CWE-405
Asymmetric Resource Consumption (Amplification)
Description
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Hierarchy (View 1000)
CVEs mapped to this weakness (31)
page 1 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-42874 | Hig | 0.51 | 7.9 | 0.00 | Dec 9, 2025 | SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction… | ||
| CVE-2026-25611 | Hig | 0.49 | 7.5 | 0.01 | Feb 10, 2026 | A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server. | ||
| CVE-2025-8677 | Hig | 0.49 | 7.5 | 0.11 | Oct 22, 2025 | Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1… | ||
| CVE-2024-11187 | Hig | 0.49 | 7.5 | 0.15 | Jan 29, 2025 | It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use… | ||
| CVE-2024-56200 | Hig | 0.49 | 8.6 | 0.01 | Dec 19, 2024 | Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image proxy for compressing and resizing remote files could allow attacks that could affect availability, such as by abnormally increasing the CPU usage of the server… | ||
| CVE-2018-15492 | Hig | 0.49 | 7.5 | 0.01 | Aug 18, 2018 | A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification. | ||
| CVE-2024-49363 | Hig | 0.48 | 7.4 | 0.00 | Dec 18, 2024 | Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified… | ||
| CVE-2025-42876 | Hig | 0.46 | 7.1 | 0.00 | Dec 9, 2025 | Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful… | ||
| CVE-2026-44296 | Hig | 0.42 | 7.5 | 0.00 | May 12, 2026 | Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse… | ||
| CVE-2025-30204 | Hig | 0.42 | 7.5 | 0.01 | Mar 21, 2025 | golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a… | ||
| CVE-2024-34703 | Hig | 0.42 | 7.5 | 0.01 | Jun 30, 2024 | Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding… | ||
| CVE-2026-45557 | Med | 0.38 | 5.8 | 0.00 | May 19, 2026 | Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0. | ||
| CVE-2025-42873 | Med | 0.38 | 5.9 | 0.00 | Dec 9, 2025 | SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage… | ||
| CVE-2025-25186 | Med | 0.35 | 6.5 | 0.01 | Feb 10, 2025 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time… | ||
| CVE-2026-8594 | Med | 0.33 | 6.2 | 0.00 | May 30, 2026 | Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the… | ||
| CVE-2024-0450 | Med | 0.33 | 6.2 | 0.00 | Mar 19, 2024 | An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The… | ||
| CVE-2026-35665 | Med | 0.27 | 5.3 | 0.00 | Apr 10, 2026 | OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources… | ||
| CVE-2026-35626 | Med | 0.27 | 5.3 | 0.00 | Apr 9, 2026 | OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without… | ||
| CVE-2025-46598 | Med | 0.27 | 5.3 | 0.00 | Mar 20, 2026 | Bitcoin Core through 29.0 allows a denial of service via a crafted transaction. | ||
| CVE-2025-68480 | Med | 0.27 | 5.3 | 0.00 | Dec 22, 2025 | Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request… |
- risk 0.51cvss 7.9epss 0.00
SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction…
- risk 0.49cvss 7.5epss 0.01
A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
- risk 0.49cvss 7.5epss 0.11
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1…
- risk 0.49cvss 7.5epss 0.15
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use…
- risk 0.49cvss 8.6epss 0.01
Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image proxy for compressing and resizing remote files could allow attacks that could affect availability, such as by abnormally increasing the CPU usage of the server…
- risk 0.49cvss 7.5epss 0.01
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
- risk 0.48cvss 7.4epss 0.00
Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified…
- risk 0.46cvss 7.1epss 0.00
Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful…
- risk 0.42cvss 7.5epss 0.00
Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse…
- risk 0.42cvss 7.5epss 0.01
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a…
- risk 0.42cvss 7.5epss 0.01
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding…
- risk 0.38cvss 5.8epss 0.00
Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.
- risk 0.38cvss 5.9epss 0.00
SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage…
- risk 0.35cvss 6.5epss 0.01
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time…
- risk 0.33cvss 6.2epss 0.00
Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the…
- risk 0.33cvss 6.2epss 0.00
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The…
- risk 0.27cvss 5.3epss 0.00
OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources…
- risk 0.27cvss 5.3epss 0.00
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without…
- risk 0.27cvss 5.3epss 0.00
Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
- risk 0.27cvss 5.3epss 0.00
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request…