VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

BaseIncompleteLikelihood: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 4 of 49
  • CVE-2026-1659HigMay 14, 2026
    risk 0.49cvss 7.5epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input…

  • CVE-2025-14870HigMay 14, 2026
    risk 0.49cvss 7.5epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient…

  • CVE-2026-42561HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the…

  • CVE-2026-42583HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload…

  • CVE-2026-42582HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before…

  • CVE-2026-44004HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single…

  • CVE-2026-41227HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support…

  • CVE-2026-40629HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-40423HigMay 13, 2026
    risk 0.49cvss 7.5epss 0.00

    When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2026-23826HigMay 12, 2026
    risk 0.49cvss 7.5epss 0.00

    A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulting in a denial-of-service condition.…

  • CVE-2026-22925HigMay 12, 2026
    risk 0.49cvss 7.5epss 0.00

    A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application is susceptible to resource exhaustion when subjected to high volume of TCP SYN packets This could allow an attacker to render the service unavailable and cause…

  • CVE-2026-7541HigMay 7, 2026
    risk 0.49cvss 7.5epss 0.00

    A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled…

  • CVE-2025-66369HigMay 5, 2026
    risk 0.49cvss 7.5epss 0.00

    An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a…

  • CVE-2026-7768HigMay 4, 2026
    risk 0.49cvss 7.5epss 0.00

    @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually…

  • CVE-2026-42236HigMay 4, 2026
    risk 0.49cvss 7.5epss 0.00

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could…

  • CVE-2026-42198HigApr 29, 2026
    risk 0.49cvss 7.5epss 0.00

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very…

  • CVE-2026-5440HigApr 9, 2026
    risk 0.49cvss 7.5epss 0.01

    A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely…

  • CVE-2026-5439HigApr 9, 2026
    risk 0.49cvss 7.5epss 0.00

    A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a…

  • CVE-2026-5438HigApr 9, 2026
    risk 0.49cvss 7.5epss 0.00

    A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can…

  • CVE-2026-35405HigApr 7, 2026
    risk 0.49cvss 7.5epss 0.00

    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the…