
CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 49 of 93
  • CVE-2026-47736 · High · Jun 8, 2026
    risk 0.38 · cvss - · epss 0.00

    Impact: [PROXY protocol support for Puma](https://github.com/puma/puma/issues/2651) was added in version 5.5.0. When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present.…

  • CVE-2026-52880 · High · Jun 5, 2026
    risk 0.38 · cvss - · epss 0.00

    Summary: The Klever seednode REST API starts a Gin engine with `Engine.Run(restAPIInterface)`. In Gin v1.9.1, `Engine.Run` calls Go's default `http.ListenAndServe`, which constructs an HTTP server without application-level `ReadHeaderTimeout`, `ReadTimeout`, or…

  • CVE-2026-52879 · High · Jun 5, 2026
    risk 0.38 · cvss - · epss 0.00

    Summary: `networkMessenger.directMessageHandler` in `network/p2p/libp2p/netMessenger.go` spawns a fresh goroutine for every incoming direct message before the antiflood layer makes an admission decision. There is no semaphore, throttler, or bound on concurrent in-flight…

  • CVE-2026-47249 · High · Jun 5, 2026
    risk 0.38 · cvss - · epss 0.00

    Summary: A connected peer can send a compressed `RequestDataType_HashArrayType` direct request that is only `442` bytes on the wire but expands into `200000` decoded hash entries inside the resolver path. On `klever-go` `v1.7.17`, this allows remote memory and CPU…

  • CVE-2026-44019 · High · Jun 3, 2026
    risk 0.38 · cvss - · epss 0.00

    Impact: In versions `>= 2.5.0, < 2.74.1`, `docling-core` could allow local `file://` image references and accepted inline `data:` content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by…

  • CVE-2026-47214 · High · Jun 3, 2026
    risk 0.38 · cvss - · epss 0.00

    Impact: The HTML backend did not perform sufficient validation during resource handling:
      - Accepted `file://` URIs enabling local file system access when `enable_local_fetch=True`
      - Path resolution allowed traversal outside intended directories via `../` sequences and…

  • CVE-2026-42626 · Medium · May 22, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauthenticated remote attacker on the same network can establish a persistent connection to port 9100 and send keep-alive packets,…

  • CVE-2026-45498 · Medium · KEV · May 20, 2026
    risk 0.38 · cvss 4.0 · epss 0.63

    Microsoft Defender Denial of Service Vulnerability

  • CVE-2026-45713 · High · May 19, 2026
    risk 0.38 · cvss - · epss 0.00

    Summary: The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 ⇒ "no limit"). The same applies to the HTTP /api/v1/send…

  • CVE-2026-32686 · Medium · May 7, 2026
    risk 0.38 · cvss - · epss 0.00

    Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted…

  • CVE-2025-48040 · Medium · Sep 11, 2025
    risk 0.38 · cvss - · epss 0.00

    Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and…

  • CVE-2025-9341 · Medium · Aug 22, 2025
    risk 0.38 · cvss - · epss 0.00

    Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This…

  • CVE-2025-54572 · Medium · Jul 30, 2025
    risk 0.38 · cvss - · epss 0.00

    The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is…

  • CVE-2021-3629 · Medium · May 24, 2022
    risk 0.38 · cvss 5.9 · epss 0.01

    A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior…

  • CVE-2021-3908 · Medium · Nov 11, 2021
    risk 0.38 · cvss 5.9 · epss 0.01

    OctoRPKI does not limit the depth of a certificate chain, allowing for a CA to create children in an ad-hoc fashion, thereby making tree traversal never end.

  • CVE-2020-35510 · Medium · Jun 2, 2021
    risk 0.38 · cvss 5.9 · epss 0.01

    A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the…

  • CVE-2017-15119 · Medium · Jul 27, 2018
    risk 0.38 · cvss 5.8 · epss 0.03

    The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep…

  • CVE-2017-16129 · Medium · Jun 7, 2018
    risk 0.38 · cvss 5.9 · epss 0.02

    The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may…

  • CVE-2018-5501 · Medium · Mar 1, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    In some circumstances, on F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, any 11.6.x or 11.5.x release, or 11.2.1, TCP DNS profile allows excessive buffering due to lack of flow control.

  • CVE-2018-5500 · Medium · Mar 1, 2018
    risk 0.38 · cvss 5.9 · epss 0.01

    On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11.6.2, every Multipath TCP (MCTCP) connection established leaks a small amount of memory. Virtual server using TCP profile with Multipath TCP (MCTCP) feature enabled will be affected by this issue.