CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-V75F-3G6X-5HR3
Vulnerability from github – Published: 2022-05-13 01:52 – Updated: 2022-05-13 01:52phpFreeChat 1.7 and earlier allows remote attackers to cause a denial of service by sending a large number of connect commands.
{
"affected": [],
"aliases": [
"CVE-2018-5954"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-25T16:29:00Z",
"severity": "HIGH"
},
"details": "phpFreeChat 1.7 and earlier allows remote attackers to cause a denial of service by sending a large number of connect commands.",
"id": "GHSA-v75f-3g6x-5hr3",
"modified": "2022-05-13T01:52:59Z",
"published": "2022-05-13T01:52:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5954"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43852"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/146037/PHPFreeChat-1.7-Denial-Of-Service.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7HC-87JC-QRRR
Vulnerability from github – Published: 2023-12-06 19:19 – Updated: 2023-12-06 19:19Impact
The eventing-github cluster-local server doesn't set ReadHeaderTimeout which could lead do a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also know as a Slowloris attack.
Patches
Fix in v1.12.1 and v1.11.3
Credits
The vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "knative.dev/eventing-github"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.39.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-06T19:19:35Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nThe eventing-github cluster-local server doesn\u0027t set `ReadHeaderTimeout`\u202c\u202d which could lead do a DDoS\u202c \u202dattack, where a large group of users send requests to the server causing the server to hang\u202c \u202dfor long enough to deny it from being available to other users, also know as a Slowloris\u202c \u202dattack.\n\n### Patches\n\nFix in `v1.12.1` and `v1.11.3`\n\n### Credits\n\nThe vulnerability was reported by Ada Logics during an ongoing security audit of Knative involving Ada Logics, the Knative maintainers, OSTIF and CNCF.\n",
"id": "GHSA-v7hc-87jc-qrrr",
"modified": "2023-12-06T19:19:35Z",
"published": "2023-12-06T19:19:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/knative-extensions/eventing-github/security/advisories/GHSA-v7hc-87jc-qrrr"
},
{
"type": "WEB",
"url": "https://github.com/knative-extensions/eventing-github/pull/442"
},
{
"type": "WEB",
"url": "https://github.com/knative-extensions/eventing-github/pull/446"
},
{
"type": "WEB",
"url": "https://github.com/knative-extensions/eventing-github/pull/447"
},
{
"type": "WEB",
"url": "https://github.com/knative-extensions/eventing-github/commit/ea5cb8b25fc3410dde45ce2eb95454e4cfe77c40"
},
{
"type": "PACKAGE",
"url": "https://github.com/knative-extensions/eventing-github"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations"
}
GHSA-V7Q3-5RQM-X7M9
Vulnerability from github – Published: 2024-05-30 20:53 – Updated: 2024-06-28 16:18Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of CVE-2023-46104. This link is maintained to preserve external references.
Original Description
With correct CVE version ranges for affected Apache Superset.
Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "apache-superset"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23952"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-03T16:17:47Z",
"nvd_published_at": "2024-02-14T12:15:47Z",
"severity": "MODERATE"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of CVE-2023-46104. This link is maintained to preserve external references.\n\n## Original Description\nWith correct CVE version ranges for affected Apache Superset.\n \nUncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. \u00a0\nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.\n\n",
"id": "GHSA-v7q3-5rqm-x7m9",
"modified": "2024-06-28T16:18:04Z",
"published": "2024-05-30T20:53:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23952"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/zc58zvm4414molqn2m4d4vkrbrsxdksx"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/14/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/14/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Apache Superset uncontrolled resource consumption",
"withdrawn": "2024-06-03T16:17:47Z"
}
GHSA-V7Q8-3XV9-3HV4
Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:30A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in .json on the target system, leading to a denial of service as users are unable to authenticate.
{
"affected": [],
"aliases": [
"CVE-2024-6090"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T19:15:19Z",
"severity": "HIGH"
},
"details": "A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users\u0027 chat histories. This vulnerability can also be exploited to delete any files ending in `.json` on the target system, leading to a denial of service as users are unable to authenticate.",
"id": "GHSA-v7q8-3xv9-3hv4",
"modified": "2025-10-15T15:30:20Z",
"published": "2024-06-27T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6090"
},
{
"type": "WEB",
"url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/526c615c437377ee9c71f866fd0f19011910f705"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/bd0f8f89-5c8a-4662-89aa-a6861d84cf4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7V5-MXJ3-9QMP
Vulnerability from github – Published: 2024-01-29 18:31 – Updated: 2024-09-06 00:31Vba32 Antivirus v3.36.0 is vulnerable to a Denial of Service vulnerability by triggering the 0x2220A7 IOCTL code of the Vba32m64.sys driver.
