Common Weakness Enumeration

CWE-834

Discouraged

Excessive Iteration

Abstraction: Class · Status: Incomplete

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

124 vulnerabilities reference this CWE, most recent first.

GHSA-MJ87-HWQH-73PJ

Vulnerability from github – Published: 2026-04-15 19:45 – Updated: 2026-04-24 20:51
VLAI
Summary
python-multipart affected by Denial of Service via large multipart preamble or epilogue data
Details

Summary

A denial of service vulnerability exists when parsing crafted multipart/form-data requests with large preamble or epilogue sections.

Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.

Impact

An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.

Mitigation

Upgrade to version 0.0.26 or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-15T19:45:44Z",
    "nvd_published_at": "2026-04-18T00:16:38Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.\n\n### Details\n\nTwo inefficient multipart parsing paths could be abused with attacker-controlled input.\n\nBefore the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary.\n\n### Impact\n\nAn attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application.\n\n### Mitigation\n\nUpgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.",
  "id": "GHSA-mj87-hwqh-73pj",
  "modified": "2026-04-24T20:51:11Z",
  "published": "2026-04-15T19:45:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-mj87-hwqh-73pj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40347"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kludex/python-multipart"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/releases/tag/0.0.26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-multipart affected by Denial of Service via large multipart preamble or epilogue data"
}

GHSA-P3VC-36G9-X9GR

Vulnerability from github – Published: 2026-06-15 16:52 – Updated: 2026-06-15 16:52
VLAI
Summary
@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
Details

A Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits.

When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.

Impact

Successful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):

  • Server-Side Rendering (SSR): In applications using SSR (e.g., @angular/ssr), an attacker can crash the Node.js server process due to a JavaScript heap out of memory error. This affects the availability of the application for all users.
  • Client-Side Rendering (CSR): In standard client-side applications, the unbounded loop will block the main thread, freezing the user's browser tab and making it unresponsive.

Attack Preconditions

For this vulnerability to be exploitable, the following conditions must be met:

  1. Vulnerable Component Usage: The application must use Angular's number formatting utilities, such as the formatNumber function directly, or via template pipes (DecimalPipe, PercentPipe, CurrencyPipe).
  2. Attacker-Controlled Parameter: The digitsInfo parameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). If digitsInfo is trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.

Patches

  • 22.0.0-rc.2
  • 21.2.15
  • 20.3.22
  • 19.2.23

Credits

This vulnerability was discovered and reported by CodeMender from Google DeepMind.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-rc.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0-next.0"
            },
            {
              "fixed": "19.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "18.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T16:52:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of Angular. The `formatNumber` function, which is also utilized by `DecimalPipe`, `PercentPipe`, and `CurrencyPipe`, does not properly validate the upper bounds of the `digitsInfo` parameter. Specifically, the minimum and maximum fraction digits parsed from the `digitsInfo` string (e.g., `1.2-4`) are converted to integers and used without limits.\n\nWhen parsing a maliciously crafted `digitsInfo` string with excessively large fraction digit values (e.g., `1.200000000-200000000`), the internal `roundNumber` function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.\n\n### Impact\n\nSuccessful exploitation of this vulnerability allows an attacker to trigger resource exhaustion, leading to a Denial of Service (DoS):\n\n* **Server-Side Rendering (SSR):** In applications using SSR (e.g., `@angular/ssr`), an attacker can crash the Node.js server process due to a `JavaScript heap out of memory` error. This affects the availability of the application for all users.  \n* **Client-Side Rendering (CSR):** In standard client-side applications, the unbounded loop will block the main thread, freezing the user\u0027s browser tab and making it unresponsive.\n\n### Attack Preconditions\n\nFor this vulnerability to be exploitable, the following conditions must be met:\n\n1. **Vulnerable Component Usage:** The application must use Angular\u0027s number formatting utilities, such as the `formatNumber` function directly, or via template pipes (`DecimalPipe`, `PercentPipe`, `CurrencyPipe`).  \n2. **Attacker-Controlled Parameter:** The `digitsInfo` parameter passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preference settings, or API responses that accept user-defined formatting options). If `digitsInfo` is trusted or limited to a known, defined range for its value, the vulnerability is not exploitable by external attackers.\n\n### Patches\n- 22.0.0-rc.2\n- 21.2.15\n- 20.3.22\n- 19.2.23\n\n### Credits\nThis vulnerability was discovered and reported by [CodeMender from Google DeepMind](https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/).",
  "id": "GHSA-p3vc-36g9-x9gr",
  "modified": "2026-06-15T16:52:30Z",
  "published": "2026-06-15T16:52:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/pull/68840"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)"
}

GHSA-PG75-V6FP-8Q59

Vulnerability from github – Published: 2023-08-01 20:16 – Updated: 2023-08-01 20:16
VLAI
Summary
Keylime's registrar vulnerable to Denial-of-service attack via a single open connection
Details

Impact

Keylime registrar is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port 8891) blocking further, legitimate connections. As long as the connection is open, the registrar is blocked and cannot serve any further clients (agents and tenants), which prevents normal operation. The problem does not affect the verifier.

