Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5424 vulnerabilities reference this CWE, most recent first.

GHSA-QH73-QC3P-RJV2

Vulnerability from github – Published: 2022-02-11 18:57 – Updated: 2022-02-23 22:11
VLAI
Summary
Uncaught Exception in fastify-multipart
Details

Impact

This is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136). By providing a name=constructor property it is still possible to crash the application. The original fix only checks for the key __proto__ (https://github.com/fastify/fastify-multipart/pull/116).

All users are recommended to upgrade

Patches

v5.3.1 includes a patch

Workarounds

No workarounds are possible.

References

Read up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/fastify/fastify-multipart * Email us at hello@matteocollina.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fastify-multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-11T18:57:53Z",
    "nvd_published_at": "2022-02-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis is a bypass of CVE-2020-8136 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8136).\nBy providing a `name=constructor` property it is still possible to crash the application.\nThe original fix only checks for the key `__proto__` (https://github.com/fastify/fastify-multipart/pull/116).\n\nAll users are recommended to upgrade\n\n### Patches\n\nv5.3.1 includes a patch\n \n### Workarounds\n\nNo workarounds are possible.\n\n### References\n\nRead up https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/fastify/fastify-multipart](https://github.com/fastify/fastify-multipart)\n* Email us at [hello@matteocollina.com](mailto:hello@matteocollina.com)\n",
  "id": "GHSA-qh73-qc3p-rjv2",
  "modified": "2022-02-23T22:11:16Z",
  "published": "2022-02-11T18:57:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/security/advisories/GHSA-qh73-qc3p-rjv2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/pull/116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/commit/a70dc7059a794589bd4fe066453141fc609e6066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fastify/fastify-multipart/releases/tag/v5.3.1"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-FASTIFYMULTIPART-2395480"
    },
    {
      "type": "WEB",
      "url": "https://www.fastify.io/docs/latest/Guides/Prototype-Poisoning"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncaught Exception in fastify-multipart"
}

GHSA-QH7Q-X454-PHCX

Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-13 21:31
VLAI
Details

An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T18:16:19Z",
    "severity": "MODERATE"
  },
  "details": "An authenticated user with high privileges may trigger a denial\u2011of\u2011service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation.\nThis issue affects Archer BE230 v1.2 \u003c 1.2.4 Build 20251218 rel.70420.",
  "id": "GHSA-qh7q-x454-phcx",
  "modified": "2026-02-13T21:31:33Z",
  "published": "2026-02-03T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22228"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware"
    },
    {
      "type": "WEB",
      "url": "https://www.tp-link.com/us/support/faq/4941"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QHHG-F5Q2-J9GJ

Vulnerability from github – Published: 2023-07-03 15:30 – Updated: 2024-04-04 05:20
VLAI
Details

AnyDesk 7.0.8 allows remote Denial of Service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-03T15:15:10Z",
    "severity": "HIGH"
  },
  "details": "AnyDesk 7.0.8 allows remote Denial of Service.",
  "id": "GHSA-qhhg-f5q2-j9gj",
  "modified": "2024-04-04T05:20:36Z",
  "published": "2023-07-03T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26509"
    },
    {
      "type": "WEB",
      "url": "https://anydesk.com/cve/2023-26509"
    },
    {
      "type": "WEB",
      "url": "https://anydesk.com/en/downloads/windows"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Fastor01/161211a8aef1278d942c551fd2065ca5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QHMP-H54X-38QR

Vulnerability from github – Published: 2021-09-20 20:57 – Updated: 2024-09-12 20:54
VLAI
Summary
Apprise vulnerable to regex injection with IFTTT Plugin
Details

Impact

Anyone publicly hosting the Apprise library and granting them access to the IFTTT notification service.

Patches

Update to Apprise v0.9.5.1 bash # Install Apprise v0.9.5.1 from PyPI pip install apprise==0.9.5.1

The patch to the problem was performed here.

Workarounds

Alternatively, if upgrading is not an option, you can safely remove the following file: - apprise/plugins/NotifyIFTTT.py

The above will eliminate the ability to use IFTTT, but everything else will work smoothly.

For more information

If you have any questions or comments about this advisory: * Open an issue in Apprise * Email me at lead2gold@gmail.com

Additional Credit

Github would not allow me to additionally credit Rasmus Petersen, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited

Additional Notes:

