Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5412 vulnerabilities reference this CWE, most recent first.

GHSA-RRJX-38J3-WX7P

Vulnerability from github – Published: 2023-04-05 21:30 – Updated: 2023-04-12 21:30
VLAI
Details

An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic.",
  "id": "GHSA-rrjx-38j3-wx7p",
  "modified": "2023-04-12T21:30:21Z",
  "published": "2023-04-05T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1071"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1071.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/385434"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRQH-93C8-J966

Vulnerability from github – Published: 2025-07-30 13:20 – Updated: 2025-11-03 21:34
VLAI
Summary
Ruby SAML DOS vulnerability with large SAML response
Details

Summary

A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.

Details

ruby-saml includes a message_max_bytesize setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:

https://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb

      def decode_raw_saml(saml, settings = nil)
        return saml unless base64_encoded?(saml) # <--- Issue here. Should be moved after next code block.

        settings = OneLogin::RubySaml::Settings.new if settings.nil?
        if saml.bytesize > settings.message_max_bytesize
          raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
        end

        decoded = decode(saml)
        ...
      end

The vulnerability is in the execution order. Prior to checking bytesize the base64_encoded? function performs regex matching on the entire input string:

!!string.gsub(/[\r\n]|\\r|\\n|\s/, "").match(BASE64_FORMAT)

Impact

What kind of vulnerability is it? Who is impacted?

When successfully exploited, this vulnerability can lead to:

  • Excessive memory consumption
  • High CPU utilization
  • Application slowdown or unresponsiveness
  • Complete application crash in severe cases
  • Potential denial of service for legitimate users

All applications using ruby-saml with SAML configured and enabled are vulnerable.

Potential Solution

Reorder the validation steps to ensure max bytesize is checked first

def decode_raw_saml(saml, settings = nil)
  settings = OneLogin::RubySaml::Settings.new if settings.nil?

  if saml.bytesize > settings.message_max_bytesize
    raise ValidationError.new("Encoded SAML Message exceeds " + settings.message_max_bytesize.to_s + " bytes, so was rejected")
  end

  return saml unless base64_encoded?(saml)
  decoded = decode(saml)
  ...
end
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-30T13:20:05Z",
    "nvd_published_at": "2025-07-30T14:15:29Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion.\n\n### Details\n`ruby-saml` includes a `message_max_bytesize` setting intended to prevent DOS attacks and decompression bombs. However, this protection is ineffective in some cases due to the order of operations in the code:\n\nhttps://github.com/SAML-Toolkits/ruby-saml/blob/fbbedc978300deb9355a8e505849666974ef2e67/lib/onelogin/ruby-saml/saml_message.rb\n\n```ruby\n      def decode_raw_saml(saml, settings = nil)\n        return saml unless base64_encoded?(saml) # \u003c--- Issue here. Should be moved after next code block.\n\n        settings = OneLogin::RubySaml::Settings.new if settings.nil?\n        if saml.bytesize \u003e settings.message_max_bytesize\n          raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\")\n        end\n\n        decoded = decode(saml)\n        ...\n      end\n```\n\nThe vulnerability is in the execution order. Prior to checking bytesize the `base64_encoded?` function performs regex matching on the entire input string:\n\n```ruby\n!!string.gsub(/[\\r\\n]|\\\\r|\\\\n|\\s/, \"\").match(BASE64_FORMAT)\n```\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nWhen successfully exploited, this vulnerability can lead to:\n\n- Excessive memory consumption\n- High CPU utilization\n- Application slowdown or unresponsiveness\n- Complete application crash in severe cases\n- Potential denial of service for legitimate users\n\nAll applications using `ruby-saml` with SAML configured and enabled are vulnerable.\n\n### Potential Solution\n\nReorder the validation steps to ensure max bytesize is checked first\n\n```ruby\ndef decode_raw_saml(saml, settings = nil)\n  settings = OneLogin::RubySaml::Settings.new if settings.nil?\n\n  if saml.bytesize \u003e settings.message_max_bytesize\n    raise ValidationError.new(\"Encoded SAML Message exceeds \" + settings.message_max_bytesize.to_s + \" bytes, so was rejected\")\n  end\n  \n  return saml unless base64_encoded?(saml)\n  decoded = decode(saml)\n  ...\nend\n```",
  "id": "GHSA-rrqh-93c8-j966",
  "modified": "2025-11-03T21:34:17Z",
  "published": "2025-07-30T13:20:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/pull/770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/commit/38ef5dd1ce17514e202431f569c4f5633e6c2709"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SAML-Toolkits/ruby-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-54572.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ruby SAML DOS vulnerability with large SAML response"
}

