Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5417 vulnerabilities reference this CWE, most recent first.

GHSA-RHR7-G23X-PQH9

Vulnerability from github – Published: 2026-04-30 15:30 – Updated: 2026-04-30 18:30
VLAI
Details

A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-36958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T15:16:22Z",
    "severity": "HIGH"
  },
  "details": "A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation.",
  "id": "GHSA-rhr7-g23x-pqh9",
  "modified": "2026-04-30T18:30:31Z",
  "published": "2026-04-30T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36958"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kirubel-cve/CVE-2026-36958"
    },
    {
      "type": "WEB",
      "url": "http://u-speed.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RHV4-8758-JX7V

Vulnerability from github – Published: 2026-05-12 15:09 – Updated: 2026-05-12 15:09
VLAI
Summary
Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS
Details

Summary decimal doesn't bound the exponent on parsed input, so something like "1e10000000" is parsed fine but then explodes the memory to more than 7GB if you run e.g. Decimal.add(Decimal.parse("1e10000000"), 1) because for positive exp, the function tail-recurses with coef * 10 and exp - 1 per iteration, growing the bignum coefficient by one digit each step. In the worst case, one request is enough to OOM the BEAM.

Details

Decimal.new/parse/cast happily store huge exponents. After that, a bunch of core paths allocate proportional to exp: - add/sub/div go through add_align, which calls pow10(exp1 - exp2) and builds a giant bignum (lib/decimal.ex:1734-1738, 1827). - to_string/2 with :normal (also :xsd and the String.Chars impl) does :lists.duplicate(exp, ?0) (lib/decimal.ex:1506, 1513). - to_integer/1 recurses coef * 10, exp - 1 once per unit of exp (lib/decimal.ex:1603-1605). - round/3 does the same :lists.duplicate trick on the exp difference (lib/decimal.ex:1850, 1874). - compare/3 with a threshold argument loops back into add/sub, so it's vulnerable too (lib/decimal.ex:331-332).

PoC

Any of these will hang or OOM the BEAM:

Decimal.add(Decimal.new("1"), Decimal.new("1e1000000000"))
Decimal.to_string(Decimal.new("1e1000000000"), :normal)
Decimal.to_integer(Decimal.new("1e1000000000"))
Decimal.round(Decimal.new("1e1000000000"))

Impact

Unauthenticated remote DoS. Anything that takes a user-supplied decimal (JSON, form field, Ecto :decimal field — basically everywhere) and then does arithmetic, rounding, to_integer, or to_string on it is exposed. One request can kill the node with a Out-of-Memory exception.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "decimal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-12T15:09:20Z",
    "nvd_published_at": "2026-05-07T15:16:05Z",
    "severity": "MODERATE"
  },
  "details": "Summary\n`decimal` doesn\u0027t bound the exponent on parsed input, so something like `\"1e10000000\"` is parsed fine but then explodes the memory to more than 7GB if you run e.g. `Decimal.add(Decimal.parse(\"1e10000000\"), 1)` because for positive `exp`, the function tail-recurses with `coef * 10` and `exp - 1` per iteration, growing the bignum coefficient by one digit each step. In the worst case, one request is enough to OOM the BEAM.\n\n### Details\n`Decimal.new/parse/cast` happily store huge exponents. After that, a bunch of core paths allocate proportional to `exp`:\n- `add/sub/div` go through `add_align`, which calls `pow10(exp1 - exp2)` and builds a giant bignum (lib/decimal.ex:1734-1738, 1827).\n- `to_string/2` with `:normal` (also `:xsd` and the `String.Chars` impl) does `:lists.duplicate(exp, ?0)` (lib/decimal.ex:1506, 1513).\n- `to_integer/1` recurses `coef * 10`, `exp - 1` once per unit of `exp` (lib/decimal.ex:1603-1605).\n- `round/3` does the same `:lists.duplicate` trick on the exp difference (lib/decimal.ex:1850, 1874).\n- `compare/3` with a threshold argument loops back into `add`/`sub`, so it\u0027s vulnerable too (lib/decimal.ex:331-332).\n\n### PoC\nAny of these will hang or OOM the BEAM:\n```elixir\nDecimal.add(Decimal.new(\"1\"), Decimal.new(\"1e1000000000\"))\nDecimal.to_string(Decimal.new(\"1e1000000000\"), :normal)\nDecimal.to_integer(Decimal.new(\"1e1000000000\"))\nDecimal.round(Decimal.new(\"1e1000000000\"))\n```\n\n### Impact\nUnauthenticated remote DoS. Anything that takes a user-supplied decimal (JSON, form field, Ecto `:decimal` field \u2014 basically everywhere) and then does arithmetic, rounding, `to_integer`, or `to_string` on it is exposed. One request can kill the node with a Out-of-Memory exception.",
  "id": "GHSA-rhv4-8758-jx7v",
  "modified": "2026-05-12T15:09:20Z",
  "published": "2026-05-12T15:09:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-32686.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericmj/decimal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericmj/decimal/releases/tag/v3.0.0"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-32686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Decimal: Unbounded exponent in `Decimal.new` enables unauthenticated DoS"
}

