CWE-407
Inefficient Algorithmic Complexity
Description
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Hierarchy (View 1000)
CVEs mapped to this weakness (67)
page 3 of 4| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-23020 | — | Med | 0.27 | 5.3 | 0.01 | Feb 20, 2025 | An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs… | |
| CVE-2026-11312 | Low | 0.21 | 3.3 | 0.00 | Jun 5, 2026 | A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a… | ||
| CVE-2026-6042 | Low | 0.21 | 3.3 | 0.00 | Apr 10, 2026 | A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local… | ||
| CVE-2025-66382 | Low | 0.19 | 2.9 | 0.00 | Nov 28, 2025 | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. | ||
| CVE-2023-30421 | Low | 0.19 | 2.9 | 0.00 | Apr 19, 2025 | mystrtod in mjson 1.2.7 requires more than a billion iterations during processing of certain digit strings such as 8891110122900e913013935755114. | ||
| CVE-2026-45186 | Low | 0.12 | 2.9 | 0.00 | May 10, 2026 | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. | ||
| CVE-2026-55206 | 0.00 | — | — | Jun 19, 2026 | ### Summary PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed.… | |||
| CVE-2026-49460 | 0.00 | — | 0.00 | Jun 16, 2026 | ### Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/FlateDecode` filter with a PNG predictor. ### Patches This has been fixed in [pypdf==6.12.2](https://github.com/py-pdf/pypdf/release… | |||
| CVE-2026-48988 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time,… | |||
| CVE-2026-53550 | 0.00 | — | 0.00 | Jun 15, 2026 | ### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event… | |||
| CVE-2026-33123 | 0.00 | — | 0.00 | Mar 20, 2026 | pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed… | |||
| CVE-2026-28804 | 0.00 | — | 0.00 | Mar 6, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version… | |||
| CVE-2026-27903 | — | 0.00 | — | 0.01 | Feb 26, 2026 | minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple… | ||
| CVE-2025-47911 | — | 0.00 | — | 0.01 | Feb 5, 2026 | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | ||
| CVE-2025-14550 | 0.00 | — | 0.01 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,… | |||
| CVE-2026-1285 | 0.00 | — | 0.01 | Feb 3, 2026 | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause… | |||
| CVE-2025-14822 | 0.00 | — | 0.00 | Jan 16, 2026 | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens | |||
| CVE-2025-64460 | 0.00 | — | 0.02 | Dec 2, 2025 | An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion… | |||
| CVE-2025-64458 | 0.00 | — | 0.02 | Nov 5, 2025 | An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`… | |||
| CVE-2025-55304 | 0.00 | — | 0.00 | Aug 29, 2025 | Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to… |
- risk 0.27cvss 5.3epss 0.01
An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs…
- risk 0.21cvss 3.3epss 0.00
A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a…
- risk 0.21cvss 3.3epss 0.00
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local…
- risk 0.19cvss 2.9epss 0.00
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
- risk 0.19cvss 2.9epss 0.00
mystrtod in mjson 1.2.7 requires more than a billion iterations during processing of certain digit strings such as 8891110122900e913013935755114.
- risk 0.12cvss 2.9epss 0.00
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
- CVE-2026-55206Jun 19, 2026risk 0.00cvss —epss —
### Summary PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed.…
- CVE-2026-49460Jun 16, 2026risk 0.00cvss —epss 0.00
### Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/FlateDecode` filter with a PNG predictor. ### Patches This has been fixed in [pypdf==6.12.2](https://github.com/py-pdf/pypdf/release…
- CVE-2026-48988Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time,…
- CVE-2026-53550Jun 15, 2026risk 0.00cvss —epss 0.00
### Summary A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event…
- CVE-2026-33123Mar 20, 2026risk 0.00cvss —epss 0.00
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed…
- CVE-2026-28804Mar 6, 2026risk 0.00cvss —epss 0.00
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version…
- CVE-2026-27903Feb 26, 2026risk 0.00cvss —epss 0.01
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple…
- CVE-2025-47911Feb 5, 2026risk 0.00cvss —epss 0.01
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
- CVE-2025-14550Feb 3, 2026risk 0.00cvss —epss 0.01
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,…
- CVE-2026-1285Feb 3, 2026risk 0.00cvss —epss 0.01
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause…
- CVE-2025-14822Jan 16, 2026risk 0.00cvss —epss 0.00
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens
- CVE-2025-64460Dec 2, 2025risk 0.00cvss —epss 0.02
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion…
- CVE-2025-64458Nov 5, 2025risk 0.00cvss —epss 0.02
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`…
- CVE-2025-55304Aug 29, 2025risk 0.00cvss —epss 0.00
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to…