{
"affected": [],
"aliases": [
"CVE-2024-23441"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-400",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-29T16:15:09Z",
"severity": "MODERATE"
},
"details": "Vba32 Antivirus v3.36.0 is vulnerable to a Denial of Service vulnerability by triggering the 0x2220A7 IOCTL code of the Vba32m64.sys driver.",
"id": "GHSA-v7v5-mxj3-9qmp",
"modified": "2024-09-06T00:31:19Z",
"published": "2024-01-29T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23441"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/rollins"
},
{
"type": "WEB",
"url": "https://www.anti-virus.by/vba32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7W3-W4C9-JC27
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per each packet processed. The number of mbufs is platform dependent. The following command provides the number of mbufs that are currently in use and maximum number of mbufs that can be allocated on a platform: > show system buffers 2437/3143/5580 mbufs in use (current/cache/total) Once the device runs out of mbufs it will become inaccessible and a restart will be required. This issue only affects end devices, transit devices are not affected. Affected releases are Juniper Networks Junos OS with VPLS configured running: 12.1X46 versions prior to 12.1X46-D76; 12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70; 14.1 versions prior to 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 14.2 versions prior to 14.2R8; 15.1 versions prior to 15.1F2-S19, 15.1F6-S10, 15.1R4-S9, 15.1R5-S7, 15.1R6-S4, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140; 15.1X53 versions prior to 15.1X53-D58 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471 on NFX; 15.1X53 versions prior to 15.1X53-D66 on QFX10; 16.1 versions prior to 16.1R3-S8, 16.1R4-S6, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S6, 17.1R3; 17.2 versions prior to 17.2R1-S5, 17.2R2.
{
"affected": [],
"aliases": [
"CVE-2018-0022"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-11T19:29:00Z",
"severity": "HIGH"
},
"details": "A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per each packet processed. The number of mbufs is platform dependent. The following command provides the number of mbufs that are currently in use and maximum number of mbufs that can be allocated on a platform: \u003e show system buffers 2437/3143/5580 mbufs in use (current/cache/total) Once the device runs out of mbufs it will become inaccessible and a restart will be required. This issue only affects end devices, transit devices are not affected. Affected releases are Juniper Networks Junos OS with VPLS configured running: 12.1X46 versions prior to 12.1X46-D76; 12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70; 14.1 versions prior to 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 14.2 versions prior to 14.2R8; 15.1 versions prior to 15.1F2-S19, 15.1F6-S10, 15.1R4-S9, 15.1R5-S7, 15.1R6-S4, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140; 15.1X53 versions prior to 15.1X53-D58 on EX2300/EX3400; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110; 15.1X53 versions prior to 15.1X53-D471 on NFX; 15.1X53 versions prior to 15.1X53-D66 on QFX10; 16.1 versions prior to 16.1R3-S8, 16.1R4-S6, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3; 17.1 versions prior to 17.1R1-S7, 17.1R2-S6, 17.1R3; 17.2 versions prior to 17.2R1-S5, 17.2R2.",
"id": "GHSA-v7w3-w4c9-jc27",
"modified": "2022-05-13T01:36:01Z",
"published": "2022-05-13T01:36:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0022"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10855"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103740"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7X8-WRHV-8RH2
Vulnerability from github – Published: 2024-05-05 21:30 – Updated: 2025-11-04 18:30An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-34506"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-05T19:15:07Z",
"severity": "HIGH"
},
"details": "An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service.",
"id": "GHSA-v7x8-wrhv-8rh2",
"modified": "2025-11-04T18:30:55Z",
"published": "2024-05-05T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34506"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FU2FGUXXK6TMV6R52VRECLC6XCSQQISY"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T357760"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7XM-5488-FRX3
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers.