GHSA-RRQV-QHMG-W4F2

Vulnerability from github – Published: 2022-02-12 00:01 – Updated: 2022-09-02 00:01
VLAI
Details

StarWind iSCSI SAN before 6.0 build 2013-03-20 allows a memory leak.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-20004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-06T21:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "StarWind iSCSI SAN before 6.0 build 2013-03-20 allows a memory leak.",
  "id": "GHSA-rrqv-qhmg-w4f2",
  "modified": "2022-09-02T00:01:11Z",
  "published": "2022-02-12T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-20004"
    },
    {
      "type": "WEB",
      "url": "https://www.starwindsoftware.com/security/sw-20130215-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRR4-C4R3-6Q77

Vulnerability from github – Published: 2026-04-15 00:31 – Updated: 2026-04-15 00:31
VLAI
Details

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-14T22:16:30Z",
    "severity": "LOW"
  },
  "details": "ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-rrr4-c4r3-6q77",
  "modified": "2026-04-15T00:31:34Z",
  "published": "2026-04-15T00:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27308"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RRRM-QJM4-V8HF

Vulnerability from github – Published: 2022-01-14 21:04 – Updated: 2022-01-14 19:56
VLAI
Summary
Inefficient Regular Expression Complexity in marked
Details

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

  • https://marked.js.org/using_advanced#workers
  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-14T19:56:20Z",
    "nvd_published_at": "2022-01-14T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${\u0027 \u0027.repeat(1500)}x ${\u0027 \u0027.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n",
  "id": "GHSA-rrrm-qjm4-v8hf",
  "modified": "2022-01-14T19:56:20Z",
  "published": "2022-01-14T21:04:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21680"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markedjs/marked"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/releases/tag/v4.0.10"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in marked"
}

GHSA-RRW2-PX9J-QFFJ

Vulnerability from github – Published: 2025-09-05 20:58 – Updated: 2025-11-07 12:29
VLAI
Summary
FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side
Details

Impact

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed.

This could be used as a denial of service attack on an fs2-io powered server -- for example, by opening many connections and putting them in a half-shutdown state.

Note: this issue impacts ember backed http4s servers with HTTPS as a result of ember using fs2's TLS support.

Patches

Fixed in fs2 3.12.2 and 3.13.0-M7.

Workarounds

No workarounds.

For more information

If you have any questions or comments about this advisory:

Open an issue. Contact the Typelevel Security Team.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-M1"
            },
            {
              "fixed": "3.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.13.0-M1"
            },
            {
              "fixed": "3.13.0-M7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_0.26"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_0.27"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-M4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-RC1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12.0-RC2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.13"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13.0-M5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "co.fs2:fs2-io_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T20:58:23Z",
    "nvd_published_at": "2025-09-05T22:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed.\n\nThis could be used as a denial of service attack on an fs2-io powered server -- for example, by opening many connections and putting them in a half-shutdown state.\n\nNote: this issue impacts ember backed http4s servers with HTTPS as a result of ember using fs2\u0027s TLS support.\n\n### Patches\nFixed in fs2 3.12.2 and 3.13.0-M7.\n\n### Workarounds\nNo workarounds.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n[Open an issue.](https://github.com/typelevel/fs2/issues/new/choose)\nContact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).",
  "id": "GHSA-rrw2-px9j-qffj",
  "modified": "2025-11-07T12:29:27Z",
  "published": "2025-09-05T20:58:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/security/advisories/GHSA-rrw2-px9j-qffj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/issues/3590"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/pull/3624"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/46e2dc3abf994dcf3d0b804b2ddb3c10c04d4976"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/5c6c4c6c1ef330f7e6b53661ecc63d5f5ba8885c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/commit/edf0c4f2e660360d1c1a8c5377ce32294de89238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/typelevel/fs2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.12.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/typelevel/fs2/releases/tag/v3.13.0-M7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side"
}

