CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-X3V3-8XG8-8V72
Vulnerability from github – Published: 2023-12-18 20:00 – Updated: 2023-12-28 22:03Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
- They're using Sentry instrumentation:
- they have manually registered Sentry Middleware (affected versions 7.78.0-7.86.0);
- or configured Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t disable the automatic server instrumentation (affected versions 7.82.0-7.86.0).
- They have configured routes with at least two path params (e.g.
/foo/[p1]/bar/[p2]).
Patches
The problem has been patched in @sentry/astro@7.87.0. The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are: * disable auto instrumentation if you're using Astro 3.5.0 or newer * and remove the manually added Sentry middleware (if it was added before).
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sentry/astro"
},
"ranges": [
{
"events": [
{
"introduced": "7.78.0"
},
{
"fixed": "7.87.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50249"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T20:00:55Z",
"nvd_published_at": "2023-12-20T14:15:21Z",
"severity": "HIGH"
},
"details": "### Impact\nA ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry\u0027s Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).\n\nApplications that are using Sentry\u0027s Astro SDK are affected if:\n\n1. They\u0027re using Sentry instrumentation:\n - they have [manually registered](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) Sentry Middleware (affected versions 7.78.0-7.86.0);\n - or [configured](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#configure-server-instrumentation) Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn\u2019t [disable the automatic server instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) (affected versions 7.82.0-7.86.0).\n2. They have configured routes with at least two path params (e.g. `/foo/[p1]/bar/[p2]`).\n\n### Patches\nThe problem has been patched in [@sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0).\nThe corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815\n\n### Workarounds\nWe strongly recommend upgrading to the latest SDK version. However, if it\u0027s not possible, the steps to mitigate the vulnerability without upgrade are:\n* [disable auto instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) if you\u0027re using Astro 3.5.0 or newer\n* and remove the manually added Sentry middleware (if it was [added](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) before).\n\nAfter these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can. \n\n### References\n* [Sentry docs: Manual Setup for Astro](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/)\n* [Release notes: sentry-javascript 7.87.0](https://github.com/getsentry/sentry-javascript/releases/tag/7.87.0)\n* [npm: @sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0)",
"id": "GHSA-x3v3-8xg8-8v72",
"modified": "2023-12-28T22:03:19Z",
"published": "2023-12-18T20:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50249"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/pull/9815"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
},
{
"type": "WEB",
"url": "https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry-javascript"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@sentry/astro/v/7.87.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sentry\u0027s Astro SDK vulnerable to ReDoS"
}
GHSA-X3WF-9MWG-HM4V
Vulnerability from github – Published: 2025-10-21 21:33 – Updated: 2025-10-21 21:33Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
{
"affected": [],
"aliases": [
"CVE-2025-53042"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-21T20:20:41Z",
"severity": "MODERATE"
},
"details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).",
"id": "GHSA-x3wf-9mwg-hm4v",
"modified": "2025-10-21T21:33:41Z",
"published": "2025-10-21T21:33:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53042"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X466-M8CX-8P3M
Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-22 18:34IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2026-9071"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T16:16:43Z",
"severity": "HIGH"
},
"details": "IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.",
"id": "GHSA-x466-m8cx-8p3m",
"modified": "2026-06-22T18:34:16Z",
"published": "2026-06-22T18:34:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9071"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7276579"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4HH-FRX8-98R5
Vulnerability from github – Published: 2024-02-01 20:53 – Updated: 2024-10-17 19:47Impacted Resources
bref/src/Event/Http/Psr7Bridge.php:94-125
Description
When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object.
During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in /tmp with a random filename starting with bref_upload_.