{
"affected": [],
"aliases": [
"CVE-2018-14596"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-25T04:29:00Z",
"severity": "HIGH"
},
"details": "wancms 1.0 through 5.0 allows remote attackers to cause a denial of service (resource consumption) via a checkcode (aka verification code) URI in which the values of font_size, width, and height are large numbers.",
"id": "GHSA-v7xm-5488-frx3",
"modified": "2022-05-13T01:50:00Z",
"published": "2022-05-13T01:50:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14596"
},
{
"type": "WEB",
"url": "https://github.com/HUILYUH/wancms/blob/master/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7XQ-3WX6-FQC2
Vulnerability from github – Published: 2026-04-14 00:03 – Updated: 2026-04-24 20:50Summary
The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.
Details
When Stripe webhooks are enabled, the Stripe webhook route is reachable without authentication. The handler only requires that a Stripe-Signature header be present, then buffers the entire request body in memory and only afterward attempts Stripe signature verification.
Because body buffering happens before signature validation, memory consumption is controlled by the attacker-supplied payload size even when the signature is invalid. Large requests or repeated requests can exhaust available memory and make the service unresponsive or crash.
This issue depends on Stripe webhooks being enabled. If an upstream proxy or load balancer already enforces a strict request-body limit smaller than the attacker payload, exploitability is reduced accordingly.
PoC
URL="http://127.0.0.1:4000/api/stripe/webhook"
PROC_NAME="monetr"
TOTAL_KIB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
python3 - <<'PY' | curl -s -o /dev/null \
--limit-rate 10m \
-H 'Stripe-Signature: t=1,v1=deadbeef' \
--data-binary @- \
"$URL" &
import sys
sys.stdout.buffer.write(b"A" * (256 * 1024 * 1024))
PY
REQ_PID=$!
while kill -0 "$REQ_PID" 2>/dev/null; do
ps -C "$PROC_NAME" -o rss=,%cpu= | awk -v total="$TOTAL_KIB" '
{
printf "%s mem=%.2fMiB / %.3fGiB cpu=%s%%\n", "'"$PROC_NAME"'", $1/1024, total/1024/1024, $2
}
'
sleep 1
done
wait "$REQ_PID"
# monetr mem rises substantially while processing the invalid webhook body before signature validation fails
Impact
- Type: Denial of service / uncontrolled resource consumption (CWE-400)
- Who is impacted: Internet-reachable monetr deployments that have both Stripe billing and Stripe webhooks enabled (Stripe.Enabled and Stripe.WebhooksEnabled). In practice this is the hosted/SaaS configuration. Self-hosted instances are very unlikely to be affected, because Stripe billing is opt-in, is not part of a typical self-hosted setup, and the webhook route short-circuits to 404 when it is not enabled; meaning the unbounded read is unreachable on a default self-hosted deployment.
- Security impact: A remote, unauthenticated attacker can cause the monetr server process to buffer attacker-controlled payloads into memory before any signature validation occurs. Sufficiently large or repeated requests can drive memory consumption high enough to make the API unresponsive or crash the process, denying service to all legitimate users of the affected instance — not just users of the billing surface.
- Attack preconditions: The attacker must be able to reach the /api/stripe/webhook endpoint over the network and the target instance must have Stripe webhooks enabled. No authentication, prior account, user interaction, or knowledge of the Stripe webhook secret is required. Exploitability is reduced (and may be effectively eliminated) on deployments where an upstream proxy or load balancer enforces a request-body size limit smaller than the attacker's payload.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.12.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/monetr/monetr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40481"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T00:03:36Z",
"nvd_published_at": "2026-04-17T23:16:12Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.\n\n### Details\n\nWhen Stripe webhooks are enabled, the Stripe webhook route is reachable without authentication. The handler only requires that a `Stripe-Signature` header be present, then buffers the entire request body in memory and only afterward attempts Stripe signature verification.\n\nBecause body buffering happens before signature validation, memory consumption is controlled by the attacker-supplied payload size even when the signature is invalid. Large requests or repeated requests can exhaust available memory and make the service unresponsive or crash.\n\nThis issue depends on Stripe webhooks being enabled. If an upstream proxy or load balancer already enforces a strict request-body limit smaller than the attacker payload, exploitability is reduced accordingly.