VYPR

CWE-400

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 32 of 93
  • CVE-2026-33204 · High · Mar 20, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    SimpleJWT is a simple JSON web token library written in PHP. Prior to version 1.1.1, an unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt() on attacker-controlled JWEs using PBES2…

  • CVE-2026-33155 · High · Mar 20, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in…

  • CVE-2026-25667 · High · Mar 19, 2026
    risk 0.42 · cvss 7.5 · epss 0.03

    ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

  • CVE-2026-30405 · High · Mar 16, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXT_HOP path attribute.

  • CVE-2026-31958 · High · Mar 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this…

  • CVE-2026-32062 · High · Mar 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote…

  • CVE-2026-21619 · High · Feb 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with…

  • CVE-2025-8872 · Medium · Dec 16, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    On affected platforms running Arista EOS with OSPFv3 configured, a specially crafted packet can cause the OSPFv3 process to have high CPU utilization which may result in the OSPFv3 process being restarted. This may cause disruption in the OSPFv3 routes on the switch. This issue…

  • CVE-2025-66453 · High · Dec 3, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial…

  • CVE-2025-6176 · High · Oct 31, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less…

  • CVE-2025-62727 · High · Oct 28, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    Starlette is a lightweight ASGI framework/toolkit. Starting in version 0.39.0 and prior to version 0.49.1, an unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This…

  • CVE-2025-37148 · Medium · Oct 14, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability in the parsing of ethernet frames in AOS-8 Instant and AOS 10 could allow an unauthenticated remote attacker to conduct a denial of service attack. Successful exploitation could allow an attacker to potentially disrupt network services and require manual…

  • CVE-2025-11573 · High · Oct 9, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    An infinite loop issue in Amazon.IonDotnet library versions <v1.3.2 may allow a threat actor to cause a denial of service through a specially crafted text input. To mitigate this issue, users should upgrade to version v1.3.2. As of August 20, 2025, this library has been…

  • CVE-2025-11149 · High · Sep 30, 2025
    risk 0.42 · cvss 7.5 · epss 0.00

    This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

  • CVE-2025-55028 · Medium · Aug 19, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.

  • CVE-2025-50861 · Medium · Aug 14, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of…

  • CVE-2025-24294 · High · Jul 12, 2025
    risk 0.42 · cvss 7.5 · epss 0.01

    The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the…

  • CVE-2025-44559 · Medium · Jun 27, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK v1.4.0 allows attackers within Bluetooth range to cause a Denial of Service (DoS) via sending a specific sequence of crafted control packets.

  • CVE-2025-3112 · Medium · Jun 10, 2025
    risk 0.42 · cvss 6.5 · epss 0.01

    CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause Denial of Service when an authenticated malicious user sends manipulated HTTPS Content-Length header to the webserver.

  • CVE-2025-22892 · Medium · May 13, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Uncontrolled resource consumption for some OpenVINO™ model server software maintained by Intel(R) before version 2024.4 may allow an unauthenticated user to potentially enable denial of service via adjacent access.