Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5417 vulnerabilities reference this CWE, most recent first.

GHSA-VX34-R39M-W274

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-04-04T12:27:00Z",
    "severity": "MODERATE"
  },
  "details": "The epoll implementation in the Linux kernel 2.6.37.2 and earlier does not properly traverse a tree of epoll file descriptors, which allows local users to cause a denial of service (CPU consumption) via a crafted application that makes epoll_create and epoll_ctl system calls.",
  "id": "GHSA-vx34-r39m-w274",
  "modified": "2022-05-13T01:23:50Z",
  "published": "2022-05-13T01:23:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1083"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=681578"
    },
    {
      "type": "WEB",
      "url": "http://article.gmane.org/gmane.linux.kernel/1105744"
    },
    {
      "type": "WEB",
      "url": "http://article.gmane.org/gmane.linux.kernel/1105888"
    },
    {
      "type": "WEB",
      "url": "http://article.gmane.org/gmane.linux.kernel/1106686"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/03/02/1"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2011/03/02/2"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-0862.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43522"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48115"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48410"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48898"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48964"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/71265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VX3P-948G-6VHQ

Vulnerability from github – Published: 2021-03-19 21:24 – Updated: 2021-10-21 17:38
VLAI
Summary
Regular Expression Denial of Service (ReDoS)
Details

npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ssri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.2"
            },
            {
              "fixed": "6.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ssri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ssri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "8.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-15T18:24:30Z",
    "nvd_published_at": "2021-03-12T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "npm `ssri` 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.",
  "id": "GHSA-vx3p-948g-6vhq",
  "modified": "2021-10-21T17:38:11Z",
  "published": "2021-03-19T21:24:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/ssri/pull/20#issuecomment-842677644"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
    },
    {
      "type": "WEB",
      "url": "https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/npm/ssri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf"
    },
    {
      "type": "WEB",
      "url": "https://npmjs.com"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/ssri"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS)"
}

GHSA-VX5G-JGX3-6MX9

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46
VLAI
Details

Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.",
  "id": "GHSA-vx5g-jgx3-6mx9",
  "modified": "2022-05-24T17:46:03Z",
  "published": "2022-05-24T17:46:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22177"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/953444"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22177.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/238988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VX74-F528-FXQG

Vulnerability from github – Published: 2023-10-10 18:23 – Updated: 2023-10-10 18:23
VLAI
Summary
github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset
Details

Impact

Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.

See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.

Patches

nghttp2 v1.57.0 mitigates this vulnerability by default.

Workarounds

If upgrading to nghttp2 v1.57.0 is not possible, implement nghttp2_on_frame_recv_callback, and check and count RST_STREAM frames. If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call nghttp2_submit_goaway and gracefully terminate the connection.

References

The following commit mitigates this vulnerability:

  • https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nghttp2/nghttp2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.57.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-10T18:23:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nRapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound cause denial of service.\n\nSee https://www.cve.org/CVERecord?id=CVE-2023-44487 for details.\n\n### Patches\n\nnghttp2 v1.57.0 mitigates this vulnerability by default.\n\n### Workarounds\n\nIf upgrading to nghttp2 v1.57.0 is not possible, implement `nghttp2_on_frame_recv_callback`, and check and count RST_STREAM frames.  If excessive number of RST_STREAM are received, then take action, such as dropping connection silently, or call `nghttp2_submit_goaway` and gracefully terminate the connection.\n\n### References\n\nThe following commit mitigates this vulnerability:\n\n- https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832\n",
  "id": "GHSA-vx74-f528-fxqg",
  "modified": "2023-10-10T18:23:21Z",
  "published": "2023-10-10T18:23:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nghttp2/nghttp2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "github.com/nghttp2/nghttp2 has HTTP/2 Rapid Reset"
}

GHSA-VX9F-9XJJ-7H22

Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31
VLAI
Details

Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34473"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T19:16:36Z",
    "severity": "HIGH"
  },
  "details": "Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router\u0027s web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.",
  "id": "GHSA-vx9f-9xjj-7h22",
  "modified": "2026-05-06T21:31:36Z",
  "published": "2026-05-06T21:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34473"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9"
    },
    {
      "type": "WEB",
      "url": "https://www.zte.com.cn/global"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXCJ-679Q-R6Q8

Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-05-24 17:15
VLAI
Details

VERSION NOT SUPPORTED WHEN ASSIGNED A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-16T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "**VERSION NOT SUPPORTED WHEN ASSIGNED** A vulnerability could cause TCM modules to reset when under high network load in TCM v10.4.x and in system v10.3.x. This vulnerability was discovered and remediated in version v10.5.x on August 13, 2009. TCMs from v10.5.x and on will no longer exhibit this behavior.",
  "id": "GHSA-vxcj-679q-r6q8",
  "modified": "2022-05-24T17:15:37Z",
  "published": "2022-05-24T17:15:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7486"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-205-01"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SESB-2020-105-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VXF2-4MR7-6WV9

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:53
VLAI
Details

The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-5363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-20T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.",
  "id": "GHSA-vxf2-4mr7-6wv9",
  "modified": "2024-04-03T23:53:25Z",
  "published": "2022-04-23T00:40:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5363"
    },
    {
      "type": "WEB",
      "url": "https://www.securityfocus.com/bid/56170/info"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/10/10/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXH2-Q8H5-JJ8F

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-16T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Memory leak in IPv6Param::setAddress in CloudAvid PParam 1.3.1.",
  "id": "GHSA-vxh2-q8h5-jj8f",
  "modified": "2022-05-24T17:34:20Z",
  "published": "2022-05-24T17:34:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28723"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CloudAvid/PParam/issues/9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/raminfp/fuzz-libpparam"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VXMV-7R5G-H75X

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33
VLAI
Details

BranchCache Denial of Service Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-08T18:15:07Z",
    "severity": "HIGH"
  },
  "details": "BranchCache Denial of Service Vulnerability",
  "id": "GHSA-vxmv-7r5g-h75x",
  "modified": "2024-10-08T18:33:14Z",
  "published": "2024-10-08T18:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38149"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38149"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VXPW-J846-P89Q

Vulnerability from github – Published: 2026-06-19 14:22 – Updated: 2026-06-19 14:22
VLAI
Summary
undici WebSocket client vulnerable to denial of service via fragment count bypass
Details

Impact

The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

No workaround is available. The fix must be applied through an upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.28.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "undici"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-12151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T14:22:01Z",
    "nvd_published_at": "2026-06-17T17:16:42Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nThe undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.\n\nAffected applications are those using the undici WebSocket client (`new WebSocket(...)`) or the `WebSocketStream` API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.\n\nAll releases starting at undici 6.17.0 are affected.\n\n## Patches\n\nUpgrade to undici v6.27.0, v7.28.0 or v8.5.0.\n\n## Workarounds\n\nNo workaround is available. The fix must be applied through an upgrade.",
  "id": "GHSA-vxpw-j846-p89q",
  "modified": "2026-06-19T14:22:01Z",
  "published": "2026-06-19T14:22:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12151"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodejs/undici"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "undici WebSocket client vulnerable to denial of service via fragment count bypass"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.