  • Github would not allow me to add/tag the 2 CWE's this issue is applicable to (only CWE-400). The other is: CWE-730 (placed in the title)
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.9.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "apprise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-39229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T20:30:36Z",
    "nvd_published_at": "2021-09-20T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAnyone _publicly_ hosting the Apprise library and granting them access to the IFTTT notification service.\n\n### Patches\nUpdate to Apprise v0.9.5.1\n   ```bash\n   # Install Apprise v0.9.5.1 from PyPI\n   pip install apprise==0.9.5.1\n   ```\n\nThe patch to the problem was performed [here](https://github.com/caronc/apprise/pull/436/files).\n\n### Workarounds\nAlternatively, if upgrading is not an option, you can safely remove the following file:\n- `apprise/plugins/NotifyIFTTT.py` \n\nThe above will eliminate the ability to use IFTTT, but everything else will work smoothly.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Apprise](https://github.com/caronc/apprise/issues)\n* Email me at [lead2gold@gmail.com](mailto:lead2gold@gmail.com)\n\n### Additional Credit\nGithub would not allow me to additionally credit **Rasmus Petersen**, but I would like to put that here at the very least - thank you for finding and reporting this issue along with those already credited\n\n## Additional Notes:\n- Github would not allow me to add/tag the 2 CWE\u0027s this issue is applicable to (only CWE-400).  The other is: CWE-730 (placed in the title)\n",
  "id": "GHSA-qhmp-h54x-38qr",
  "modified": "2024-09-12T20:54:36Z",
  "published": "2021-09-20T20:57:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/caronc/apprise/security/advisories/GHSA-qhmp-h54x-38qr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caronc/apprise/pull/436"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caronc/apprise/commit/e20fce630d55e4ca9b0a1e325a5fea6997489831"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/caronc/apprise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caronc/apprise/blob/0007eade20934ddef0aba38b8f1aad980cfff253/apprise/plugins/NotifyIFTTT.py#L356-L359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/caronc/apprise/releases/tag/v0.9.5.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apprise/PYSEC-2021-327.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apprise vulnerable to regex injection with IFTTT Plugin"
}

GHSA-QHX6-HPFJ-8M4G

Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2026-03-03 15:31
VLAI
Details

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T18:16:04Z",
    "severity": "LOW"
  },
  "details": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues",
  "id": "GHSA-qhx6-hpfj-8m4g",
  "modified": "2026-03-03T15:31:35Z",
  "published": "2025-12-01T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/119342"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/119343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/568342cfc8f002d9a15f30238f26b9d2e0e79036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/5a8b19677d818fb41ee55f310233772e15aa1a2b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/694922cf40aa3a28f898b5f5ee08b71b4922df70"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/71fa8eb8233b37f16c88b6e3e583b461b205d1ba"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/b64441e4852383645af5b435411a6f849dd1b4cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/cefee7d118a26ef6cd43db59bb9d98ca9a331111"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/2X5IBCJXRQAZ5PSERLHMSJFBHFR3QM2C"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QHXF-2FW5-W33W

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Automation License Manager 5 (All versions), Automation License Manager 6 (All versions \u003c V6.0 SP9 Update 2). Sending specially crafted packets to port 4410/tcp of an affected system could lead to extensive memory being consumed and as such could cause a denial-of-service preventing legitimate users from using the system.",
  "id": "GHSA-qhxf-2fw5-w33w",
  "modified": "2022-05-24T19:10:37Z",
  "published": "2022-05-24T19:10:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25659"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-158827.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QJ2R-8848-46QG

Vulnerability from github – Published: 2023-04-11 21:31 – Updated: 2023-04-11 21:31
VLAI
Details

Microsoft Defender Denial of Service Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Defender Denial of Service Vulnerability",
  "id": "GHSA-qj2r-8848-46qg",
  "modified": "2023-04-11T21:31:02Z",
  "published": "2023-04-11T21:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24860"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24860"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ7C-F3XJ-JXPV

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2025-05-27 15:31
VLAI
Details

Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-407"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Knot Resolver before 5.5.3 allows remote attackers to cause a denial of service (CPU consumption) because of algorithmic complexity. During an attack, an authoritative server must return large NS sets or address sets.",
  "id": "GHSA-qj7c-f3xj-jxpv",
  "modified": "2025-05-27T15:31:17Z",
  "published": "2022-09-25T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40188"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1343#note_262558"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMDNIUI7GTUEKIBBYYW7OCTJQFPDNXL"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S2VE5K3VDUHJOIA2IGT3G5R76IBADMNE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO6LIVQS62MI5GG4OVYB5RHVZMYNHAHG"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QJ7J-W6M6-7FGC

Vulnerability from github – Published: 2022-02-06 00:00 – Updated: 2022-02-26 00:01
VLAI
Details

A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service on ports 80 (HTTP) and 502 (Modbus), when sending a large number of TCP RST or FIN packets to any open TCP port of the PLC. Affected Product: Modicon M340 CPUs: BMXP34 (All Versions)",
  "id": "GHSA-qj7j-w6m6-7fgc",
  "modified": "2022-02-26T00:01:36Z",
  "published": "2022-02-06T00:00:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22724"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QJ83-CQ47-W5F8

Vulnerability from github – Published: 2026-04-08 15:51 – Updated: 2026-04-27 17:00
VLAI
Summary
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Details

Summary

Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.

Details

The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array.

Vulnerable Code:

while (i--) {
  if (entries[i][0] === session) {
    entries.splice(i, 1);
    if (len === 1) {
      delete this.sessions[authority];
      return;
    }
  }
}

Root Cause: After calling entries.splice(i, 1) to remove a session, the original code only returned early if len === 1. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.