The function implementing the logic follows:
private static function parseBodyAndUploadedFiles(HttpRequestEvent $event): array
{
$bodyString = $event->getBody();
$files = [];
$parsedBody = null;
$contentType = $event->getContentType();
if ($contentType !== null && $event->getMethod() === 'POST') {
if (str_starts_with($contentType, 'application/x-www-form-urlencoded')) {
parse_str($bodyString, $parsedBody);
} else {
$document = new Part("Content-type: $contentType\r\n\r\n" . $bodyString);
if ($document->isMultiPart()) {
$parsedBody = [];
foreach ($document->getParts() as $part) {
if ($part->isFile()) {
$tmpPath = tempnam(sys_get_temp_dir(), 'bref_upload_');
if ($tmpPath === false) {
throw new RuntimeException('Unable to create a temporary directory');
}
file_put_contents($tmpPath, $part->getBody());
$file = new UploadedFile($tmpPath, filesize($tmpPath), UPLOAD_ERR_OK, $part->getFileName(), $part->getMimeType());
self::parseKeyAndInsertValueInArray($files, $part->getName(), $file);
} else {
self::parseKeyAndInsertValueInArray($parsedBody, $part->getName(), $part->getBody());
}
}
}
}
}
return [$files, $parsedBody];
}
The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed.
Impact
An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files.
The attack has the following requirements and limitations:
- The Lambda should use the Event-Driven Function runtime.
- The Lambda should use the RequestHandlerInterface handler.
- The Lambda should implement at least an endpoint accepting POST requests.
- The attacker can send requests up to 6MB long, so multiple requests are required to fill the disk (the default Lambda disk size is 512MB, therefore with less than 100 requests the disk could be filled).
PoC
- Create a new Bref project.
- Create an
index.phpfile with the following content:
<?php
namespace App;
require __DIR__ . '/vendor/autoload.php';
use Nyholm\Psr7\Response;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
class MyHttpHandler implements RequestHandlerInterface
{
public function handle(ServerRequestInterface $request): ResponseInterface
{
return new Response(200, [], exec("ls -lah /tmp/bref_upload* | wc -l"));
}
}
return new MyHttpHandler();
- Use the following
serverless.ymlto deploy the Lambda:
service: app
provider:
name: aws
region: eu-central-1
plugins:
- ./vendor/bref/bref
# Exclude files from deployment
package:
patterns:
- '!node_modules/**'
- '!tests/**'
functions:
api:
handler: index.php
runtime: php-83
events:
- httpApi: 'ANY /upload'
- Replay the following request multiple times after having replaced the
<HOST>placeholder with the deployed Lambda domain:
POST /upload HTTP/2
Host: <HOST>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Length: 180
------WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Disposition: form-data; name="a"; filename="a.txt"
Content-Type: text/plain
test
------WebKitFormBoundaryQqDeSZSSvmn2rfjb--
- Notice that each time the request is sent the number of the uploaded temporary files on the disk increases.
Suggested Remediation
Delete the temporary files after the request has been processed and the response have been generated.
References
- https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "bref/bref"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-24752"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-01T20:53:03Z",
"nvd_published_at": "2024-02-01T16:17:14Z",
"severity": "MODERATE"
},
"details": "## Impacted Resources\n\nbref/src/Event/Http/Psr7Bridge.php:94-125\n\n## Description\n\nWhen Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object.\nDuring the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`.\n\nThe function implementing the logic follows:\n\n```php\nprivate static function parseBodyAndUploadedFiles(HttpRequestEvent $event): array\n{\n $bodyString = $event-\u003egetBody();\n $files = [];\n $parsedBody = null;\n $contentType = $event-\u003egetContentType();\n if ($contentType !== null \u0026\u0026 $event-\u003egetMethod() === \u0027POST\u0027) {\n if (str_starts_with($contentType, \u0027application/x-www-form-urlencoded\u0027)) {\n parse_str($bodyString, $parsedBody);\n } else {\n $document = new Part(\"Content-type: $contentType\\r\\n\\r\\n\" . $bodyString);\n if ($document-\u003eisMultiPart()) {\n $parsedBody = [];\n foreach ($document-\u003egetParts() as $part) {\n if ($part-\u003eisFile()) {\n $tmpPath = tempnam(sys_get_temp_dir(), \u0027bref_upload_\u0027);\n if ($tmpPath === false) {\n throw new RuntimeException(\u0027Unable to create a temporary directory\u0027);\n }\n file_put_contents($tmpPath, $part-\u003egetBody());\n $file = new UploadedFile($tmpPath, filesize($tmpPath), UPLOAD_ERR_OK, $part-\u003egetFileName(), $part-\u003egetMimeType());\n\n self::parseKeyAndInsertValueInArray($files, $part-\u003egetName(), $file);\n } else {\n self::parseKeyAndInsertValueInArray($parsedBody, $part-\u003egetName(), $part-\u003egetBody());\n }\n }\n }\n }\n }\n return [$files, $parsedBody];\n}\n```\n\nThe flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed.\n\n## Impact\n\nAn attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files.\nThe attack has the following requirements and limitations:\n- The Lambda should use the Event-Driven Function runtime.\n- The Lambda should use the `RequestHandlerInterface` handler.\n- The Lambda should implement at least an endpoint accepting POST requests.\n- The attacker can send requests up to 6MB long, so multiple requests are required to fill the disk (the default Lambda disk size is 512MB, therefore with less than 100 requests the disk could be filled).\n\n## PoC\n\n1. Create a new Bref project.\n2. Create an `index.php` file with the following content:\n```php\n\u003c?php\n\nnamespace App;\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\nuse Nyholm\\Psr7\\Response;\nuse Psr\\Http\\Message\\ResponseInterface;\nuse Psr\\Http\\Message\\ServerRequestInterface;\nuse Psr\\Http\\Server\\RequestHandlerInterface;\n\nclass MyHttpHandler implements RequestHandlerInterface\n{\n public function handle(ServerRequestInterface $request): ResponseInterface\n {\n return new Response(200, [], exec(\"ls -lah /tmp/bref_upload* | wc -l\"));\n }\n}\n\nreturn new MyHttpHandler();\n\n```\n3. Use the following `serverless.yml` to deploy the Lambda:\n```yaml\nservice: app\n\nprovider:\n name: aws\n region: eu-central-1\n\nplugins:\n - ./vendor/bref/bref\n\n# Exclude files from deployment\npackage:\n patterns:\n - \u0027!node_modules/**\u0027\n - \u0027!tests/**\u0027\n\nfunctions:\n api:\n handler: index.php\n runtime: php-83\n events:\n - httpApi: \u0027ANY /upload\u0027\n```\n4. Replay the following request multiple times after having replaced the `\u003cHOST\u003e` placeholder with the deployed Lambda domain:\n```\nPOST /upload HTTP/2\nHost: \u003cHOST\u003e\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Length: 180\n\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb\nContent-Disposition: form-data; name=\"a\"; filename=\"a.txt\"\nContent-Type: text/plain\n\ntest\n------WebKitFormBoundaryQqDeSZSSvmn2rfjb--\n```\n5. Notice that each time the request is sent the number of the uploaded temporary files on the disk increases.\n\n## Suggested Remediation\n\nDelete the temporary files after the request has been processed and the response have been generated.\n\n## References\n\n- https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html",
"id": "GHSA-x4hh-frx8-98r5",
"modified": "2024-10-17T19:47:24Z",
"published": "2024-02-01T20:53:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24752"
},
{
"type": "WEB",
"url": "https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e"
},
{
"type": "PACKAGE",
"url": "https://github.com/brefphp/bref"
},
{
"type": "WEB",
"url": "https://github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php#L94-L125"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Bref\u0027s Uploaded Files Not Deleted in Event-Driven Functions"
}
GHSA-X4HP-Q863-HC8M
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
{
"affected": [],
"aliases": [
"CVE-2022-26498"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T05:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.",
"id": "GHSA-x4hp-q863-hc8m",
"modified": "2022-04-23T00:03:22Z",
"published": "2022-04-16T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26498"
},
{
"type": "WEB",
"url": "https://downloads.asterisk.org/pub/security"
},
{
"type": "WEB",
"url": "https://downloads.asterisk.org/pub/security/AST-2022-001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5285"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4P5-HG55-839V
Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2024-07-05 18:34Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2024-22104"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-02T15:15:11Z",
"severity": "MODERATE"
},
"details": "Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS).",
"id": "GHSA-x4p5-hg55-839v",
"modified": "2024-07-05T18:34:15Z",
"published": "2024-07-02T21:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22104"
},
{
"type": "WEB",
"url": "https://jungo.com/windriver/versions"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-04"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-001_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4VP-4235-65HG
Vulnerability from github – Published: 2026-03-03 21:18 – Updated: 2026-03-20 21:13Impact
OpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).