Patches

Users should upgrade to release 7.4.0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keylime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-01T20:16:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nKeylime `registrar` is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port `8891`) blocking further, legitimate connections. As long as the connection is open, the `registrar` is blocked and cannot serve any further clients (`agents` and `tenants`), which prevents normal operation. The problem does not affect the `verifier`.\n\n### Patches\nUsers should upgrade to release 7.4.0",
  "id": "GHSA-pg75-v6fp-8q59",
  "modified": "2023-08-01T20:16:29Z",
  "published": "2023-08-01T20:16:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keylime/keylime/security/advisories/GHSA-pg75-v6fp-8q59"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keylime/keylime/pull/1421"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keylime/keylime/commit/c68d8f0b7ea549c12b6956ab0f3c28ae0360ae17"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-38200"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222692"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keylime/keylime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keylime/keylime/releases/tag/v7.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keylime\u0027s registrar vulnerable to Denial-of-service attack via a single open connection"
}

GHSA-PMC4-9968-JRP7

Vulnerability from github – Published: 2021-12-31 00:00 – Updated: 2025-11-04 00:30
VLAI
Details

Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-772",
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-30T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-pmc4-9968-jrp7",
  "modified": "2025-11-04T00:30:30Z",
  "published": "2021-12-31T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4190"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-4190.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/17811"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6XGBKWSQFCVYUN4ZK3O3NJIFP3OAFVT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5AEK3XTOIOGCGUILUFISMGX54YJXWGJ"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-04"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2021-22.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PMW9-567P-68PC

Vulnerability from github – Published: 2022-10-31 18:45 – Updated: 2023-10-02 11:15
VLAI
Summary
OctoRPKI crashes when max iterations is reached
Details

Impact

Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.

Specific Go Packages Affected

github.com/cloudflare/cfrpki/cmd/octorpki

Patches

This issue is fixed in v1.4.4

Workarounds

None.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudflare/cfrpki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754",
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-31T18:45:43Z",
    "nvd_published_at": "2022-10-28T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAttackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.\n\n### Specific Go Packages Affected\ngithub.com/cloudflare/cfrpki/cmd/octorpki\n\n### Patches\nThis issue is fixed in v1.4.4\n\n### Workarounds\nNone.",
  "id": "GHSA-pmw9-567p-68pc",
  "modified": "2023-10-02T11:15:21Z",
  "published": "2022-10-31T18:45:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-pmw9-567p-68pc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3616"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/cfrpki/commit/5f64bcd13477b29cd7ddff6fff3c65dfac3423ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/cfrpki"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OctoRPKI crashes when max iterations is reached"
}

GHSA-PMWJ-R76W-M8F7

Vulnerability from github – Published: 2024-08-22 06:30 – Updated: 2024-08-22 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Add schedule points in batch ops

syzbot reported various soft lockups caused by bpf batch operations.

INFO: task kworker/1:1:27 blocked for more than 140 seconds. INFO: task hung in rcu_barrier

Nothing prevents batch ops to process huge amount of data, we need to add schedule points in them.

Note that maybe_wait_bpf_programs(map) calls from generic_map_delete_batch() can be factorized by moving the call after the loop.

This will be done later in -next tree once we get this fix merged, unless there is strong opinion doing this optimization sooner.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48939"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T04:15:17Z",
    "severity": "LOW"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add schedule points in batch ops\n\nsyzbot reported various soft lockups caused by bpf batch operations.\n\n INFO: task kworker/1:1:27 blocked for more than 140 seconds.\n INFO: task hung in rcu_barrier\n\nNothing prevents batch ops to process huge amount of data,\nwe need to add schedule points in them.\n\nNote that maybe_wait_bpf_programs(map) calls from\ngeneric_map_delete_batch() can be factorized by moving\nthe call after the loop.\n\nThis will be done later in -next tree once we get this fix merged,\nunless there is strong opinion doing this optimization sooner.",
  "id": "GHSA-pmwj-r76w-m8f7",
  "modified": "2024-08-22T21:31:29Z",
  "published": "2024-08-22T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48939"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75134f16e7dd0007aa474b281935c5f42e79f2c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e8099967d0e3ff9d1ae043e80b27fbe46c08417"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ef94bfb08fb9e73defafbd5ddef6b5a0e2ee12b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8628f489b749a4f9767991631921dbe3fbcdc784"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3CF-46PW-53QV

