VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Base · Incomplete · Likelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 27 of 49
  • CVE-2026-41726 · Med · Jun 10, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for…

  • CVE-2026-45023 · Med · May 28, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, the POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit…

  • CVE-2026-42256 · Med · May 9, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a…

  • CVE-2026-39414 · Med · Apr 8, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's…

  • CVE-2026-35441 · Med · Apr 6, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to…

  • CVE-2026-34756 · Med · Apr 6, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest…

  • CVE-2026-34755 · Med · Apr 6, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame…

  • CVE-2026-33658 · Med · Mar 26, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes…

  • CVE-2026-33541 · Med · Mar 26, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing…

  • CVE-2026-33438 · Med · Mar 26, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have a Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark`…

  • CVE-2025-32959 · Med · Apr 22, 2025
    risk 0.35 · cvss 6.5 · epss 0.00

    CUBA Platform is a high level framework for enterprise applications development. Prior to version 7.2.23, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing…

  • CVE-2025-24317 · Med · Apr 4, 2025
    risk 0.35 · cvss 5.3 · epss 0.01

    Allocation of resources without limits or throttling issue exists in HMI ViewJet C-more series and HMI GC-A2 series, which may allow a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.

  • CVE-2025-25186 · Med · Feb 10, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time…

  • CVE-2023-45290 · Med · Mar 5, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form…

  • CVE-2024-25143 · Med · Feb 7, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    The Document and Media widget in Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older unsupported versions, does not limit resource consumption when generating a preview image, which…

  • CVE-2024-24752 · Med · Feb 1, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    Bref enables serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, the Lambda event is converted to a PSR-7 object. During the conversion process, if the request is multipart, each part is…

  • CVE-2023-6476 · Med · Jan 9, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/CPU, circumventing the Kubernetes scheduler and potentially resulting in a denial of service on the node.

  • CVE-2023-46738 · Med · Jan 3, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    CubeFS is an open-source cloud-native file storage system. A security vulnerability was found in CubeFS HandlerNode in versions prior to 3.3.1 that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from…

  • CVE-2023-5573 · Med · Oct 13, 2023
    risk 0.35 · cvss 6.5 · epss 0.01

    Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.

  • CVE-2023-4138 · Med · Aug 3, 2023
    risk 0.35 · cvss 6.5 · epss 0.00

    Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0.