GHSA-RJ37-6J9X-74Q6

Vulnerability from github – Published: 2026-06-12 15:07 – Updated: 2026-06-12 15:07
VLAI
Summary
SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS
Details

Summary

The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting HTTPHeaders value before any application code runs. This can be used to exhaust memory, or — for consumers that subsequently convert headers into swift-http-types' HTTPFields — to crash the process.

Details

HTTPDecoder previously enforced only a single hardcoded parsing limit: 80 KB per individual header field (name + value). There was no cap on the cumulative size of the header block, nor on the number of header fields per message. Because each individual field can remain well below the 80 KB threshold, a peer can submit hundreds of thousands of valid headers in a single request, all of which are appended to the decoded HTTPHeaders without bound.

The headers are then visible to user code through the standard HTTPServerRequestPart.head / HTTPClientResponsePart.head events. Two observed downstream effects:

  • Hummingbird 2 (and other consumers that bridge HTTPHeaders into swift-http-types' HTTPFields) crashes via a precondition failure inside HTTPFields once the configured field count is exceeded.
  • Vapor 4 does not crash, but the per-request memory footprint scales linearly with the number of headers received, allowing a single connection to inflate server memory use substantially.

Impact

A single unauthenticated remote peer can trigger a denial of service against any HTTP/1 server (or, in the response direction, any HTTP/1 client) built on NIOHTTP1 — either by crashing the process, depending on the downstream framework, or by driving the process's resident memory to arbitrary sizes.

Patches

This issue is addressed in swift-nio 2.100.0 and later.

The HTTPDecoder now applies three parsing limits with conservative defaults, exposed through the new NIOHTTPDecoderLimitConfiguration type:

Limit Default
maxHeaderFieldSize 80 KB
maxHeaderListSize 2 MB
maxHeaderFieldCount 256

Exceeding any of these limits causes the decoder to fail with HTTPParserError.headerOverflow. The configuration can be supplied directly to HTTPRequestDecoder / HTTPResponseDecoder, or via the decoderConfiguration property on NIOUpgradableHTTPServerPipelineConfiguration and NIOUpgradableHTTPClientPipelineConfiguration.

Users who require larger limits — for example, applications that legitimately exchange very large header blocks — can opt into them explicitly by constructing a custom NIOHTTPDecoderLimitConfiguration.

Workarounds

Users unable to upgrade can mitigate by placing a reverse proxy in front of the service that enforces equivalent limits on request header count and total header size.

Credit

This issue was reported by @Joannis. SwiftNIO thanks @Joannis for the report and the support in landing the fix.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.99.0"
      },
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.100.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T15:07:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `HTTPDecoder` in `NIOHTTP1` enforces no limit on the total size of an HTTP/1 message\u0027s header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting `HTTPHeaders` value before any application code runs. This can be used to exhaust memory, or \u2014 for consumers that subsequently convert headers into `swift-http-types`\u0027 `HTTPFields` \u2014 to crash the process.\n\n### Details\n\n`HTTPDecoder` previously enforced only a single hardcoded parsing limit: 80 KB per individual header field (name + value). There was no cap on the cumulative size of the header block, nor on the number of header fields per message. Because each individual field can remain well below the 80 KB threshold, a peer can submit hundreds of thousands of valid headers in a single request, all of which are appended to the decoded `HTTPHeaders` without bound.\n\nThe headers are then visible to user code through the standard `HTTPServerRequestPart.head` / `HTTPClientResponsePart.head` events. Two observed downstream effects:\n\n  - **Hummingbird 2** (and other consumers that bridge `HTTPHeaders` into `swift-http-types`\u0027 `HTTPFields`) crashes via a precondition failure inside `HTTPFields` once the configured field count is exceeded.\n  - **Vapor 4** does not crash, but the per-request memory footprint scales linearly with the number of headers received, allowing a single connection to inflate server memory use substantially.\n  \n### Impact\n\nA single unauthenticated remote peer can trigger a denial of service against any HTTP/1 server (or, in the response direction, any HTTP/1 client) built on `NIOHTTP1` \u2014 either by crashing the process, depending on the downstream framework, or by driving the process\u0027s resident memory to arbitrary sizes.\n\n### Patches\n\nThis issue is addressed in `swift-nio` 2.100.0 and later.\n\nThe `HTTPDecoder` now applies three parsing limits with conservative defaults, exposed through the new `NIOHTTPDecoderLimitConfiguration` type:\n\n  | Limit | Default |\n  | --- | --- |\n  | `maxHeaderFieldSize` | 80 KB |\n  | `maxHeaderListSize` | 2 MB |\n  | `maxHeaderFieldCount` | 256 |\n\nExceeding any of these limits causes the decoder to fail with `HTTPParserError.headerOverflow`. The configuration can be supplied directly to `HTTPRequestDecoder` / `HTTPResponseDecoder`, or via the `decoderConfiguration` property on `NIOUpgradableHTTPServerPipelineConfiguration` and `NIOUpgradableHTTPClientPipelineConfiguration`.\n\nUsers who require larger limits \u2014 for example, applications that legitimately exchange very large header blocks \u2014 can opt into them explicitly by constructing a custom `NIOHTTPDecoderLimitConfiguration`.\n\n### Workarounds\n\nUsers unable to upgrade can mitigate by placing a reverse proxy in front of the service that enforces equivalent limits on request header count and total header size.\n\n### Credit\n\nThis issue was reported by @Joannis. SwiftNIO thanks @Joannis for the report and the support in landing the fix.",
  "id": "GHSA-rj37-6j9x-74q6",
  "modified": "2026-06-12T15:07:53Z",
  "published": "2026-06-12T15:07:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio/security/advisories/GHSA-rj37-6j9x-74q6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SwiftNIO NIOHTTP1:  HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS"
}

GHSA-RJ4P-7MM6-GM9J

Vulnerability from github – Published: 2022-05-13 01:39 – Updated: 2022-11-08 12:35
VLAI
Summary
JBossWS vulnerable to uncontrolled recursion
Details

DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.ws:jbossws-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T12:35:06Z",
    "nvd_published_at": "2013-07-29T13:59:00Z",
    "severity": "LOW"
  },
  "details": "DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.",
  "id": "GHSA-rj4p-7mm6-gm9j",
  "modified": "2022-11-08T12:35:06Z",
  "published": "2022-05-13T01:39:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1483"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692584"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jbossws/jbossws-common"
    },
    {
      "type": "WEB",
      "url": "http://source.jboss.org/changelog/JBossWS/?cs=13996"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "JBossWS vulnerable to uncontrolled recursion"
}

GHSA-RJ5F-F43F-CFHC

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-22T22:00:00Z",
    "severity": "MODERATE"
  },
  "details": "fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an \"OOM dodging issue,\" a related issue to CVE-2010-3858.",
  "id": "GHSA-rj5f-f43f-cfhc",
  "modified": "2022-05-13T01:23:49Z",
  "published": "2022-05-13T01:23:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4243"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=625688"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64700"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=3c77f845722158206a7209c45ccddc264d19319c"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3c77f845722158206a7209c45ccddc264d19319c"
    },
    {
      "type": "WEB",
      "url": "http://grsecurity.net/~spender/64bit_dos.c"
    },
    {
      "type": "WEB",
      "url": "http://linux.derkeiler.com/Mailing-Lists/Kernel/2010-11/msg13278.html"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/27/429"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/29/206"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/30/138"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/30/378"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/22/15"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2010/11/22/6"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42884"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46397"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/15619"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0017.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/45004"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RJ8F-9P6V-299F

Vulnerability from github – Published: 2023-12-07 09:30 – Updated: 2023-12-09 06:30
VLAI
Details