GHSA-RV57-79G9-2RPQ

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

A vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a corruption of certain timer mechanisms triggered by specific roaming events. This corruption will eventually cause a timer crash. An attacker could exploit this vulnerability by sending malicious reassociation events multiple times to the same AP in a short period of time, causing a DoS condition on the affected AP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-17T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the 802.11r Fast Transition feature set of Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a corruption of certain timer mechanisms triggered by specific roaming events. This corruption will eventually cause a timer crash. An attacker could exploit this vulnerability by sending malicious reassociation events multiple times to the same AP in a short period of time, causing a DoS condition on the affected AP.",
  "id": "GHSA-rv57-79g9-2rpq",
  "modified": "2022-05-13T01:35:09Z",
  "published": "2022-05-13T01:35:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0441"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-ap-ft-dos"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105680"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041918"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV6Q-435F-W46H

Vulnerability from github – Published: 2023-05-24 18:30 – Updated: 2024-04-04 04:19
VLAI
Details

Bramble Synchronisation Protocol (BSP) in Briar before 1.4.22 allows attackers to cause a denial of service (repeated application crashes) via a series of long messages to a contact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-24T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "Bramble Synchronisation Protocol (BSP) in Briar before 1.4.22 allows attackers to cause a denial of service (repeated application crashes) via a series of long messages to a contact.",
  "id": "GHSA-rv6q-435f-w46h",
  "modified": "2024-04-04T04:19:46Z",
  "published": "2023-05-24T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33980"
    },
    {
      "type": "WEB",
      "url": "https://briarproject.org/news/2023-three-security-issues-found-and-fixed"
    },
    {
      "type": "WEB",
      "url": "https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_YuanmingSong.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV78-F8RC-XRXH

Vulnerability from github – Published: 2026-05-11 14:50 – Updated: 2026-05-11 14:50
VLAI
Summary
Facebook React has a Denial of Service Vulnerability in React Server Components
Details

Impact

A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to out-of-memory exceptions or excessive CPU usage.

We recommend updating immediately.

The vulnerability exists in versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5 of:

react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack

Patches

Fixes were back ported to versions 19.0.6, 19.1.7, and 19.2.6.

If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References See the blog post for more information and upgrade instructions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:50:07Z",
    "nvd_published_at": "2026-05-06T17:16:22Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nA denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to out-of-memory exceptions or excessive CPU usage.\n\nWe recommend updating immediately.\n\nThe vulnerability exists in versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5 of:\n\n[react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n[react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n[react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n## Patches\n\nFixes were back ported to versions 19.0.6, 19.1.7, and 19.2.6.\n\nIf you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app\u2019s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\nReferences\nSee the [blog post](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more information and upgrade instructions.",
  "id": "GHSA-rv78-f8rc-xrxh",
  "modified": "2026-05-11T14:50:07Z",
  "published": "2026-05-11T14:50:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-w94c-4vhp-22gx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23870"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/facebook/react"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Facebook React has a Denial of Service Vulnerability in React Server Components"
}

GHSA-RV83-RW8P-JWW8

Vulnerability from github – Published: 2026-04-20 06:31 – Updated: 2026-04-20 06:31
VLAI
Details

A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-20T04:16:56Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Lagom WHMCS Template up to 2.4.2. This impacts an unknown function of the component Datatables. The manipulation leads to resource consumption. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-rv83-rw8p-jww8",
  "modified": "2026-04-20T06:31:27Z",
  "published": "2026-04-20T06:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6601"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devsamuelsantiago/lagom-whmcs-dos-poc"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/791943"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358236"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358236/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.