CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5424 vulnerabilities reference this CWE, most recent first.
GHSA-QH73-QC3P-RJV2
Vulnerability from github – Published: 2022-02-11 18:57 – Updated: 2022-02-23 22:11Impact
This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136).
By providing a name=constructor property it is still possible to crash the application.
The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).
All users are recommended to upgrade
Patches
v5.3.1 includes a patch
Workarounds
No workarounds are possible.
References
Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/fastify/fastify-multipart * Email us at hello@matteocollina.com
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fastify-multipart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23597"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-11T18:57:53Z",
"nvd_published_at": "2022-02-11T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThis is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136).\nBy providing a `name=constructor` property it is still possible to crash the application.\nThe original fix only checks for the key `__proto__` (https://github.com/fastify/fastify-multipart/pull/116).\n\nAll users are recommended to upgrade\n\n### Patches\n\nv5.3.1 includes a patch\n \n### Workarounds\n\nNo workarounds are possible.\n\n### References\n\nRead up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/fastify/fastify-multipart](https://github.com/fastify/fastify-multipart)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
"id": "GHSA-qh73-qc3p-rjv2",
"modified": "2022-02-23T22:11:16Z",
"published": "2022-02-11T18:57:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23597"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-multipart/pull/116"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-multipart"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
},
{
"type": "WEB",
"url": "https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncaught Exception in fastify-multipart"
}
GHSA-QH7Q-X454-PHCX
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-13 21:31An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.
{
"affected": [],
"aliases": [
"CVE-2026-22228"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T18:16:19Z",
"severity": "MODERATE"
},
"details": "An authenticated user with high privileges may trigger a denial\u2011of\u2011service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation.\nThis issue affects Archer BE230 v1.2 \u003c 1.2.4 Build 20251218 rel.70420.",
"id": "GHSA-qh7q-x454-phcx",
"modified": "2026-02-13T21:31:33Z",
"published": "2026-02-03T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22228"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/us/support/faq/4941"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QHHG-F5Q2-J9GJ
Vulnerability from github – Published: 2023-07-03 15:30 – Updated: 2024-04-04 05:20AnyDesk 7.0.8 allows remote Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2023-26509"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-03T15:15:10Z",
"severity": "HIGH"
},
"details": "AnyDesk 7.0.8 allows remote Denial of Service.",
"id": "GHSA-qhhg-f5q2-j9gj",
"modified": "2024-04-04T05:20:36Z",
"published": "2023-07-03T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26509"
},
{
"type": "WEB",
"url": "https://anydesk.com/cve/2023-26509"
},
{
"type": "WEB",
"url": "https://anydesk.com/en/downloads/windows"
},
{
"type": "WEB",
"url": "https://gist.github.com/Fastor01/161211a8aef1278d942c551fd2065ca5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QHMP-H54X-38QR
Vulnerability from github – Published: 2021-09-20 20:57 – Updated: 2024-09-12 20:54Impact
Anyone publicly hosting the Apprise library and granting them access to the IFTTT notification service.
Patches
Update to Apprise v0.9.5.1
bash
# Install Apprise v0.9.5.1 from PyPI
pip install apprise==0.9.5.1
The patch to the problem was performed here.
Workarounds
Alternatively, if upgrading is not an option, you can safely remove the following file:
- apprise/plugins/NotifyIFTTT.py
The above will eliminate the ability to use IFTTT, but everything else will work smoothly.
For more information
If you have any questions or comments about this advisory: * Open an issue in Apprise * Email me at lead2gold@gmail.com
Additional Credit
Github would not allow me to additionally credit Rasmus Petersen, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited
Additional Notes:
- Github would not allow me to add/tag the 2 CWE's this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.4"
},
"package": {
"ecosystem": "PyPI",
"name": "apprise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39229"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T20:30:36Z",
"nvd_published_at": "2021-09-20T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nAnyone _publicly_ hosting the Apprise library and granting them access to the IFTTT notification service.\n\n### Patches\nUpdate to Apprise v0.9.5.1\n ```bash\n # Install Apprise v0.9.5.1 from PyPI\n pip install apprise==0.9.5.1\n ```\n\nThe patch to the problem was performed [here](https://github.com/caronc/apprise/pull/436/files).\n\n### Workarounds\nAlternatively, if upgrading is not an option, you can safely remove the following file:\n- `apprise/plugins/NotifyIFTTT.py` \n\nThe above will eliminate the ability to use IFTTT, but everything else will work smoothly.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Apprise](https://github.com/caronc/apprise/issues)\n* Email me at [lead2gold@gmail.com](mailto:lead2gold@gmail.com)\n\n### Additional Credit\nGithub would not allow me to additionally credit **Rasmus Petersen**, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited\n\n## Additional Notes:\n- Github would not allow me to add/tag the 2 CWE\u0027s this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)\n",
"id": "GHSA-qhmp-h54x-38qr",
"modified": "2024-09-12T20:54:36Z",
"published": "2021-09-20T20:57:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/security/advisories/GHSA-qhmp-h54x-38qr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39229"
},
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/pull/436"
},
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/commit/e20fce630d55e4ca9b0a1e325a5fea6997489831"
},
{
"type": "PACKAGE",
"url": "https://github.com/caronc/apprise"
},
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359"
},
{
"type": "WEB",
"url": "https://github.com/caronc/apprise/releases/tag/v0.9.5.1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apprise/PYSEC-2021-327.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apprise vulnerable to regex injection with IFTTT Plugin"
}
GHSA-QHX6-HPFJ-8M4G
Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2026-03-03 15:31When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
{
"affected": [],
"aliases": [
"CVE-2025-13837"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-01T18:16:04Z",
"severity": "LOW"
},
"details": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
"id": "GHSA-qhx6-hpfj-8m4g",
"modified": "2026-03-03T15:31:35Z",
"published": "2025-12-01T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13837"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/119342"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/119343"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QHXF-2FW5-W33W
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system.
{
"affected": [],
"aliases": [
"CVE-2021-25659"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-10T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions \u003c V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system.",
"id": "GHSA-qhxf-2fw5-w33w",
"modified": "2022-05-24T19:10:37Z",
"published": "2022-05-24T19:10:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25659"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-158827.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ2R-8848-46QG
Vulnerability from github – Published: 2023-04-11 21:31 – Updated: 2023-04-11 21:31Microsoft Defender Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2023-24860"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T21:15:00Z",
"severity": "HIGH"
},
"details": "Microsoft Defender Denial of Service Vulnerability",
"id": "GHSA-qj2r-8848-46qg",
"modified": "2023-04-11T21:31:02Z",
"published": "2023-04-11T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24860"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJ7C-F3XJ-JXPV
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2025-05-27 15:31Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.
{
"affected": [],
"aliases": [
"CVE-2022-40188"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-407"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T16:15:00Z",
"severity": "HIGH"
},
"details": "Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.",
"id": "GHSA-qj7c-f3xj-jxpv",
"modified": "2025-05-27T15:31:17Z",
"published": "2022-09-25T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40188"
},
{
"type": "WEB",
"url": "https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJ7J-W6M6-7FGC
Vulnerability from github – Published: 2022-02-06 00:00 – Updated: 2022-02-26 00:01A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)
{
"affected": [],
"aliases": [
"CVE-2022-22724"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)",
"id": "GHSA-qj7j-w6m6-7fgc",
"modified": "2022-02-26T00:01:36Z",
"published": "2022-02-06T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22724"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QJ83-CQ47-W5F8
Vulnerability from github – Published: 2026-04-08 15:51 – Updated: 2026-04-27 17:00Summary
Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.
Details
The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array.
Vulnerable Code:
while (i--) {
if (entries[i][0] === session) {
entries.splice(i, 1);
if (len === 1) {
delete this.sessions[authority];
return;
}
}
}
Root Cause:
After calling entries.splice(i, 1) to remove a session, the original code only returned early if len === 1. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.
Fixed Code:
while (i--) {
if (entries[i][0] === session) {
if (len === 1) {
delete this.sessions[authority];
} else {
entries.splice(i, 1);
}
return;
}
}
The fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.
