
}
GHSA-W2GH-FR9P-56V5
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-07-13 00:00ZTE's SDON controller is impacted by the resource management error vulnerability. When RPC is frequently called by other applications in the case of mass traffic data in the system, it will result in no response for a long time and memory overflow risk. This affects: ZENIC ONE R22b versions V16.19.10P02SP002 and V16.19.10P02SP005.
{
"affected": [],
"aliases": [
"CVE-2020-6867"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-30T22:15:00Z",
"severity": "LOW"
},
"details": "ZTE\u0027s SDON controller is impacted by the resource management error vulnerability. When RPC is frequently called by other applications in the case of mass traffic data in the system, it will result in no response for a long time and memory overflow risk. This affects: ZENIC ONE R22b versions V16.19.10P02SP002 and V16.19.10P02SP005.",
"id": "GHSA-w2gh-fr9p-56v5",
"modified": "2022-07-13T00:00:52Z",
"published": "2022-05-24T17:17:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6867"
},
{
"type": "WEB",
"url": "http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1012842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2PG-HW7V-F7M9
Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-06-30 03:35A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
{
"affected": [],
"aliases": [
"CVE-2025-59465"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T21:16:04Z",
"severity": "HIGH"
},
"details": "A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:\n```\nserver.on(\u0027secureConnection\u0027, socket =\u003e {\n socket.on(\u0027error\u0027, err =\u003e {\n console.log(err)\n })\n})\n```",
"id": "GHSA-w2pg-hw7v-f7m9",
"modified": "2026-06-30T03:35:27Z",
"published": "2026-01-20T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59465"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59465.json"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431349"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-59465"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7387"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7386"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6402"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2864"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2783"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2781"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2768"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2422"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2421"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:2420"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:1842"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2QC-22JV-44G8
Vulnerability from github – Published: 2023-10-23 09:30 – Updated: 2025-02-13 18:31An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2023-43622"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T07:15:11Z",
"severity": "HIGH"
},
"details": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.",
"id": "GHSA-w2qc-22jv-44g8",
"modified": "2025-02-13T18:31:57Z",
"published": "2023-10-23T09:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43622"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231027-0011"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W2QP-8FJ2-5G53
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-14 00:03A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. This vulnerability is due to insufficient error handling in the local malware analysis process of an affected device. An attacker could exploit this vulnerability by sending a crafted file through the device. A successful exploit could allow the attacker to cause the local malware analysis process to crash, which could result in a DoS condition. Notes: Manual intervention may be required to recover from this situation. Malware cloud lookup and dynamic analysis will not be impacted.
{
"affected": [],
"aliases": [
"CVE-2022-20748"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-664",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T04:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the local malware analysis process of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected device. This vulnerability is due to insufficient error handling in the local malware analysis process of an affected device. An attacker could exploit this vulnerability by sending a crafted file through the device. A successful exploit could allow the attacker to cause the local malware analysis process to crash, which could result in a DoS condition. Notes: Manual intervention may be required to recover from this situation. Malware cloud lookup and dynamic analysis will not be impacted.",
"id": "GHSA-w2qp-8fj2-5g53",
"modified": "2022-05-14T00:03:41Z",
"published": "2022-05-04T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20748"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-amp-local-dos-CUfwRJXT"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W2RG-V998-6982
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-05-24 17:18A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-13152"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-20T13:15:00Z",
"severity": "MODERATE"
},
"details": "A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.",
"id": "GHSA-w2rg-v998-6982",
"modified": "2022-05-24T17:18:11Z",
"published": "2022-05-24T17:18:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13152"
},
{
"type": "WEB",
"url": "https://r00texpl0it.wordpress.com/2020/05/20/kde-amarok-2-8-0-allows-remote-attackers-to-cause-a-denial-of-service"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/159898/Amarok-2.8.0-Denial-Of-Service.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.