CWE-400
Uncontrolled Resource Consumption
Description
The product does not properly control the allocation and maintenance of a limited resource.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-147 · CAPEC-227 · CAPEC-492
CVEs mapped to this weakness (1,853)
page 33 of 93| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-31210 | Med | 0.42 | 6.5 | 0.00 | May 12, 2025 | The issue was addressed with improved UI. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7. Processing web content may lead to a denial-of-service. | ||
| CVE-2025-47270 | Hig | 0.42 | 7.5 | 0.01 | May 12, 2025 | nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The `nimiq-network-libp2p` subcrate of nimiq/core-rs-albatross is vulnerable to a Denial of Service (DoS) attack due to uncontrolled memory… | ||
| CVE-2025-2820 | — | Med | 0.42 | 6.5 | 0.00 | Mar 26, 2025 | An authenticated attacker can compromise the availability of the device via the network | |
| CVE-2024-10188 | Hig | 0.42 | 7.5 | 0.01 | Mar 20, 2025 | A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python… | ||
| CVE-2025-27421 | — | Hig | 0.42 | 7.5 | 0.00 | Mar 3, 2025 | Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly… | |
| CVE-2024-54658 | Med | 0.42 | 6.5 | 0.01 | Feb 10, 2025 | The issue was addressed with improved memory handling. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, watchOS 10.4. Processing web content may lead to a denial-of-service. | ||
| CVE-2024-57085 | Hig | 0.42 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57079 | Hig | 0.42 | 7.5 | 0.00 | Feb 5, 2025 | A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | ||
| CVE-2024-57075 | — | Hig | 0.42 | 7.5 | 0.01 | Feb 5, 2025 | A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |
| CVE-2024-12698 | — | Med | 0.42 | 6.5 | 0.00 | Dec 18, 2024 | An incomplete fix for ose-olm-catalogd-container was issued for the Rapid Reset Vulnerability (CVE-2023-39325/CVE-2023-44487) where only unauthenticated streams were protected, not streams created by authenticated sources. | |
| CVE-2024-12254 | Hig | 0.42 | 7.5 | 0.02 | Dec 6, 2024 | Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically… | ||
| CVE-2023-1973 | Hig | 0.42 | 7.5 | 0.01 | Nov 7, 2024 | A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory. | ||
| CVE-2024-6162 | Hig | 0.42 | 7.5 | 0.02 | Jun 20, 2024 | A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path… | ||
| CVE-2024-27812 | Med | 0.42 | 6.5 | 0.01 | Jun 10, 2024 | A logic issue was addressed with improved file handling. This issue is fixed in visionOS 1.2. Processing web content may lead to a denial-of-service. | ||
| CVE-2024-27800 | Med | 0.42 | 6.5 | 0.01 | Jun 10, 2024 | This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, tvOS 17.5, visionOS 1.2, watchOS 10.5. Processing a maliciously crafted… | ||
| CVE-2024-33655 | Hig | 0.42 | 7.5 | 0.02 | Jun 6, 2024 | The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification… | ||
| CVE-2024-29857 | Hig | 0.42 | 7.5 | 0.01 | May 14, 2024 | An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during… | ||
| CVE-2024-34084 | Hig | 0.42 | 7.5 | 0.01 | May 7, 2024 | Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the… | ||
| CVE-2024-32972 | Hig | 0.42 | 7.5 | 0.01 | May 6, 2024 | go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in… | ||
| CVE-2024-32984 | Hig | 0.42 | 7.5 | 0.01 | May 1, 2024 | Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this… |
- risk 0.42cvss 6.5epss 0.00
The issue was addressed with improved UI. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7. Processing web content may lead to a denial-of-service.
- risk 0.42cvss 7.5epss 0.01
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The `nimiq-network-libp2p` subcrate of nimiq/core-rs-albatross is vulnerable to a Denial of Service (DoS) attack due to uncontrolled memory…
- risk 0.42cvss 6.5epss 0.00
An authenticated attacker can compromise the availability of the device via the network
- risk 0.42cvss 7.5epss 0.01
A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python…
- risk 0.42cvss 7.5epss 0.00
Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly…
- risk 0.42cvss 6.5epss 0.01
The issue was addressed with improved memory handling. This issue is fixed in Safari 17.4, iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, tvOS 17.4, visionOS 1.1, watchOS 10.4. Processing web content may lead to a denial-of-service.
- risk 0.42cvss 7.5epss 0.00
A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.42cvss 7.5epss 0.00
A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.42cvss 7.5epss 0.01
A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- risk 0.42cvss 6.5epss 0.00
An incomplete fix for ose-olm-catalogd-container was issued for the Rapid Reset Vulnerability (CVE-2023-39325/CVE-2023-44487) where only unauthenticated streams were protected, not streams created by authenticated sources.
- risk 0.42cvss 7.5epss 0.02
Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically…
- risk 0.42cvss 7.5epss 0.01
A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory.
- risk 0.42cvss 7.5epss 0.02
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path…
- risk 0.42cvss 6.5epss 0.01
A logic issue was addressed with improved file handling. This issue is fixed in visionOS 1.2. Processing web content may lead to a denial-of-service.
- risk 0.42cvss 6.5epss 0.01
This issue was addressed by removing the vulnerable code. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, tvOS 17.5, visionOS 1.2, watchOS 10.5. Processing a maliciously crafted…
- risk 0.42cvss 7.5epss 0.02
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification…
- risk 0.42cvss 7.5epss 0.01
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during…
- risk 0.42cvss 7.5epss 0.01
Minder's `HandleGithubWebhook` is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the…
- risk 0.42cvss 7.5epss 0.01
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to 1.13.15, a vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix has been included in…
- risk 0.42cvss 7.5epss 0.01
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this…