Affected Component:
- lib/adapters/http.js - Http2Sessions class, session cleanup in connection close handler
PoC
- Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client
- Establish multiple concurrent HTTP/2 sessions with the axios client
- Close all sessions simultaneously with precise timing
- The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently
- This causes the client to access invalid memory locations, resulting in a process crash
Prerequisites: - Client must use axios with HTTP/2 enabled - Client must connect to attacker-controlled HTTP/2 server - Multiple concurrent HTTP/2 sessions must be established - Server must close all sessions simultaneously with precise timing
Impact
Who is impacted: - Applications using axios with HTTP/2 enabled - Applications connecting to untrusted or attacker-controlled HTTP/2 servers - Node.js applications using axios for HTTP/2 requests
Impact Details: - Denial of Service: Malicious server can crash the axios client process by accepting and closing multiple concurrent HTTP/2 connections simultaneously - Availability Impact: Complete loss of availability for the client process through crash (though service may auto-restart) - Scope: Impact is limited to the single client process making the requests; does not escape to affect other components or systems - No Confidentiality or Integrity Impact: Vulnerability only causes process crash, no information disclosure or data modification
CVSS Score: 5.9 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE Classifications: - CWE-400: Uncontrolled Resource Consumption - CWE-662: Improper Synchronization
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39865"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:51:48Z",
"nvd_published_at": "2026-04-08T15:16:16Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAxios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.\n\n### Details\n\nThe vulnerability exists in the `Http2Sessions.getSession()` method in `lib/adapters/http.js`. The session cleanup logic contains a control flow error when removing sessions from the sessions array.\n\n**Vulnerable Code:**\n```javascript\nwhile (i--) {\n if (entries[i][0] === session) {\n entries.splice(i, 1);\n if (len === 1) {\n delete this.sessions[authority];\n return;\n }\n }\n}\n```\n\n**Root Cause:**\nAfter calling `entries.splice(i, 1)` to remove a session, the original code only returned early if `len === 1`. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.\n\n**Fixed Code:**\n```javascript\nwhile (i--) {\n if (entries[i][0] === session) {\n if (len === 1) {\n delete this.sessions[authority];\n } else {\n entries.splice(i, 1);\n }\n return;\n }\n}\n```\n\nThe fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.\n\n**Affected Component:**\n- `lib/adapters/http.js` - Http2Sessions class, session cleanup in connection close handler\n\n### PoC\n\n1. Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client\n2. Establish multiple concurrent HTTP/2 sessions with the axios client\n3. Close all sessions simultaneously with precise timing\n4. The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently\n5. This causes the client to access invalid memory locations, resulting in a process crash\n\n**Prerequisites:**\n- Client must use axios with HTTP/2 enabled\n- Client must connect to attacker-controlled HTTP/2 server\n- Multiple concurrent HTTP/2 sessions must be established\n- Server must close all sessions simultaneously with precise timing\n\n### Impact\n\n**Who is impacted:**\n- Applications using axios with HTTP/2 enabled\n- Applications connecting to untrusted or attacker-controlled HTTP/2 servers\n- Node.js applications using axios for HTTP/2 requests\n\n**Impact Details:**\n- **Denial of Service:** Malicious server can crash the axios client process by accepting and closing multiple concurrent HTTP/2 connections simultaneously\n- **Availability Impact:** Complete loss of availability for the client process through crash (though service may auto-restart)\n- **Scope:** Impact is limited to the single client process making the requests; does not escape to affect other components or systems\n- **No Confidentiality or Integrity Impact:** Vulnerability only causes process crash, no information disclosure or data modification\n\n**CVSS Score:** 5.9 (Medium)\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n**CWE Classifications:**\n- CWE-400: Uncontrolled Resource Consumption\n- CWE-662: Improper Synchronization",
"id": "GHSA-qj83-cq47-w5f8",
"modified": "2026-04-27T17:00:15Z",
"published": "2026-04-08T15:51:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39865"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v1.13.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Axios HTTP/2 Session Cleanup State Corruption Vulnerability"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.