Fixed Code:

while (i--) {
  if (entries[i][0] === session) {
    if (len === 1) {
      delete this.sessions[authority];
    } else {
      entries.splice(i, 1);
    }
    return;
  }
}

The fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.

Affected Component: - lib/adapters/http.js - Http2Sessions class, session cleanup in connection close handler

PoC

  1. Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client
  2. Establish multiple concurrent HTTP/2 sessions with the axios client
  3. Close all sessions simultaneously with precise timing
  4. The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently
  5. This causes the client to access invalid memory locations, resulting in a process crash

Prerequisites: - Client must use axios with HTTP/2 enabled - Client must connect to attacker-controlled HTTP/2 server - Multiple concurrent HTTP/2 sessions must be established - Server must close all sessions simultaneously with precise timing

Impact

Who is impacted: - Applications using axios with HTTP/2 enabled - Applications connecting to untrusted or attacker-controlled HTTP/2 servers - Node.js applications using axios for HTTP/2 requests

Impact Details: - Denial of Service: Malicious server can crash the axios client process by accepting and closing multiple concurrent HTTP/2 connections simultaneously - Availability Impact: Complete loss of availability for the client process through crash (though service may auto-restart) - Scope: Impact is limited to the single client process making the requests; does not escape to affect other components or systems - No Confidentiality or Integrity Impact: Vulnerability only causes process crash, no information disclosure or data modification

CVSS Score: 5.9 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE Classifications: - CWE-400: Uncontrolled Resource Consumption - CWE-662: Improper Synchronization

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T15:51:48Z",
    "nvd_published_at": "2026-04-08T15:16:16Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAxios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.\n\n### Details\n\nThe vulnerability exists in the `Http2Sessions.getSession()` method in `lib/adapters/http.js`. The session cleanup logic contains a control flow error when removing sessions from the sessions array.\n\n**Vulnerable Code:**\n```javascript\nwhile (i--) {\n  if (entries[i][0] === session) {\n    entries.splice(i, 1);\n    if (len === 1) {\n      delete this.sessions[authority];\n      return;\n    }\n  }\n}\n```\n\n**Root Cause:**\nAfter calling `entries.splice(i, 1)` to remove a session, the original code only returned early if `len === 1`. For arrays with multiple entries, the iteration continued after modifying the array, causing undefined behavior and potential crashes when accessing shifted array indices.\n\n**Fixed Code:**\n```javascript\nwhile (i--) {\n  if (entries[i][0] === session) {\n    if (len === 1) {\n      delete this.sessions[authority];\n    } else {\n      entries.splice(i, 1);\n    }\n    return;\n  }\n}\n```\n\nThe fix restructures the control flow to immediately return after removing a session, regardless of whether the array is being emptied or just having one element removed. This prevents continued iteration over a modified array and eliminates the state corruption vulnerability.\n\n**Affected Component:**\n- `lib/adapters/http.js` - Http2Sessions class, session cleanup in connection close handler\n\n### PoC\n\n1. Set up a malicious HTTP/2 server that accepts multiple concurrent connections from an axios client\n2. Establish multiple concurrent HTTP/2 sessions with the axios client\n3. Close all sessions simultaneously with precise timing\n4. The flawed cleanup logic attempts to iterate over and modify the sessions array concurrently\n5. This causes the client to access invalid memory locations, resulting in a process crash\n\n**Prerequisites:**\n- Client must use axios with HTTP/2 enabled\n- Client must connect to attacker-controlled HTTP/2 server\n- Multiple concurrent HTTP/2 sessions must be established\n- Server must close all sessions simultaneously with precise timing\n\n### Impact\n\n**Who is impacted:**\n- Applications using axios with HTTP/2 enabled\n- Applications connecting to untrusted or attacker-controlled HTTP/2 servers\n- Node.js applications using axios for HTTP/2 requests\n\n**Impact Details:**\n- **Denial of Service:** Malicious server can crash the axios client process by accepting and closing multiple concurrent HTTP/2 connections simultaneously\n- **Availability Impact:** Complete loss of availability for the client process through crash (though service may auto-restart)\n- **Scope:** Impact is limited to the single client process making the requests; does not escape to affect other components or systems\n- **No Confidentiality or Integrity Impact:** Vulnerability only causes process crash, no information disclosure or data modification\n\n**CVSS Score:** 5.9 (Medium)\n**CVSS Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n**CWE Classifications:**\n- CWE-400: Uncontrolled Resource Consumption\n- CWE-662: Improper Synchronization",
  "id": "GHSA-qj83-cq47-w5f8",
  "modified": "2026-04-27T17:00:15Z",
  "published": "2026-04-08T15:51:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-qj83-cq47-w5f8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/0588880ac7ddba7594ef179930493884b7e90bf5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.13.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios HTTP/2 Session Cleanup State Corruption Vulnerability"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.