VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964), page 12 of 49
  • CVE-2025-62666 · Medium · Oct 18, 2025
    risk 0.45 · cvss (not listed) · epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS. This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.

  • CVE-2025-61775 · Medium · Oct 13, 2025
    risk 0.45 · cvss (not listed) · epss 0.00

    Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a…

  • CVE-2025-48738 · Medium · May 23, 2025
    risk 0.45 · cvss (not listed) · epss 0.00

    An e-mail flooding vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to several consequences, including…

  • CVE-2023-24998 · High · Feb 20, 2023
    risk 0.45 · cvss 7.5 · epss 0.47

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new…

  • CVE-2025-31990 · Medium · Feb 7, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate…

  • CVE-2025-11044 · Medium · Jan 19, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent…

  • CVE-2018-15399 · Medium · Oct 5, 2018
    risk 0.44 · cvss 6.8 · epss 0.02

    A vulnerability in the TCP syslog module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust the 1550-byte buffers on an affected device, resulting in a denial of service…

  • CVE-2024-31446 · High · Apr 16, 2024
    risk 0.43 · cvss 7.7 · epss 0.01

    OpenComputers is a Minecraft mod that adds programmable computers and robots to the game. A user can use OpenComputers to get a Computer thread stuck in the Lua VM, which eventually blocks the Server thread, requiring the server to be forcibly shut down. This can be accomplished…

  • CVE-2023-6563 · High · Dec 14, 2023
    risk 0.43 · cvss 7.7 · epss 0.01

    An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open…

  • CVE-2019-12406 · Medium · Nov 6, 2019
    risk 0.43 · cvss 6.5 · epss 0.06

    Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments.…

  • CVE-2019-10093 · Medium · Aug 2, 2019
    risk 0.43 · cvss 6.5 · epss 0.04

    In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file could consume all available SAXParsers in the pool and lead to very long hangs. Apache Tika users should upgrade to 1.22 or later.

  • CVE-2019-1002100 · Medium · Apr 1, 2019
    risk 0.43 · cvss 6.5 · epss 0.11

    In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" (e.g. `kubectl patch --type json` or `"Content-Type:…

  • CVE-2017-18219 · Medium · Mar 5, 2018
    risk 0.43 · cvss 6.5 · epss 0.04

    An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted file that triggers an attempt at a large png_pixels array allocation.

  • CVE-2018-7443 · Medium · Feb 23, 2018
    risk 0.43 · cvss 6.5 · epss 0.03

    The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory function in…

  • CVE-2017-14107 · Medium · Sep 1, 2017
    risk 0.43 · cvss 6.5 · epss 0.03

    The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mishandles EOCD records, which allows remote attackers to cause a denial of service (memory allocation failure in _zip_cdir_grow in zip_dirent.c) via a crafted ZIP archive.

  • CVE-2017-11525 · Medium · Jul 23, 2017
    risk 0.43 · cvss 6.5 · epss 0.04

    The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.

  • CVE-2008-5180 · Medium · Nov 20, 2008
    risk 0.43 · cvss 5.3 · epss 0.68

    Microsoft Communicator, and Communicator in Microsoft Office 2010 beta, allows remote attackers to cause a denial of service (memory consumption) via a large number of SIP INVITE requests, which trigger the creation of many sessions.

  • CVE-2026-12151 · Important · Jun 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-8683 · Medium · Jun 15, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost…

  • CVE-2026-44488 · High · Jun 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments…