Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5428 vulnerabilities reference this CWE, most recent first.

GHSA-Q5C4-39F5-M68J

Vulnerability from github – Published: 2018-07-24 20:00 – Updated: 2023-09-08 20:01
VLAI
Summary
Regular Expression Denial of Service in decamelize
Details

Affected versions of decamelize are susceptible to a denial of service vulnerability when user input is passed directly into decamelize.

Recommendation

Update to version 1.1.2 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "decamelize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:51:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `decamelize` are susceptible to a denial of service vulnerability when user input is passed directly into `decamelize`.\n\n\n\n\n## Recommendation\n\nUpdate to version 1.1.2 or later.",
  "id": "GHSA-q5c4-39f5-m68j",
  "modified": "2023-09-08T20:01:42Z",
  "published": "2018-07-24T20:00:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16023"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/decamelize/issues/5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q5c4-39f5-m68j"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/308"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in decamelize"
}

GHSA-Q5F4-25C6-4R45

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05
VLAI
Details

A vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private Internal routing interfaces (IRIs) next-hop limit. Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. An indicator of compromise for this issue is the report of the following error message: %KERN-4: Nexthop index allocation failed: private index space exhausted This issue only affects the management interface, and does not impact regular transit traffic through the FPCs. This issue also only affects Junos OS 17.3R3. No prior versions of Junos OS are affected by this issue. Affected releases are Juniper Networks Junos OS: 17.3R3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-10T18:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private Internal routing interfaces (IRIs) next-hop limit. Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. An indicator of compromise for this issue is the report of the following error message: %KERN-4: Nexthop index allocation failed: private index space exhausted This issue only affects the management interface, and does not impact regular transit traffic through the FPCs. This issue also only affects Junos OS 17.3R3. No prior versions of Junos OS are affected by this issue. Affected releases are Juniper Networks Junos OS: 17.3R3.",
  "id": "GHSA-q5f4-25c6-4r45",
  "modified": "2022-05-13T01:05:21Z",
  "published": "2022-05-13T01:05:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0063"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10899"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041861"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5HQ-FP76-QMRC

Vulnerability from github – Published: 2021-06-08 18:49 – Updated: 2024-10-14 21:38
VLAI
Summary
Uncontrolled Resource Consumption in Pillow
Details

An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \r and \n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-28677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-03T21:33:17Z",
    "nvd_published_at": "2021-06-02T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Pillow before 8.2.0. For EPS data, the readline implementation used in EPSImageFile has to deal with any combination of \\r and \\n as line endings. It used an accidentally quadratic method of accumulating lines while looking for a line ending. A malicious EPS file could use this to perform a DoS of Pillow in the open phase, before an image was accepted for opening.",
  "id": "GHSA-q5hq-fp76-qmrc",
  "modified": "2024-10-14T21:38:36Z",
  "published": "2021-06-08T18:49:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/pull/5377"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q5hq-fp76-qmrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2021-93.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQHA5HAIBOYI3R6HDWCLAGFTIQP767FL"
    },
    {
      "type": "WEB",
      "url": "https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-33"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in Pillow"
}

GHSA-Q5PR-72PQ-83V3

Vulnerability from github – Published: 2026-03-23 21:44 – Updated: 2026-03-23 21:49
VLAI
Summary
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service
Details

Summary

The setChunkedCookie() and deleteChunkedCookie() functions in h3 trust the chunk count parsed from a user-controlled cookie value (__chunked__N) without any upper bound validation. An unauthenticated attacker can send a single request with a crafted cookie header (e.g., Cookie: h3=__chunked__999999) to any endpoint using sessions, causing the server to enter an O(n²) loop that hangs the process.

Details

The chunked cookie system stores large cookie values by splitting them into numbered chunks. The main cookie stores a sentinel value __chunked__N indicating how many chunks exist. When setting a new chunked cookie, the code cleans up any previous chunks that are no longer needed.

The vulnerability is in getChunkedCookieCount() at src/utils/cookie.ts:244-249:

function getChunkedCookieCount(cookie: string | undefined): number {
  if (!cookie?.startsWith(CHUNKED_COOKIE)) {
    return Number.NaN;
  }
  return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
  // No upper bound check — attacker controls this value
}

This value is consumed without validation in the cleanup loop of setChunkedCookie() at src/utils/cookie.ts:182-190:

const previousCookie = getCookie(event, name); // reads from request headers
if (previousCookie?.startsWith(CHUNKED_COOKIE)) {
  const previousChunkCount = getChunkedCookieCount(previousCookie);
  if (previousChunkCount > chunkCount) {
    for (let i = chunkCount; i <= previousChunkCount; i++) {
      deleteCookie(event, chunkCookieName(name, i), options);
      // Each deleteCookie → setCookie → scans ALL existing set-cookie headers
    }
  }
}

The same issue exists in deleteChunkedCookie() at src/utils/cookie.ts:227-232:

const chunksCount = getChunkedCookieCount(mainCookie);
if (chunksCount >= 0) {
  for (let i = 0; i < chunksCount; i++) {
    deleteCookie(event, chunkCookieName(name, i + 1), serializeOptions);
  }
}

The exploit chain through sessions:

  1. Attacker sends Cookie: h3=__chunked__999999 to any session-using endpoint
  2. getSession() (src/utils/session.ts:83) calls getChunkedCookie(event, "h3") (line 124)
  3. getChunkedCookie() returns undefined — the early return at line 153 fires because no actual chunk cookies (e.g., h3.1) exist in the request
  4. Since sealedSession is undefined, session.id remains empty (line 140), triggering updateSession() (line 143)
  5. updateSession() calls setChunkedCookie() with the newly sealed session value (line 179)
  6. Inside setChunkedCookie(), getCookie(event, name) re-reads the original request cookie __chunked__999999 at line 182
  7. previousChunkCount = 999999, chunkCount = 1 (new sealed session is small)
  8. The cleanup loop runs 999,998 iterations, each calling deleteCookie()setCookie()
  9. Each setCookie() call reads ALL existing set-cookie response headers via getSetCookie() (line 91) and iterates through them for deduplication (lines 100-106)
  10. This creates O(n²) complexity — approximately 10¹² operations for n=999999

Key observation: While getChunkedCookie() has an early-return optimization (line 153) that prevents it from looping on missing chunks, the cleanup loops in setChunkedCookie() and deleteChunkedCookie() have no such protection and run unconditionally for the full claimed chunk count.

PoC

Prerequisites: An h3 application with any endpoint using getSession() or useSession().

Example minimal server:

import { H3 } from "h3";
import { getSession } from "h3";

const app = new H3();

app.get("/dashboard", async (event) => {
  const session = await getSession(event, {
    password: "my-secret-password-at-least-32-chars-long!",
  });
  return { user: session.data.user || "anonymous" };
});

export default app;

Attack (single request, no authentication):

# This single request will hang the server process
curl -H 'Cookie: h3=__chunked__999999' http://localhost:3000/dashboard

For a less extreme but still impactful test:

# ~100K iterations — will take several seconds and block all other requests
curl -H 'Cookie: h3=__chunked__100000' http://localhost:3000/dashboard

The deleteChunkedCookie() path is exploitable via clearSession():

app.post("/logout", async (event) => {
  await clearSession(event, {
    password: "my-secret-password-at-least-32-chars-long!",
  });
  return { ok: true };
});
curl -X POST -H 'Cookie: h3=__chunked__999999' http://localhost:3000/logout

Impact

  • Complete Denial of Service: A single unauthenticated request with a 27-byte cookie header can hang the server process indefinitely. Node.js is single-threaded, so this blocks all request handling.
  • No authentication required: The attack only requires the ability to send HTTP requests with a crafted cookie header.
  • Minimal attacker effort: The payload is trivially small (Cookie: h3=__chunked__999999), making it easy to automate or repeat.
  • Wide attack surface: Any endpoint in the application that uses getSession(), useSession(), or clearSession() is vulnerable. Session usage is extremely common in web applications.
  • Amplification: The ratio of attacker input (27 bytes) to server work (billions of operations) is extreme.

Recommended Fix

Add a maximum chunk count constant and validate in getChunkedCookieCount():

const MAX_CHUNKED_COOKIE_COUNT = 100;

function getChunkedCookieCount(cookie: string | undefined): number {
  if (!cookie?.startsWith(CHUNKED_COOKIE)) {
    return Number.NaN;
  }
  const count = Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
  if (Number.isNaN(count) || count < 0 || count > MAX_CHUNKED_COOKIE_COUNT) {
    return Number.NaN;
  }
  return count;
}

This clamps the parsed count at a safe maximum. Since each chunk can hold ~4000 bytes and 100 chunks would allow ~400KB of cookie data (far beyond any practical limit), MAX_CHUNKED_COOKIE_COUNT = 100 is generous while eliminating the DoS vector.

Additionally, the callers should be updated to handle NaN safely. The cleanup loop in setChunkedCookie() already handles this correctly since NaN > chunkCount is false, so the loop won't execute. The deleteChunkedCookie() loop also handles it since NaN >= 0 is false.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.4"
            },
            {
              "fixed": "2.0.1-rc.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T21:44:55Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `setChunkedCookie()` and `deleteChunkedCookie()` functions in h3 trust the chunk count parsed from a user-controlled cookie value (`__chunked__N`) without any upper bound validation. An unauthenticated attacker can send a single request with a crafted cookie header (e.g., `Cookie: h3=__chunked__999999`) to any endpoint using sessions, causing the server to enter an O(n\u00b2) loop that hangs the process.\n\n## Details\n\nThe chunked cookie system stores large cookie values by splitting them into numbered chunks. The main cookie stores a sentinel value `__chunked__N` indicating how many chunks exist. When setting a new chunked cookie, the code cleans up any previous chunks that are no longer needed.\n\nThe vulnerability is in `getChunkedCookieCount()` at `src/utils/cookie.ts:244-249`:\n\n```typescript\nfunction getChunkedCookieCount(cookie: string | undefined): number {\n  if (!cookie?.startsWith(CHUNKED_COOKIE)) {\n    return Number.NaN;\n  }\n  return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));\n  // No upper bound check \u2014 attacker controls this value\n}\n```\n\nThis value is consumed without validation in the cleanup loop of `setChunkedCookie()` at `src/utils/cookie.ts:182-190`:\n\n```typescript\nconst previousCookie = getCookie(event, name); // reads from request headers\nif (previousCookie?.startsWith(CHUNKED_COOKIE)) {\n  const previousChunkCount = getChunkedCookieCount(previousCookie);\n  if (previousChunkCount \u003e chunkCount) {\n    for (let i = chunkCount; i \u003c= previousChunkCount; i++) {\n      deleteCookie(event, chunkCookieName(name, i), options);\n      // Each deleteCookie \u2192 setCookie \u2192 scans ALL existing set-cookie headers\n    }\n  }\n}\n```\n\nThe same issue exists in `deleteChunkedCookie()` at `src/utils/cookie.ts:227-232`:\n\n```typescript\nconst chunksCount = getChunkedCookieCount(mainCookie);\nif (chunksCount \u003e= 0) {\n  for (let i = 0; i \u003c chunksCount; i++) {\n    deleteCookie(event, chunkCookieName(name, i + 1), serializeOptions);\n  }\n}\n```\n\n**The exploit chain through sessions:**\n\n1. Attacker sends `Cookie: h3=__chunked__999999` to any session-using endpoint\n2. `getSession()` (`src/utils/session.ts:83`) calls `getChunkedCookie(event, \"h3\")` (line 124)\n3. `getChunkedCookie()` returns `undefined` \u2014 the early return at line 153 fires because no actual chunk cookies (e.g., `h3.1`) exist in the request\n4. Since `sealedSession` is undefined, `session.id` remains empty (line 140), triggering `updateSession()` (line 143)\n5. `updateSession()` calls `setChunkedCookie()` with the newly sealed session value (line 179)\n6. Inside `setChunkedCookie()`, `getCookie(event, name)` re-reads the original request cookie `__chunked__999999` at line 182\n7. `previousChunkCount` = 999999, `chunkCount` = 1 (new sealed session is small)\n8. The cleanup loop runs 999,998 iterations, each calling `deleteCookie()` \u2192 `setCookie()`\n9. Each `setCookie()` call reads ALL existing `set-cookie` response headers via `getSetCookie()` (line 91) and iterates through them for deduplication (lines 100-106)\n10. This creates O(n\u00b2) complexity \u2014 approximately 10\u00b9\u00b2 operations for n=999999\n\n**Key observation:** While `getChunkedCookie()` has an early-return optimization (line 153) that prevents it from looping on missing chunks, the cleanup loops in `setChunkedCookie()` and `deleteChunkedCookie()` have no such protection and run unconditionally for the full claimed chunk count.\n\n## PoC\n\n**Prerequisites:** An h3 application with any endpoint using `getSession()` or `useSession()`.\n\nExample minimal server:\n\n```typescript\nimport { H3 } from \"h3\";\nimport { getSession } from \"h3\";\n\nconst app = new H3();\n\napp.get(\"/dashboard\", async (event) =\u003e {\n  const session = await getSession(event, {\n    password: \"my-secret-password-at-least-32-chars-long!\",\n  });\n  return { user: session.data.user || \"anonymous\" };\n});\n\nexport default app;\n```\n\n**Attack (single request, no authentication):**\n\n```bash\n# This single request will hang the server process\ncurl -H \u0027Cookie: h3=__chunked__999999\u0027 http://localhost:3000/dashboard\n```\n\nFor a less extreme but still impactful test:\n\n```bash\n# ~100K iterations \u2014 will take several seconds and block all other requests\ncurl -H \u0027Cookie: h3=__chunked__100000\u0027 http://localhost:3000/dashboard\n```\n\nThe `deleteChunkedCookie()` path is exploitable via `clearSession()`:\n\n```typescript\napp.post(\"/logout\", async (event) =\u003e {\n  await clearSession(event, {\n    password: \"my-secret-password-at-least-32-chars-long!\",\n  });\n  return { ok: true };\n});\n```\n\n```bash\ncurl -X POST -H \u0027Cookie: h3=__chunked__999999\u0027 http://localhost:3000/logout\n```\n\n## Impact\n\n- **Complete Denial of Service**: A single unauthenticated request with a 27-byte cookie header can hang the server process indefinitely. Node.js is single-threaded, so this blocks all request handling.\n- **No authentication required**: The attack only requires the ability to send HTTP requests with a crafted cookie header.\n- **Minimal attacker effort**: The payload is trivially small (`Cookie: h3=__chunked__999999`), making it easy to automate or repeat.\n- **Wide attack surface**: Any endpoint in the application that uses `getSession()`, `useSession()`, or `clearSession()` is vulnerable. Session usage is extremely common in web applications.\n- **Amplification**: The ratio of attacker input (27 bytes) to server work (billions of operations) is extreme.\n\n## Recommended Fix\n\nAdd a maximum chunk count constant and validate in `getChunkedCookieCount()`:\n\n```typescript\nconst MAX_CHUNKED_COOKIE_COUNT = 100;\n\nfunction getChunkedCookieCount(cookie: string | undefined): number {\n  if (!cookie?.startsWith(CHUNKED_COOKIE)) {\n    return Number.NaN;\n  }\n  const count = Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));\n  if (Number.isNaN(count) || count \u003c 0 || count \u003e MAX_CHUNKED_COOKIE_COUNT) {\n    return Number.NaN;\n  }\n  return count;\n}\n```\n\nThis clamps the parsed count at a safe maximum. Since each chunk can hold ~4000 bytes and 100 chunks would allow ~400KB of cookie data (far beyond any practical limit), `MAX_CHUNKED_COOKIE_COUNT = 100` is generous while eliminating the DoS vector.\n\nAdditionally, the callers should be updated to handle `NaN` safely. The cleanup loop in `setChunkedCookie()` already handles this correctly since `NaN \u003e chunkCount` is false, so the loop won\u0027t execute. The `deleteChunkedCookie()` loop also handles it since `NaN \u003e= 0` is false.",
  "id": "GHSA-q5pr-72pq-83v3",
  "modified": "2026-03-23T21:49:19Z",
  "published": "2026-03-23T21:44:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-q5pr-72pq-83v3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/commit/399257cb406fbeda313d88c1e288a15124fc82af"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service"
}

