CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5417 vulnerabilities reference this CWE, most recent first.
GHSA-VX34-R39M-W274
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.
{
"affected": [],
"aliases": [
"CVE-2011-1083"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-04-04T12:27:00Z",
"severity": "MODERATE"
},
"details": "The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
"id": "GHSA-vx34-r39m-w274",
"modified": "2022-05-13T01:23:50Z",
"published": "2022-05-13T01:23:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1083"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=681578"
},
{
"type": "WEB",
"url": "http://article.gmane.org/gmane.linux.kernel/1105744"
},
{
"type": "WEB",
"url": "http://article.gmane.org/gmane.linux.kernel/1105888"
},
{
"type": "WEB",
"url": "http://article.gmane.org/gmane.linux.kernel/1106686"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00021.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00013.html"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/02/1"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/03/02/2"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0862.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43522"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48115"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48410"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48898"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48964"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/71265"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VX3P-948G-6VHQ
Vulnerability from github – Published: 2021-03-19 21:24 – Updated: 2021-10-21 17:38npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ssri"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.2"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ssri"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ssri"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.0.0"
]
}
],
"aliases": [
"CVE-2021-27290"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-15T18:24:30Z",
"nvd_published_at": "2021-03-12T22:15:00Z",
"severity": "HIGH"
},
"details": "npm `ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.",
"id": "GHSA-vx3p-948g-6vhq",
"modified": "2021-10-21T17:38:11Z",
"published": "2021-03-19T21:24:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290"
},
{
"type": "WEB",
"url": "https://github.com/npm/ssri/pull/20#issuecomment-842677644"
},
{
"type": "WEB",
"url": "https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2"
},
{
"type": "WEB",
"url": "https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538"
},
{
"type": "WEB",
"url": "https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
},
{
"type": "WEB",
"url": "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/ssri"
},
{
"type": "WEB",
"url": "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf"
},
{
"type": "WEB",
"url": "https://npmjs.com"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/ssri"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDoS)"
}
GHSA-VX5G-JGX3-6MX9
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
{
"affected": [],
"aliases": [
"CVE-2021-22177"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.",
"id": "GHSA-vx5g-jgx3-6mx9",
"modified": "2022-05-24T17:46:03Z",
"published": "2022-05-24T17:46:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22177"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/953444"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22177.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238988"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VX74-F528-FXQG
Vulnerability from github – Published: 2023-10-10 18:23 – Updated: 2023-10-10 18:23Impact
Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.
See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.
Patches
nghttp2 v1.57.0 mitigates this vulnerability by default.
Workarounds
If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.
References
The following commit mitigates this vulnerability:
- https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nghttp2/nghttp2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.57.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-10T18:23:21Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nRapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.\n\nSee https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.\n\n### Patches\n\nnghttp2 v1.57.0 mitigates this vulnerability by default.\n\n### Workarounds\n\nIf upgrading to nghttp2 v1.57.0 is not possible, implement `nghttp2_on_frame_recv_callback`, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call `nghttp2_submit_goaway` and gracefully terminate the connection.\n\n### References\n\nThe following commit mitigates this vulnerability:\n\n- https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832\n",
"id": "GHSA-vx74-f528-fxqg",
"modified": "2023-10-10T18:23:21Z",
"published": "2023-10-10T18:23:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg"
},
{
"type": "WEB",
"url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832"
},
{
"type": "PACKAGE",
"url": "https://github.com/nghttp2/nghttp2"
},
{
"type": "WEB",
"url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset"
}
GHSA-VX9F-9XJJ-7H22
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.
{
"affected": [],
"aliases": [
"CVE-2026-34473"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:36Z",
"severity": "HIGH"
},
"details": "Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router\u0027s web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.",
"id": "GHSA-vx9f-9xjj-7h22",
"modified": "2026-05-06T21:31:36Z",
"published": "2026-05-06T21:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34473"
},
{
"type": "WEB",
"url": "https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9"
},
{
"type": "WEB",
"url": "https://www.zte.com.cn/global"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXCJ-679Q-R6Q8
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-05-24 17:15VERSION NOT SUPPORTED WHEN ASSIGNED A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.
{
"affected": [],
"aliases": [
"CVE-2020-7486"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-16T19:15:00Z",
"severity": "MODERATE"
},
"details": "**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.",
"id": "GHSA-vxcj-679q-r6q8",
"modified": "2022-05-24T17:15:37Z",
"published": "2022-05-24T17:15:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7486"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-205-01"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SESB-2020-105-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VXF2-4MR7-6WV9
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:53The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.
{
"affected": [],
"aliases": [
"CVE-2012-5363"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-20T15:15:00Z",
"severity": "HIGH"
},
"details": "The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.",
"id": "GHSA-vxf2-4mr7-6wv9",
"modified": "2024-04-03T23:53:25Z",
"published": "2022-04-23T00:40:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5363"
},
{
"type": "WEB",
"url": "https://www.securityfocus.com/bid/56170/info"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/10/10/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXH2-Q8H5-JJ8F
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.
{
"affected": [],
"aliases": [
"CVE-2020-28723"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T17:15:00Z",
"severity": "HIGH"
},
"details": "Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.",
"id": "GHSA-vxh2-q8h5-jj8f",
"modified": "2022-05-24T17:34:20Z",
"published": "2022-05-24T17:34:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28723"
},
{
"type": "WEB",
"url": "https://github.com/CloudAvid/PParam/issues/9"
},
{
"type": "WEB",
"url": "https://github.com/raminfp/fuzz-libpparam"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VXMV-7R5G-H75X
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33BranchCache Denial of Service Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38149"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:07Z",
"severity": "HIGH"
},
"details": "BranchCache Denial of Service Vulnerability",
"id": "GHSA-vxmv-7r5g-h75x",
"modified": "2024-10-08T18:33:14Z",
"published": "2024-10-08T18:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38149"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VXPW-J846-P89Q
Vulnerability from github – Published: 2026-06-19 14:22 – Updated: 2026-06-19 14:22Impact
The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.
Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.
All releases starting at undici 6.17.0 are affected.
Patches
Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.
Workarounds
No workaround is available. The fix must be applied through an upgrade.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.27.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.28.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "undici"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-12151"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T14:22:01Z",
"nvd_published_at": "2026-06-17T17:16:42Z",
"severity": "HIGH"
},
"details": "## Impact\n\nThe undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (`new WebSocket(...)`) or the `WebSocketStream` API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\n## Patches\n\nUpgrade to undici v6.27.0, v7.28.0 or v8.5.0.\n\n## Workarounds\n\nNo workaround is available. The fix must be applied through an upgrade.",
"id": "GHSA-vxpw-j846-p89q",
"modified": "2026-06-19T14:22:01Z",
"published": "2026-06-19T14:22:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodejs/undici"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "undici WebSocket client vulnerable to denial of service via fragment count bypass"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.