A lack of rate limiting in pjActionAJaxSend in Time Slots Booking Calendar 4.0 allows attackers to cause resource exhaustion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T07:15:11Z",
    "severity": "HIGH"
  },
  "details": "A lack of rate limiting in pjActionAJaxSend in Time Slots Booking Calendar 4.0 allows attackers to cause resource exhaustion.",
  "id": "GHSA-rj8f-9p6v-299f",
  "modified": "2023-12-09T06:30:20Z",
  "published": "2023-12-07T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48833"
    },
    {
      "type": "WEB",
      "url": "https://www.phpjabbers.com/time-slots-booking-calendar"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/176042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJCF-2QPV-XPV2

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "On BIG-IP 14.1.0-14.1.2.6, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role.",
  "id": "GHSA-rjcf-2qpv-xpv2",
  "modified": "2022-05-24T17:36:07Z",
  "published": "2022-05-24T17:36:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5950"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K05204103"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K42696541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RJHC-R32R-CC5W

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-05-14 18:30
VLAI
Details

Uncontrolled resource consumption vulnerability in White Bear Solutions WBSAirback, version 21.02.04. This vulnerability could allow an attacker to send multiple command injection payloads to influence the amount of resources consumed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:42:16Z",
    "severity": "MODERATE"
  },
  "details": "Uncontrolled resource consumption vulnerability in White Bear Solutions WBSAirback, version 21.02.04. This vulnerability could allow an attacker to send multiple command injection payloads to influence the amount of resources consumed.",
  "id": "GHSA-rjhc-r32r-cc5w",
  "modified": "2024-05-14T18:30:52Z",
  "published": "2024-05-14T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3789"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-wbsairback-white-bear-solutions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RJQV-7FM6-FCWR

Vulnerability from github – Published: 2022-05-17 00:23 – Updated: 2025-04-20 03:47
VLAI
Details

The London Trust Media Private Internet Access (PIA) application before 1.3.3.1 for Android allows remote attackers to cause a denial of service (application crash) via a large VPN server-list file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-15882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-26T05:29:00Z",
    "severity": "HIGH"
  },
  "details": "The London Trust Media Private Internet Access (PIA) application before 1.3.3.1 for Android allows remote attackers to cause a denial of service (application crash) via a large VPN server-list file.",
  "id": "GHSA-rjqv-7fm6-fcwr",
  "modified": "2025-04-20T03:47:36Z",
  "published": "2022-05-17T00:23:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15882"
    },
    {
      "type": "WEB",
      "url": "https://wwws.nightwatchcybersecurity.com/2017/10/25/advisory-pia-android-app-cve-2017-15882"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RM59-992W-X2MV

Vulnerability from github – Published: 2026-03-26 19:50 – Updated: 2026-04-10 20:19
VLAI
Summary
OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
Details

Summary

Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < 2026.3.22
  • Fixed: >= 2026.3.22
  • Latest released tag checked: v2026.3.23-2 (630f1479c44f78484dfa21bb407cbe6f171dac87)
  • Latest published npm version checked: 2026.3.23-2

Fix Commit(s)

  • 651dc7450b68a5396a009db78ef9382633707ead

Release Status

The fix shipped in v2026.3.22 and remains present in v2026.3.23 and v2026.3.23-2.

Code-Level Confirmation

  • extensions/voice-call/src/webhook.ts now enforces header gating and shared pre-auth body caps before reading attacker-controlled request bodies.
  • extensions/voice-call/src/webhook.test.ts ships regression coverage for missing-signature, oversize, and timeout pre-auth webhook cases.

OpenClaw thanks @SEORY0 for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T19:50:41Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nVoice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected: \u003c 2026.3.22\n- Fixed: \u003e= 2026.3.22\n- Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`)\n- Latest published npm version checked: `2026.3.23-2`\n\n## Fix Commit(s)\n- `651dc7450b68a5396a009db78ef9382633707ead`\n\n## Release Status\nThe fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.\n\n## Code-Level Confirmation\n- extensions/voice-call/src/webhook.ts now enforces header gating and shared pre-auth body caps before reading attacker-controlled request bodies.\n- extensions/voice-call/src/webhook.test.ts ships regression coverage for missing-signature, oversize, and timeout pre-auth webhook cases.\n\nOpenClaw thanks @SEORY0 for reporting.",
  "id": "GHSA-rm59-992w-x2mv",
  "modified": "2026-04-10T20:19:04Z",
  "published": "2026-03-26T19:50:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35626"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.