VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of Exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
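The weakness in its simplest form, as an added example written for this page (not CWE's or VYPR's code, and not from any project in the CVE list below): a decoder for a length-prefixed framing format that allocates whatever a peer declares, next to one that checks every allocation against a budget before making it. The frame format, the limit values and the constructed inputs are assumptions.

```python
"""Length-prefixed frame decoding: trusting the declared length (CWE-770)
versus checking every allocation against a budget first.

Added example for this page; not code from CWE, VYPR or any project in the
CVE list. The frame format (4-byte big-endian length, then payload), the limit
values and the constructed inputs are assumptions chosen for illustration.
"""
import struct


class ResourceLimitExceeded(Exception):
    """Raised when input would exceed a configured allocation budget."""


def decode_unbounded(data: bytes) -> tuple[int, int]:
    """Vulnerable decoder: allocates whatever each length prefix declares.

    Returns (frames_decoded, bytes_allocated). A peer that declares a large
    length but sends a few bytes makes the decoder allocate (and a streaming
    decoder then hold) far more memory than the peer's own traffic cost.
    """
    pos, frames, allocated = 0, 0, 0
    while pos + 4 <= len(data):
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        buf = bytearray(n)                 # sized by the attacker, no check
        chunk = data[pos:pos + n]
        buf[:len(chunk)] = chunk           # copy whatever actually arrived
        pos += len(chunk)
        frames += 1
        allocated += len(buf)
    return frames, allocated


def decode_bounded(data: bytes, *, max_frame: int = 64 * 1024,
                   max_frames: int = 64,
                   max_total: int = 1024 * 1024) -> tuple[int, int]:
    """Hardened decoder: the budget is checked before anything is allocated.

    Assumed limits: bytes per frame, frames per message and payload bytes per
    message. The frame count matters even for tiny frames, because every frame
    carries per-object overhead. It also refuses to allocate for bytes that
    have not arrived, so a declared length cannot outrun the actual input.
    """
    pos, frames, allocated = 0, 0, 0
    while pos + 4 <= len(data):
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if n > max_frame:
            raise ResourceLimitExceeded(f"frame length {n} exceeds {max_frame}")
        if frames + 1 > max_frames:
            raise ResourceLimitExceeded(f"more than {max_frames} frames in one message")
        if allocated + n > max_total:
            raise ResourceLimitExceeded(f"message payload would exceed {max_total} bytes")
        if n > len(data) - pos:
            raise ResourceLimitExceeded("declared length exceeds available input")
        payload = bytes(data[pos:pos + n])  # allocate only what is present
        pos += n
        frames += 1
        allocated += len(payload)
    return frames, allocated


def check_bounded(data: bytes) -> str:
    """Run the hardened decoder and report 'ok' or the limit that tripped."""
    try:
        decode_bounded(data)
        return "ok"
    except ResourceLimitExceeded as exc:
        return str(exc)


def amplification(data: bytes) -> float:
    """Bytes the unbounded decoder allocates per byte of input received."""
    _, allocated = decode_unbounded(data)
    return allocated / len(data)


# Constructed inputs (not captured traffic):
HONEST = b"".join(struct.pack(">I", 16) + bytes(range(16)) for _ in range(3))
MALICIOUS = struct.pack(">I", 16 << 20) + b"\x00" * 4       # claims 16 MiB, sends 4 B
MANY_SMALL = b"".join(struct.pack(">I", 1) + b"x" for _ in range(1000))
TOTAL_BUST = b"".join(struct.pack(">I", 60 * 1024) + b"\x00" * (60 * 1024) for _ in range(20))
TRUNCATED = struct.pack(">I", 1000) + b"a" * 10             # promises 1000 B, sends 10 B

if __name__ == "__main__":
    print("honest:", decode_unbounded(HONEST), check_bounded(HONEST))
    print("unbounded decoder amplification on MALICIOUS: %.0fx" % amplification(MALICIOUS))
    for name, blob in [("MALICIOUS", MALICIOUS), ("MANY_SMALL", MANY_SMALL),
                       ("TOTAL_BUST", TOTAL_BUST), ("TRUNCATED", TRUNCATED)]:
        print(name, "->", check_bounded(blob))
```

The four constructed inputs map onto the four ways the entries on this page fail: one oversized element, too many small elements, an aggregate that overruns the per-message budget, and a length that is promised but never delivered. The check order matters as well: every limit is evaluated on the declared size before the allocation, never on the allocated object afterwards.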

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 23 of 49
  • CVE-2017-12432 · Medium · Aug 4, 2017
    risk 0.42 · cvss 6.5 · epss 0.02

    In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadPCXImage in coders/pcx.c, which allows attackers to cause a denial of service.

  • CVE-2017-11468 · High · Jul 20, 2017
    risk 0.42 · cvss 7.5 · epss 0.03

    Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service (memory consumption) via the manifest endpoint.

  • CVE-2016-6580 · High · Jan 10, 2017
    risk 0.42 · cvss 7.5 · epss 0.02

    An HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the…

  • CVE-2025-46569 · High · May 1, 2025
    risk 0.41 · cvss n/a · epss 0.00

    Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego…

  • CVE-2023-38507 · High · Sep 15, 2023
    risk 0.41 · cvss 7.3 · epss 0.01

    Strapi is an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack…

  • CVE-2022-3423 · High · Oct 7, 2022
    risk 0.41 · cvss 7.3 · epss 0.02

    Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0.

  • CVE-2026-29168 · High · May 5, 2026
    risk 0.40 · cvss 7.3 · epss 0.01

    Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2025-43211 · Medium · Jul 30, 2025
    risk 0.40 · cvss 6.2 · epss 0.00

    The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing web content may lead to a denial-of-service.

  • CVE-2024-47969 · Medium · Oct 7, 2024
    risk 0.40 · cvss 6.2 · epss 0.00

    Improper resource management in firmware of some Solidigm DC Products may allow an attacker to potentially enable denial of service.

  • CVE-2026-48779 · High · Jun 15, 2026
    risk 0.39 · cvss n/a · epss 0.01

    Impact: A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit,…

  • CVE-2026-28980 · High · Jun 12, 2026
    risk 0.39 · cvss n/a · epss 0.00

    Summary: The `HTTPDecoder` in `NIOHTTP1` enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all…

  • CVE-2026-41644 · High · May 7, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests…

  • CVE-2025-48041 · High · Sep 11, 2025
    risk 0.39 · cvss n/a · epss 0.00

    Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Flooding. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3,…

  • CVE-2025-59045 · High · Sep 10, 2025
    risk 0.39 · cvss n/a · epss 0.00

    Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-service by triggering unbounded memory…

  • CVE-2024-26894 · Medium · Apr 17, 2024
    risk 0.39 · cvss 6.0 · epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() After unregistering the CPU idle device, the memory associated with it is not freed, leading to a memory leak: unreferenced object…

  • CVE-2018-10237 · Medium · Apr 26, 2018
    risk 0.39 · cvss 5.9 · epss 0.05

    Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with…

  • CVE-2017-12132 · Medium · Aug 1, 2017
    risk 0.39 · cvss 5.9 · epss 0.02

    The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.

  • CVE-2016-8576 · Medium · Nov 4, 2016
    risk 0.39 · cvss 6.0 · epss 0.00

    The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.

  • CVE-2026-54283 · High · Jun 15, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: `request.form()` accepts `max_fields` and `max_part_size` to bound resource consumption while parsing form data. These limits are enforced for `multipart/form-data`, but silently ignored for `application/x-www-form-urlencoded`. An unauthenticated attacker can…

  • CVE-2026-41710 · Medium · Jun 9, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in…
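The last entry above (CVE-2026-41710) describes a limit that backfires: a capacity cap with no eviction, so a flood of unique failing keys fills the cache and every later legitimate entry is refused for good. As an added example written for this page (not the affected project's code; the class names, the capacity and the LRU policy are assumptions), the two behaviours side by side:

```python
"""A bounded cache that evicts versus one that simply stops accepting.

Added example for this page; not code from CWE, VYPR or the project behind
CVE-2026-41710. Class names, the capacity and the LRU policy are assumptions.
"""
from collections import OrderedDict


class FullStopCache:
    """Capacity cap with no eviction: once full, every new key is refused.

    The cap stops memory growth, but a flood of unique failing keys turns it
    into a permanent outage for everyone whose key arrives afterwards.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._entries: dict[str, int] = {}

    def record_failure(self, key: str) -> bool:
        """Count a failure for key; False means the cache refused it."""
        if key in self._entries:
            self._entries[key] += 1
            return True
        if len(self._entries) >= self.capacity:
            return False                       # refused, and refused for good
        self._entries[key] = 1
        return True

    def failures(self, key: str) -> int:
        return self._entries.get(key, 0)

    def __len__(self) -> int:
        return len(self._entries)


class EvictingCache:
    """Same capacity, but the least recently used entry makes room for a new one.

    An attacker can still churn the cache, but cannot lock it: legitimate keys
    keep being recorded and the attacker's stale keys are what gets evicted.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._entries: "OrderedDict[str, int]" = OrderedDict()

    def record_failure(self, key: str) -> bool:
        """Count a failure for key; always accepted, evicting if necessary."""
        if key in self._entries:
            self._entries[key] += 1
            self._entries.move_to_end(key)     # refresh recency
            return True
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)  # drop the least recently used
        self._entries[key] = 1
        return True

    def failures(self, key: str) -> int:
        return self._entries.get(key, 0)

    def __len__(self) -> int:
        return len(self._entries)


def flood_then_retry(cache, n_unique: int, victim_key: str = "legit-42") -> tuple[bool, int]:
    """Simulate the entry's attack: n_unique distinct failing requests, then
    one legitimate failure that should still be recorded.

    Returns (victim_recorded, cache_size_after).
    """
    for i in range(n_unique):
        cache.record_failure(f"attacker-{i}")
    return cache.record_failure(victim_key), len(cache)


if __name__ == "__main__":
    for cls in (FullStopCache, EvictingCache):
        print(cls.__name__, flood_then_retry(cls(100), 1000))
```

Eviction is the minimum; in production the same cache would also expire entries by age and be keyed so that one client's flood lands in that client's own partition, since an attacker who can evict at will can still push a victim's retry state out of an LRU cache.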
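CVE-2026-54283 above is the other common way a limit fails: it exists, but only on one code path. As an added example written for this page (not the affected framework's code; the parsers, the `max_fields` / `max_part_size` names borrowed from the entry's wording, the limit values and the constructed request bodies are assumptions), a form parser that routes both `application/x-www-form-urlencoded` and `multipart/form-data` through one enforcement gate, checked before the field is materialised:

```python
"""Form-field limits enforced at one gate for every supported content type.

Added example for this page; not code from CWE, VYPR or the framework behind
CVE-2026-54283. The parsers, the parameter names max_fields / max_part_size
(taken from that entry's wording), the limit values and the constructed
request bodies are assumptions chosen for illustration.
"""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes


class FormLimitExceeded(ValueError):
    """Raised before an oversized or excess field is materialised."""


def _admit(fields: list, raw_size: int, max_fields: int, max_part_size: int) -> None:
    """The single gate both parsers pass through, before slicing or decoding."""
    if len(fields) >= max_fields:
        raise FormLimitExceeded(f"more than {max_fields} fields")
    if raw_size > max_part_size:
        raise FormLimitExceeded(f"field of {raw_size} bytes exceeds {max_part_size}")


def parse_urlencoded(body: bytes, *, max_fields: int, max_part_size: int) -> list[tuple[bytes, bytes]]:
    """Scan pair by pair; never split the whole body into a list first."""
    fields: list[tuple[bytes, bytes]] = []
    pos = 0
    while pos < len(body):
        end = body.find(b"&", pos)
        if end == -1:
            end = len(body)
        if end > pos:                       # skip empty pairs such as "a=1&&b=2"
            _admit(fields, end - pos, max_fields, max_part_size)
            name, _, value = body[pos:end].partition(b"=")
            fields.append((unquote_to_bytes(name.replace(b"+", b" ")),
                           unquote_to_bytes(value.replace(b"+", b" "))))
        pos = end + 1
    return fields


_NAME = re.compile(rb';\s*name="([^"]*)"')


def parse_multipart(body: bytes, boundary: bytes, *, max_fields: int, max_part_size: int) -> list[tuple[bytes, bytes]]:
    """Minimal multipart/form-data reader (plain fields only, CRLF line ends)."""
    fields: list[tuple[bytes, bytes]] = []
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos == -1:
        raise ValueError("boundary not found in body")
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):     # closing delimiter: --boundary--
            return fields
        nxt = body.find(delim, pos)
        if nxt == -1:
            raise ValueError("unterminated part")
        _admit(fields, nxt - pos, max_fields, max_part_size)   # before slicing the part
        headers, sep, data = body[pos:nxt].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header block")
        m = _NAME.search(headers)
        fields.append((m.group(1) if m else b"", data.removesuffix(b"\r\n")))
        pos = nxt


def parse_form(content_type: str, body: bytes, *, max_fields: int = 1000,
               max_part_size: int = 1024 * 1024) -> list[tuple[bytes, bytes]]:
    """Dispatch on content type; the limits reach every parser unchanged."""
    ctype, _, params = content_type.partition(";")
    ctype = ctype.strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        return parse_urlencoded(body, max_fields=max_fields, max_part_size=max_part_size)
    if ctype == "multipart/form-data":
        m = re.search(r'boundary="?([^";]+)"?', params)
        if not m:
            raise ValueError("multipart/form-data without boundary")
        return parse_multipart(body, m.group(1).encode("ascii"),
                               max_fields=max_fields, max_part_size=max_part_size)
    raise ValueError(f"unsupported content type {ctype!r}")


def limit_reason(content_type: str, body: bytes, **limits) -> Optional[str]:
    """None if the body parses within the limits, else the limit that tripped."""
    try:
        parse_form(content_type, body, **limits)
        return None
    except FormLimitExceeded as exc:
        return str(exc)


# Constructed request bodies (not captured traffic):
URLENCODED = b"user=alice&pw=hunter%202"
MULTIPART = (b"--B\r\nContent-Disposition: form-data; name=\"user\"\r\n\r\nalice\r\n"
             b"--B\r\nContent-Disposition: form-data; name=\"pw\"\r\n\r\nhunter2\r\n"
             b"--B--\r\n")
FLOOD_URLENCODED = b"&".join(b"f%d=1" % i for i in range(10_000))
BIG_MULTIPART = (b"--B\r\nContent-Disposition: form-data; name=\"x\"\r\n\r\n"
                 + b"A" * 1000 + b"\r\n--B--\r\n")
```

Two details carry the point. The limits are keyword-only and have no defaults inside the parsers, so a new content-type branch cannot be added without threading them through. And `_admit` is called on the raw byte count before the field is sliced or percent-decoded: a `body.split(b"&")` followed by a length check would already have allocated every field, which is the original bug in a different coat.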