GHSA-Q5QX-CVHV-QFQ2

Vulnerability from github – Published: 2023-07-18 18:30 – Updated: 2024-04-04 06:13
VLAI
Details

The Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing.  The new ENIP connections cannot be established if impacted by this vulnerability,  which prohibits operational capabilities of the device resulting in a denial-of-service attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-18T16:15:11Z",
    "severity": "HIGH"
  },
  "details": "\nThe Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing. \u00a0The new ENIP connections cannot be established if impacted by this vulnerability, \u00a0which prohibits operational capabilities of the device resulting in a denial-of-service attack.\n\n\n",
  "id": "GHSA-q5qx-cvhv-qfq2",
  "modified": "2024-04-04T06:13:52Z",
  "published": "2023-07-18T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2263"
    },
    {
      "type": "WEB",
      "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q5R6-9QWQ-G2WJ

Vulnerability from github – Published: 2025-10-09 22:15 – Updated: 2025-10-09 22:15
VLAI
Summary
Amazon.IonDotnet is vulnerable to Denial of Service attacks
Details

Summary

Amazon.IonDotnet is a library for the Dotnet language that is used to read and write Amazon Ion data. An issue exists where, under certain circumstances, the library could an infinite loop, resulting in denial of service. As of August 20, 2025, this library has been deprecated and will not receive further updates.

Impact

An infinite loop issue in Amazon.IonDotnet library versions <v1.3.2 may allow a threat actor to cause a denial of service through a specially crafted text input. This invalid input triggered an error condition in the parser that was handled improperly, resulting in an infinite loop.

Impacted versions:

<1.3.2

Patches

This issue has been addressed in Amazon.IonDotnet version 1.3.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds

Only accept data from trusted sources, written using a supported Ion library.