Vulnerability from github – Published: 2022-05-13 01:12 – Updated: 2022-05-13 01:12
VLAI
Details

In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted NSV file, which claims a large "table_entries_used" field in the header but does not contain sufficient backing data, is provided, the loop over 'table_entries_used' would consume huge CPU resources, since there is no EOF check inside the loop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-07T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NSVf_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted NSV file, which claims a large \"table_entries_used\" field in the header but does not contain sufficient backing data, is provided, the loop over \u0027table_entries_used\u0027 would consume huge CPU resources, since there is no EOF check inside the loop.",
  "id": "GHSA-q3cf-46pw-53qv",
  "modified": "2022-05-13T01:12:14Z",
  "published": "2022-05-13T01:12:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14171"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/c24bcb553650b91e9eff15ef6e54ca73de2453b7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3996"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/100706"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q67R-2P55-6V2V

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2025-11-04 00:30
VLAI
Details

Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and allows denial of service via packet injection or crafted capture file",
  "id": "GHSA-q67r-2p55-6v2v",
  "modified": "2025-11-04T00:30:35Z",
  "published": "2023-01-26T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0411"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0411.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/18711"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/18720"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/18737"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2023-06.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ8W-GFJ5-8C6V

Vulnerability from github – Published: 2026-03-27 18:18 – Updated: 2026-05-21 18:30
VLAI
Summary
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Details

Impact

What kind of vulnerability is it?

It is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.

Who is impacted?

Applications that use serialize-javascript to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to Prototype Pollution or handles untrusted data via YAML Deserialization, as these could be used to inject the malicious object.

Patches

Has the problem been patched?

Yes, the issue has been patched by replacing instanceof Array checks with Array.isArray() and using Object.keys() for sparse array detection.

What versions should users upgrade to?

Users should upgrade to v7.0.5 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no direct code-level workaround within the library itself. However, users can mitigate the risk by:

  • Validating and sanitizing all input before passing it to the serialize() function.
  • Ensuring the environment is protected against Prototype Pollution.
  • Upgrading to v7.0.5 as soon as possible.

Acknowledgements

Serialize JavaScript thanks Tomer Aberbach (@TomerAberbach) for discovering and privately disclosing this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "serialize-javascript"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "7.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-834"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T18:18:54Z",
    "nvd_published_at": "2026-03-31T03:15:58Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n**What kind of vulnerability is it?**\n\nIt is a **Denial of Service (DoS)** vulnerability caused by CPU exhaustion. When serializing a specially crafted \"array-like\" object (an object that inherits from `Array.prototype` but has a very large `length` property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely.\n\n**Who is impacted?**\n\nApplications that use `serialize-javascript` to serialize untrusted or user-controlled objects are at risk. While direct exploitation is difficult, it becomes a high-priority threat if the application is also vulnerable to **Prototype Pollution** or handles untrusted data via **YAML Deserialization**, as these could be used to inject the malicious object.\n\n### Patches\n\n**Has the problem been patched?**\n\nYes, the issue has been patched by replacing `instanceof Array` checks with `Array.isArray()` and using `Object.keys()` for sparse array detection.\n\n**What versions should users upgrade to?**\n\nUsers should upgrade to **`v7.0.5`** or later.\n\n### Workarounds\n\n**Is there a way for users to fix or remediate the vulnerability without upgrading?**\n\nThere is no direct code-level workaround within the library itself. However, users can mitigate the risk by:\n\n* Validating and sanitizing all input before passing it to the `serialize()` function.\n* Ensuring the environment is protected against Prototype Pollution.\n* Upgrading to **`v7.0.5`** as soon as possible.\n\n### Acknowledgements\n\nSerialize JavaScript thanks **Tomer Aberbach** (@TomerAberbach) for discovering and privately disclosing this issue.",
  "id": "GHSA-qj8w-gfj5-8c6v",
  "modified": "2026-05-21T18:30:13Z",
  "published": "2026-03-27T18:18:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yahoo/serialize-javascript"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yahoo/serialize-javascript/releases/tag/v5.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects"
}

GHSA-QJRH-4WFQ-MWGP

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mp4 file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-9253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-834"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-27T12:29:00Z",
    "severity": "HIGH"
  },
  "details": "The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted mp4 file.",
  "id": "GHSA-qjrh-4wfq-mwgp",
  "modified": "2022-05-13T01:47:51Z",
  "published": "2022-05-13T01:47:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9253"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2017/Jun/32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.