CWE-407

Inefficient Algorithmic Complexity

Abstraction: Class · Status: Incomplete · Likelihood of Exploit: Low

Description

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Hierarchy (View 1000)

CVEs mapped to this weakness (67)

page 3 of 4
  • CVE-2025-23020 · Med · Feb 20, 2025
    risk 0.27 · cvss 5.3 · epss 0.01

    An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs…

  • CVE-2026-11312 · Low · Jun 5, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a…

  • CVE-2026-6042 · Low · Apr 10, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local…

  • CVE-2025-66382 · Low · Nov 28, 2025
    risk 0.19 · cvss 2.9 · epss 0.00

    In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

  • CVE-2023-30421 · Low · Apr 19, 2025
    risk 0.19 · cvss 2.9 · epss 0.00

    mystrtod in mjson 1.2.7 requires more than a billion iterations during processing of certain digit strings such as 8891110122900e913013935755114.

  • CVE-2026-45186 · Low · May 10, 2026
    risk 0.12 · cvss 2.9 · epss 0.00

    In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

  • CVE-2026-55206 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss n/a

    Summary: PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed.…

  • CVE-2026-49460 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/FlateDecode` filter with a PNG predictor. Patches: This has been fixed in [pypdf==6.12.2](https://github.com/py-pdf/pypdf/release…

  • CVE-2026-48988 · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the `typographer: true` option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time,…

  • CVE-2026-53550 · Jun 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: A crafted YAML document can trigger algorithmic CPU exhaustion in `js-yaml` merge-key processing (`<<`) by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event…

  • CVE-2026-33123 · Mar 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed…

  • CVE-2026-28804 · Mar 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version…

  • CVE-2026-27903 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.01

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple…

  • CVE-2025-47911 · Feb 5, 2026
    risk 0.00 · cvss n/a · epss 0.01

    The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

  • CVE-2025-14550 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,…

  • CVE-2026-1285 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause…

  • CVE-2025-14822 · Jan 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.

  • CVE-2025-64460 · Dec 2, 2025
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion…

  • CVE-2025-64458 · Nov 5, 2025
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect`…

  • CVE-2025-55304 · Aug 29, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to…