References

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Amazon.IonDotnet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1286",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-09T22:15:57Z",
    "nvd_published_at": "2025-10-09T18:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAmazon.IonDotnet is a library for the Dotnet language that is used to read and write Amazon Ion data. An issue exists where, under certain circumstances, the library could an infinite loop, resulting in denial of service. As of August 20, 2025, this library has been deprecated and will not receive further updates.\n\n### Impact\nAn infinite loop issue in Amazon.IonDotnet library versions \u003cv1.3.2 may allow a threat actor to cause a denial of service through a specially crafted text input. This invalid input triggered an error condition in the parser that was handled improperly, resulting in an infinite loop.\n\n### Impacted versions:\n\u003c1.3.2\n\n### Patches\nThis issue has been addressed in Amazon.IonDotnet version [1.3.2](https://www.nuget.org/packages/Amazon.IonDotnet/1.3.2). We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.\n\n### Workarounds\nOnly accept data from trusted sources, written using a supported Ion library.\n\n### References\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
  "id": "GHSA-q5r6-9qwq-g2wj",
  "modified": "2025-10-09T22:15:57Z",
  "published": "2025-10-09T22:15:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/amazon-ion/ion-dotnet/security/advisories/GHSA-q5r6-9qwq-g2wj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11573"
    },
    {
      "type": "WEB",
      "url": "https://github.com/amazon-ion/ion-dotnet/pull/160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/amazon-ion/ion-dotnet/commit/edaff75fe5abbb71e647bed812c608c0c5e2fbab"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/amazon-ion/ion-dotnet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/amazon-ion/ion-dotnet/releases/tag/v1.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Amazon.IonDotnet is vulnerable to Denial of Service attacks"
}

GHSA-Q5V7-7R3X-M7HG

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A Denial of Service (DoS) vulnerability exists in the file upload feature of imartinez/privategpt version v0.6.2. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this by sending a payload with an excessively large filename, causing the server to become overwhelmed and unavailable to legitimate users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:26Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service (DoS) vulnerability exists in the file upload feature of imartinez/privategpt version v0.6.2. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this by sending a payload with an excessively large filename, causing the server to become overwhelmed and unavailable to legitimate users.",
  "id": "GHSA-q5v7-7r3x-m7hg",
  "modified": "2025-03-20T12:32:42Z",
  "published": "2025-03-20T12:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12063"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/7db0091f-cb53-4cde-aad7-7ce491dfd8d9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q632-7V8J-586G

Vulnerability from github – Published: 2024-08-19 06:30 – Updated: 2024-08-28 15:31
VLAI
Details

ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases, this is an inconvenience but not a security issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-19T04:15:04Z",
    "severity": "CRITICAL"
  },
  "details": "ida64.dll in Hex-Rays IDA Pro through 8.4 crashes when there is a section that has many jumps linked, and the final jump corresponds to the payload from where the actual entry point will be invoked. NOTE: in many use cases, this is an inconvenience but not a security issue.",
  "id": "GHSA-q632-7v8j-586g",
  "modified": "2024-08-28T15:31:13Z",
  "published": "2024-08-19T06:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azvanzed/CVE-2024-44083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Azvanzed/IdaMeme"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q652-P9GF-VFQ3

Vulnerability from github – Published: 2023-06-08 03:30 – Updated: 2025-06-09 15:31
VLAI
Details

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-404"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-08T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.",
  "id": "GHSA-q652-p9gf-vfq3",
  "modified": "2025-06-09T15:31:35Z",
  "published": "2023-06-08T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34969"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231208-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q663-QWPJ-9W6Q

Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35
VLAI
Details

API calls in the Translation API feature in Systran Pure Neural Server before 9.7.0 allow a threat actor to use the Systran Pure Neural Server as a Denial-of-Service proxy by sending a large amount of translation requests to a destination host on any given TCP port regardless of whether a web service is running on the destination port.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-08T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "API calls in the Translation API feature in Systran Pure Neural Server before 9.7.0 allow a threat actor to use the Systran Pure Neural Server as a Denial-of-Service proxy by sending a large amount of translation requests to a destination host on any given TCP port regardless of whether a web service is running on the destination port.",
  "id": "GHSA-q663-qwpj-9w6q",
  "modified": "2022-05-24T17:35:44Z",
  "published": "2022-05-24T17:35:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29540"
    },
    {
      "type": "WEB",
      "url": "https://grave-rose.medium.com/two-systran-vulnerabilities-and-their-exploits-8bc83ba29e14"
    },
    {
      "type": "WEB",
      "url": "https://www.systransoft.com/translation-products/systran-pure-neural-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.