VYPR

CWE-405

Asymmetric Resource Consumption (Amplification)

Abstraction: Class | Status: Incomplete

Description

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
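The following Python is added here as an illustration; it is not code from the CWE entry, from MITRE, or from any product listed on this page. It shows the asymmetry in its most common web-service form, and the same shape recurs in several of the mapped CVEs below: a handler that buffers and parses an unauthenticated request body before checking the sender's signature, beside a handler that bounds the read and verifies first. The shared secret, the 64 KiB limit, the handler names and the constructed 5 MiB payload are all assumptions.

```python
# Added example (not from the CWE entry or any product on this page): an
# unauthenticated sender makes the server buffer and parse a body before the
# server has checked any proof of authorization, beside a bounded, verify-first
# version.  SECRET, MAX_BODY and the handler names are assumptions.
import hashlib
import hmac
import io
import json

SECRET = b"constructed-shared-secret"   # assumption: key shared with the sender
MAX_BODY = 64 * 1024                    # assumption: largest legitimate payload


class CostMeter:
    """Counts bytes the server held in memory and bytes it handed to the parser."""

    def __init__(self):
        self.bytes_buffered = 0
        self.bytes_parsed = 0


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body, as a webhook provider would send it."""
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()


def handle_unbounded(stream, signature: str, meter: CostMeter) -> str:
    """Vulnerable shape: read the whole body, then verify.  The sender has
    proven nothing yet, but the server has already paid for every byte."""
    body = stream.read()                      # no limit at all
    meter.bytes_buffered += len(body)
    if not hmac.compare_digest(sign(body), signature):
        return "rejected"
    meter.bytes_parsed += len(body)
    json.loads(body)
    return "accepted"


def handle_bounded(stream, signature: str, declared_length, meter: CostMeter) -> str:
    """Hardened shape: cheap checks first, bounded read, verify before parse."""
    # 1. Refuse on the declared length alone before touching the body.
    if declared_length is None or declared_length > MAX_BODY:
        return "rejected"
    # 2. Never trust the declared length: read at most MAX_BODY + 1 bytes.
    body = stream.read(MAX_BODY + 1)
    meter.bytes_buffered += len(body)
    if len(body) > MAX_BODY or len(body) != declared_length:
        return "rejected"
    # 3. Verify the signature over the raw bytes before any expensive parse.
    if not hmac.compare_digest(sign(body), signature):
        return "rejected"
    meter.bytes_parsed += len(body)
    json.loads(body)
    return "accepted"


def attack_cost(handler: str, payload_size: int, declared=None):
    """Replays a constructed, unsigned payload of payload_size bytes and returns
    (outcome, bytes the server buffered).  `declared` lets the sender lie about
    Content-Length; by default the declared length is truthful."""
    body = b"{" + b"x" * (payload_size - 2) + b"}"   # constructed junk
    meter = CostMeter()
    bogus_sig = "0" * 64
    if handler == "unbounded":
        outcome = handle_unbounded(io.BytesIO(body), bogus_sig, meter)
    else:
        length = len(body) if declared is None else declared
        outcome = handle_bounded(io.BytesIO(body), bogus_sig, length, meter)
    return outcome, meter.bytes_buffered


def legitimate(handler: str) -> str:
    """A correctly signed small event is accepted by both shapes."""
    body = json.dumps({"event": "ping", "id": 1}).encode()
    meter = CostMeter()
    if handler == "unbounded":
        return handle_unbounded(io.BytesIO(body), sign(body), meter)
    return handle_bounded(io.BytesIO(body), sign(body), len(body), meter)


if __name__ == "__main__":
    five_mib = 5 * 1024 * 1024
    print("unbounded, 5 MiB unsigned:", attack_cost("unbounded", five_mib))
    print("bounded,   5 MiB unsigned:", attack_cost("bounded", five_mib))
    print("bounded,   lying length:  ", attack_cost("bounded", five_mib, declared=100))
```

The meter is what makes the asymmetry visible: the sender transmits junk and proves nothing, while the unbounded handler commits memory for every byte before it learns the request is bogus. The bounded handler rejects on the declared length alone, caps the read so a lying Content-Length buys at most MAX_BODY + 1 bytes, and parses only after the HMAC check, so the cheapest work runs first. The same ordering applies to the other cases on this page: check the cheap, unforgeable thing before the expensive one, and bound anything an unauthenticated peer gets to size.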

Hierarchy (View 1000)

CVEs mapped to this weakness (31)

Page 1 of 2 (20 of the 31 mapped CVEs shown)
  • CVE-2025-42874 | High | Dec 9, 2025
    risk 0.51 | CVSS 7.9 | EPSS 0.00

    SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction…

  • CVE-2026-25611 | High | Feb 10, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.

  • CVE-2025-8677 | High | Oct 22, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.11

    Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1…

  • CVE-2024-11187 | High | Jan 29, 2025
    risk 0.49 | CVSS 7.5 | EPSS 0.15

    It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use…

  • CVE-2024-56200 | High | Dec 19, 2024
    risk 0.49 | CVSS 8.6 | EPSS 0.01

    Altair is a fork of Misskey v12. In affected versions, a lack of request validation and of authentication in the image proxy for compressing and resizing remote files could allow attacks that affect availability, such as by abnormally increasing the CPU usage of the server…

  • CVE-2018-15492 | High | Aug 18, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.

  • CVE-2024-49363 | High | Dec 18, 2024
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, which allows remote actors to execute a self-propagating reflected/amplified…

  • CVE-2025-42876 | High | Dec 9, 2025
    risk 0.46 | CVSS 7.1 | EPSS 0.00

    Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful…

  • CVE-2026-44296 | High | May 12, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse…

  • CVE-2025-30204 | High | Mar 21, 2025
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a…

  • CVE-2024-34703 | High | Jun 30, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.01

    Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding…

  • CVE-2026-45557 | Medium | May 19, 2026
    risk 0.38 | CVSS 5.8 | EPSS 0.00

    Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.

  • CVE-2025-42873 | Medium | Dec 9, 2025
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage…

  • CVE-2025-25186 | Medium | Feb 10, 2025
    risk 0.35 | CVSS 6.5 | EPSS 0.01

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time…

  • CVE-2026-8594 | Medium | May 30, 2026
    risk 0.33 | CVSS 6.2 | EPSS 0.00

    Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the…

  • CVE-2024-0450 | Medium | Mar 19, 2024
    risk 0.33 | CVSS 6.2 | EPSS 0.00

    An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The…

  • CVE-2026-35665 | Medium | Apr 10, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources…

  • CVE-2026-35626 | Medium | Apr 9, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without…

  • CVE-2025-46598 | Medium | Mar 20, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.

  • CVE-2025-68480 | Medium | Dec 22, 2025
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request…