\n\n### PoC\n\n```bash\nURL=\"http://127.0.0.1:4000/api/stripe/webhook\"\nPROC_NAME=\"monetr\"\nTOTAL_KIB=\"$(awk \u0027/MemTotal:/ {print $2}\u0027 /proc/meminfo)\"\n\npython3 - \u003c\u003c\u0027PY\u0027 | curl -s -o /dev/null \\\n --limit-rate 10m \\\n -H \u0027Stripe-Signature: t=1,v1=deadbeef\u0027 \\\n --data-binary @- \\\n \"$URL\" \u0026\nimport sys\nsys.stdout.buffer.write(b\"A\" * (256 * 1024 * 1024))\nPY\nREQ_PID=$!\n\nwhile kill -0 \"$REQ_PID\" 2\u003e/dev/null; do\n ps -C \"$PROC_NAME\" -o rss=,%cpu= | awk -v total=\"$TOTAL_KIB\" \u0027\n {\n printf \"%s mem=%.2fMiB / %.3fGiB cpu=%s%%\\n\", \"\u0027\"$PROC_NAME\"\u0027\", $1/1024, total/1024/1024, $2\n }\n \u0027\n sleep 1\ndone\n\nwait \"$REQ_PID\"\n# monetr mem rises substantially while processing the invalid webhook body before signature validation fails\n```\n\n### Impact\n\n- Type: Denial of service / uncontrolled resource consumption (CWE-400)\n- Who is impacted: Internet-reachable monetr deployments that have both Stripe billing and Stripe webhooks enabled\n (Stripe.Enabled and Stripe.WebhooksEnabled). In practice this is the hosted/SaaS configuration. Self-hosted instances\n are very unlikely to be affected, because Stripe billing is opt-in, is not part of a typical self-hosted setup, and\n the webhook route short-circuits to 404 when it is not enabled; meaning the unbounded read is unreachable on a default\n self-hosted deployment.\n- Security impact: A remote, unauthenticated attacker can cause the monetr server process to buffer attacker-controlled\n payloads into memory before any signature validation occurs. Sufficiently large or repeated requests can drive memory\n consumption high enough to make the API unresponsive or crash the process, denying service to all legitimate users of\n the affected instance \u2014 not just users of the billing surface.\n- Attack preconditions: The attacker must be able to reach the /api/stripe/webhook endpoint over the network and the\n target instance must have Stripe webhooks enabled. No authentication, prior account, user interaction, or knowledge of\n the Stripe webhook secret is required. Exploitability is reduced (and may be effectively eliminated) on deployments\n where an upstream proxy or load balancer enforces a request-body size limit smaller than the attacker\u0027s payload.",
"id": "GHSA-v7xq-3wx6-fqc2",
"modified": "2026-04-24T20:50:58Z",
"published": "2026-04-14T00:03:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/monetr/monetr/security/advisories/GHSA-v7xq-3wx6-fqc2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40481"
},
{
"type": "PACKAGE",
"url": "https://github.com/monetr/monetr"
},
{
"type": "WEB",
"url": "https://github.com/monetr/monetr/releases/tag/v1.12.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "In monetr, unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation"
}
GHSA-V829-X6HH-CQFQ
Vulnerability from github – Published: 2023-03-10 23:47 – Updated: 2023-03-10 23:47Summary
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a vulnerability in the fieldpath package from crossplane/crossplane-runtime that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplane.
Details
Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, that slice's size will be increased to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.
Workaround
Users can restrict write privileges on Compositions to only admin users as a workaround.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/crossplane/crossplane"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/crossplane/crossplane"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/crossplane/crossplane"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27484"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-10T23:47:53Z",
"nvd_published_at": "2023-03-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nFuzz testing, by Ada Logics and sponsored by the CNCF, identified a [vulnerability](https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532) in the `fieldpath` package from `crossplane/crossplane-runtime` that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out of memory panic in Crossplane.\n\n### Details\n\nCompositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated and if a specified index is greater than the current size of the target slice, that slice\u0027s size will be increased to the specified index, which could lead to an excessive amount of memory usage and therefore the Pod being OOM-Killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.\n\n### Workaround\n\nUsers can restrict write privileges on Compositions to only admin users as a workaround.",
"id": "GHSA-v829-x6hh-cqfq",
"modified": "2023-03-10T23:47:53Z",
"published": "2023-03-10T23:47:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/crossplane/crossplane/security/advisories/GHSA-v829-x6hh-cqfq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27484"
},
{
"type": "PACKAGE",
"url": "https://github.com/crossplane/crossplane"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Crossplane-runtime contains Improper Input Validation via Compositions"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.