VYPR

CWE-770

Allocation of Resources Without Limits or Throttling

Abstraction: Base · Status: Incomplete · Likelihood of exploit: High

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
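The "size of a resource" half of that definition is what most of the entries in the CVE list below describe: a buffer sized from an attacker-declared length (a Content-Length header, a ZIP or gzip size field) or a decompression step whose output is never capped. The following is an added example, not code from the CWE entry or from any vendor in the list: a length-prefixed frame reader and a gzip inflater, each written first in the vulnerable shape and then with the limit enforced before memory is committed. The limits MAX_FRAME and MAX_INFLATED, the helper names, the wire format and the sample inputs are all constructed for this example.

```python
import gzip
import io
import struct
import zlib

# Hypothetical policy limits for this example (not from the CWE entry).
MAX_FRAME = 1 << 20      # largest frame body this service will accept (1 MiB)
MAX_INFLATED = 1 << 20   # most decompressed bytes it will buffer
CHUNK = 64 * 1024


class TruncatedFrame(Exception):
    """Stream ended early; .allocated is the buffer already committed by then."""
    def __init__(self, allocated: int):
        super().__init__(f"truncated frame after allocating {allocated} bytes")
        self.allocated = allocated

class FrameTooLarge(ValueError): pass
class InflateTooLarge(ValueError): pass


def frame(declared: int, payload: bytes) -> bytes:
    """Constructed wire format: 4-byte big-endian length, then the body."""
    return struct.pack(">I", declared) + payload


def read_frame_unbounded(stream) -> bytes:
    """Vulnerable: sizes the buffer from the untrusted length prefix before a
    single payload byte has arrived (CWE-770)."""
    n = struct.unpack(">I", stream.read(4))[0]
    buf = bytearray(n)                       # attacker-chosen size, up to 4 GiB
    view, got = memoryview(buf), 0
    while got < n:
        k = stream.readinto(view[got:])
        if not k:
            raise TruncatedFrame(len(buf))
        got += k
    return bytes(buf)


def read_frame_bounded(stream, limit: int = MAX_FRAME) -> bytes:
    """Hardened: rejects the declared length before allocating, then grows the
    buffer only as bytes arrive, so declaring 1 MiB and sending 5 costs 5."""
    header = stream.read(4)
    if len(header) != 4:
        raise TruncatedFrame(0)
    n = struct.unpack(">I", header)[0]
    if n > limit:
        raise FrameTooLarge(f"declared {n} bytes, limit is {limit}")
    buf = bytearray()
    while len(buf) < n:
        piece = stream.read(min(CHUNK, n - len(buf)))
        if not piece:
            raise TruncatedFrame(len(buf))
        buf += piece
    return bytes(buf)


def try_read(reader, data: bytes):
    """Run a reader over an in-memory stream and report the outcome."""
    try:
        return ("ok", reader(io.BytesIO(data)))
    except TruncatedFrame as e:
        return ("truncated", e.allocated)
    except FrameTooLarge:
        return ("too_large", None)


def inflate_unbounded(blob: bytes) -> bytes:
    """Vulnerable: output is whatever the compressed stream expands to."""
    return gzip.decompress(blob)


def inflate_bounded(blob: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Hardened: inflates in CHUNK-sized output steps and aborts once the running
    total passes the limit, so a bomb costs at most limit + CHUNK bytes."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing
    out, pending = bytearray(), blob
    while True:
        piece = d.decompress(pending, CHUNK)
        out += piece
        if len(out) > limit:
            raise InflateTooLarge(f"decompressed output exceeds {limit} bytes")
        pending = d.unconsumed_tail
        if d.eof:
            return bytes(out)
        if not piece and not pending:
            raise ValueError("truncated gzip stream")


# Constructed inputs: a frame that declares 16 MiB but carries 5 bytes, an
# honest frame, and a gzip bomb (8 MiB of zeros, roughly 8 KiB compressed).
LYING_FRAME = frame(16 << 20, b"hello")
HONEST_FRAME = frame(5, b"hello")
BOMB = gzip.compress(b"\0" * (8 << 20))
SMALL_GZ = gzip.compress(b"hello")

if __name__ == "__main__":
    print(try_read(read_frame_unbounded, LYING_FRAME))   # ('truncated', 16777216)
    print(try_read(read_frame_bounded, LYING_FRAME))     # ('too_large', None)
    print(len(BOMB), len(inflate_unbounded(BOMB)))
```

The two checks in the hardened reader are independent and both matter: the declared-length cap stops a single oversized request, while growing the buffer incrementally stops a client that declares a size just under the cap and then sends nothing, which would otherwise pin `MAX_FRAME` bytes per idle connection. For the inflater, the cap is compared against the running total, not against any size field in the gzip trailer, because the trailer is attacker-controlled too.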

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528

CVEs mapped to this weakness (964)

page 5 of 49
  • CVE-2026-23826 · High · May 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulting in a denial-of-service condition.…

  • CVE-2026-22925 · High · May 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application is susceptible to resource exhaustion when subjected to a high volume of TCP SYN packets. This could allow an attacker to render the service unavailable and cause…

  • CVE-2026-7541 · High · May 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled…

  • CVE-2025-66369 · High · May 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a…

  • CVE-2026-7768 · High · May 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually…

  • CVE-2026-42236 · High · May 4, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could…

  • CVE-2026-42198 · High · Apr 29, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very…

  • CVE-2026-5440 · High · Apr 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely…

  • CVE-2026-5439 · High · Apr 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a…

  • CVE-2026-5438 · High · Apr 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can…

  • CVE-2026-35405 · High · Apr 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the…

  • CVE-2026-35562 · High · Apr 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Allocation of resources without limits in the parsing components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to cause a denial of service by delivering crafted input that triggers excessive resource consumption during the driver's parsing operations. …

  • CVE-2026-31935 · High · Apr 2, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, flooding of crafted HTTP/2 continuation frames can lead to memory exhaustion, usually resulting in the Suricata process being shut down by the operating system. This issue has been patched in…

  • CVE-2026-26130 · High · Mar 10, 2026
    risk 0.49 · cvss 7.5 · epss 0.03

    Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

  • CVE-2019-25350 · High · Feb 18, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    XMedia Recode 3.4.8.6 contains a denial of service vulnerability that allows attackers to crash the application by loading a specially crafted .m3u playlist file. Attackers can create a malicious .m3u file with an oversized buffer to trigger an application crash when the file is…

  • CVE-2019-25342 · High · Feb 12, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Centova Cast 3.2.12 contains a denial of service vulnerability that allows attackers to overwhelm the system by repeatedly calling the database export API endpoint. Attackers can trigger 100% CPU load by sending multiple concurrent requests to the /api.php endpoint with crafted…

  • CVE-2026-1837 · High · Feb 11, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data. This can be done by requesting color transformation of grayscale images to…

  • CVE-2020-37143 · High · Feb 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and…

  • CVE-2020-37134 · High · Feb 5, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application…

  • CVE-2020-37085 · High · Feb 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing…
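The @fastify/accepts-serializer and libp2p-rendezvous entries above are the "number of resources" shape of this weakness: state keyed by a value the client chooses (an Accept header variant, a namespace name) with no ceiling on how many entries one client may create. The following is an added example, not code from either project or from the CWE entry, showing a cache and a per-peer registry each in the unbounded form and then bounded by a capacity, an eviction policy and a per-principal quota. The capacities, the negotiation stand-in `pick_serializer` and the header variants are all constructed for this example.

```python
from collections import OrderedDict

# Hypothetical policy values for this example.
MAX_CACHE_ENTRIES = 256   # entries the negotiation cache may hold
MAX_KEY_LEN = 1024        # keys longer than this are never cached
MAX_PER_PEER = 8          # namespaces one peer may register
MAX_TOTAL = 1024          # namespaces the whole registry may hold


def pick_serializer(accept: str) -> str:
    """Stand-in for content negotiation: the first media type in the header."""
    return accept.split(",")[0].split(";")[0].strip() or "*/*"


class UnboundedCache:
    """Vulnerable: one entry per distinct key, never evicted, so every unique
    Accept header a client invents becomes permanent server state."""
    def __init__(self):
        self._entries = {}
    def get_or_compute(self, key, compute):
        if key not in self._entries:
            self._entries[key] = compute(key)
        return self._entries[key]
    def __len__(self):
        return len(self._entries)
    def __contains__(self, key):
        return key in self._entries


class LRUCache(UnboundedCache):
    """Bounded: fixed capacity with least-recently-used eviction; oversized
    keys are served but not remembered, so the key is not an allocation vector."""
    def __init__(self, capacity=MAX_CACHE_ENTRIES, max_key_len=MAX_KEY_LEN):
        self.capacity, self.max_key_len = capacity, max_key_len
        self._entries = OrderedDict()
    def get_or_compute(self, key, compute):
        if len(key) > self.max_key_len:
            return compute(key)
        if key in self._entries:
            self._entries.move_to_end(key)
            return self._entries[key]
        value = self._entries[key] = compute(key)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)   # evict least recently used
        return value


class QuotaExceeded(Exception): pass


class UnboundedRegistry:
    """Vulnerable: any peer may register any number of namespaces."""
    def __init__(self):
        self._by_peer = {}
    def register(self, peer_id: str, namespace: str) -> None:
        self._by_peer.setdefault(peer_id, set()).add(namespace)
    def count(self, peer_id: str) -> int:
        return len(self._by_peer.get(peer_id, ()))


class BoundedRegistry(UnboundedRegistry):
    """Bounded: a per-peer quota and a global ceiling, checked before insert."""
    def __init__(self, per_peer=MAX_PER_PEER, total=MAX_TOTAL):
        super().__init__()
        self.per_peer, self.total, self._total = per_peer, total, 0
    def register(self, peer_id: str, namespace: str) -> None:
        names = self._by_peer.setdefault(peer_id, set())
        if namespace in names:
            return                                  # re-registration is free
        if len(names) >= self.per_peer:
            raise QuotaExceeded(f"{peer_id} already holds {self.per_peer} namespaces")
        if self._total >= self.total:
            raise QuotaExceeded("registry full")
        names.add(namespace)
        self._total += 1


def flood_caches(n: int):
    """Send n distinct-but-equivalent Accept headers (all negotiate to
    text/html) through both caches; return the resulting entry counts."""
    unbounded, bounded = UnboundedCache(), LRUCache()
    for i in range(n):
        header = f"text/html;q=1;x={i}"     # constructed variant, same result
        assert unbounded.get_or_compute(header, pick_serializer) == "text/html"
        assert bounded.get_or_compute(header, pick_serializer) == "text/html"
    return len(unbounded), len(bounded)


def flood_registry(peer_id: str, attempts: int):
    """One peer registering unique namespaces in a loop against both
    registries; return how many each one ended up holding for that peer."""
    loose, strict = UnboundedRegistry(), BoundedRegistry()
    for i in range(attempts):
        loose.register(peer_id, f"ns-{i}")
        try:
            strict.register(peer_id, f"ns-{i}")
        except QuotaExceeded:
            pass
    return loose.count(peer_id), strict.count(peer_id)


if __name__ == "__main__":
    print(flood_caches(10_000))            # (10000, 256)
    print(flood_registry("peer-A", 1000))  # (1000, 8)
```

The quota is enforced per principal rather than only globally: a global ceiling alone lets one peer fill the table and deny registration to everyone else, which is the same outage by a different route. For the cache, the length check on the key matters for the same reason the capacity does: with a capacity of 256 but no key limit, 256 multi-megabyte headers still exhaust memory.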