Affected Packages / Versions
- Package:
openclaw(npm) - Affected releases:
<= 2026.3.1 - Latest published vulnerable version at triage time:
2026.3.1(npm) - Fixed release:
2026.3.2(released)
Fix Commit(s)
d3e8b17aa6432536806b4853edc7939d891d0f25
Mitigation
Upgrade to 2026.3.2 (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32011"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:18:39Z",
"nvd_published_at": "2026-03-19T22:16:34Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nOpenClaw webhook handlers for BlueBubbles and Google Chat accepted and parsed request bodies before authentication and signature checks on vulnerable releases. This allowed unauthenticated clients to hold parser work open with slow/oversized request bodies and degrade availability (slow-request DoS).\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected releases: `\u003c= 2026.3.1`\n- Latest published vulnerable version at triage time: `2026.3.1` (npm)\n- Fixed release: `2026.3.2` (released)\n\n## Fix Commit(s)\n\n- `d3e8b17aa6432536806b4853edc7939d891d0f25`\n\n## Mitigation\n\nUpgrade to `2026.3.2` (or newer). The fix enforces auth-before-body for affected webhook paths, adds strict pre-auth body/time budgets, and introduces shared in-flight/request guardrails with regression coverage.",
"id": "GHSA-x4vp-4235-65hg",
"modified": "2026-03-20T21:13:02Z",
"published": "2026-03-03T21:18:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32011"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has pre-auth webhook body parsing that can enable unauthenticated slow-request DoS"
}
GHSA-X56G-74Q4-X3XC
Vulnerability from github – Published: 2021-12-14 00:00 – Updated: 2022-07-13 00:01An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.
{
"affected": [],
"aliases": [
"CVE-2021-39932"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes.",
"id": "GHSA-x56g-74q4-x3xc",
"modified": "2022-07-13T00:01:38Z",
"published": "2021-12-14T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39932"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39932.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/217360"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X586-4JJM-7HC5
Vulnerability from github – Published: 2024-07-31 00:30 – Updated: 2024-07-31 00:30An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
{
"affected": [],
"aliases": [
"CVE-2024-37281"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T22:15:01Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.",
"id": "GHSA-x586-4jjm-7hc5",
"modified": "2024-07-31T00:30:42Z",
"published": "2024-07-31T00:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37281"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/kibana-7-17-23-8-14-0-security-update-esa-2024-16/364094"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5GF-QVW8-R2RM
Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2026-05-20 02:06A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pm2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5891"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-10T22:52:17Z",
"nvd_published_at": "2025-06-09T19:15:25Z",
"severity": "LOW"
},
"details": "A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-x5gf-qvw8-r2rm",
"modified": "2026-05-20T02:06:26Z",
"published": "2025-06-09T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5891"
},
{
"type": "WEB",
"url": "https://github.com/Unitech/pm2/issues/6075"
},
{
"type": "WEB",
"url": "https://github.com/Unitech/pm2/pull/5971"
},
{
"type": "WEB",
"url": "https://github.com/Unitech/pm2/commit/8b9354800a1d157cb9503a3ec414ef1e4700dc1c"
},
{
"type": "WEB",
"url": "https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385"
},
{
"type": "PACKAGE",
"url": "https://github.com/Unitech/pm2"
},
{
"type": "WEB",
"url": "https://github.com/Unitech/pm2/blob/ba62cae9b9b7116ee758b70f538919a52515fa26/CHANGELOG.md?plain=1#L36"
},
{
"type": "WEB",
"url": "https://github.com/Unitech/pm2/releases/tag/v7.0.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.311662"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.311662"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.585750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "pm2 Regular Expression Denial of Service vulnerability"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.