CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5412 vulnerabilities reference this CWE, most recent first.
GHSA-X996-7QH9-7FF7
Vulnerability from github – Published: 2022-09-16 20:28 – Updated: 2022-10-10 17:04Impact
An attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose.
The ledger content will not be impacted by the attack, and the ledger will resume servicing valid client requests after the attack.
Mitigations
This attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network's expected users. The guidance previously provided enabled a low-cost DDoS attack.
The guidance to network operators for the use of firewall rules in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks.
The mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.
Acknowledgements
Thank you to Mirko Mollik at TrustCerts.de for finding and responsibly disclosing this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "indy-node"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.12.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31006"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T20:28:39Z",
"nvd_published_at": "2022-09-09T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn attacker can max out the number of client connections allowed by the ledger that was deployed using guidance provided in the indy-node repository, leaving the ledger unable to be used for its intended purpose.\n\nThe ledger content will not be impacted by the attack, and the ledger will resume servicing valid client requests after the attack.\n\n### Mitigations\n\nThis attack exploits the trade-off between resilience and availability. Any protection against abusive client connections will also prevent the network being accessed by certain legitimate users. As a result, validator nodes must tune their firewall rules to ensure the right trade-off for their network\u0027s expected users. The guidance previously provided enabled a low-cost DDoS attack.\n\nThe [guidance to network operators for the use of firewall rules](https://github.com/hyperledger/indy-node/blob/main/docs/source/setup-iptables.md) in the deployment of Indy networks has been modified to better protect against denial of service attacks by increasing the cost and complexity in mounting such attacks.\n\nThe mitigation for this vulnerability is not in the Hyperledger Indy code per se, but rather in the individual deployments of Indy. The mitigations should be applied to all deployments of Indy, and are not related to a particular release.\n\n### Acknowledgements\n\nThank you to Mirko Mollik at [TrustCerts.de](https://trustcerts.de) for finding and responsibly disclosing this issue.",
"id": "GHSA-x996-7qh9-7ff7",
"modified": "2022-10-10T17:04:26Z",
"published": "2022-09-16T20:28:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/security/advisories/GHSA-x996-7qh9-7ff7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31006"
},
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/commit/53a2a1bf1a26cb8ba710fd6adc8bcf275186a4b3"
},
{
"type": "PACKAGE",
"url": "https://github.com/hyperledger/indy-node"
},
{
"type": "WEB",
"url": "https://github.com/hyperledger/indy-node/commits/v1.13.2-rc2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/indy-node/PYSEC-2022-270.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Hyperledger indy-node vulnerable to denial of service"
}
GHSA-X99C-5HJH-5P3R
Vulnerability from github – Published: 2022-05-14 01:39 – Updated: 2025-04-20 03:31The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.
{
"affected": [],
"aliases": [
"CVE-2016-9310"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-13T16:59:00Z",
"severity": "MODERATE"
},
"details": "The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.",
"id": "GHSA-x99c-5hjh-5p3r",
"modified": "2025-04-20T03:31:11Z",
"published": "2022-05-14T01:39:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9310"
},
{
"type": "WEB",
"url": "https://bto.bluecoat.com/security-advisory/sa139"
},
{
"type": "WEB",
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03706en_us"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03799en_us"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3707-2"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/633847"
},
{
"type": "WEB",
"url": "http://nwtime.org/ntp428p9_release"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0252.html"
},
{
"type": "WEB",
"url": "http://support.ntp.org/bin/view/Main/NtpBug3118"
},
{
"type": "WEB",
"url": "http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94452"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-X9HF-JR2H-W47P
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnerability where the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.
{
"affected": [],
"aliases": [
"CVE-2024-10935"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:21Z",
"severity": "HIGH"
},
"details": "automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnerability where the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.",
"id": "GHSA-x9hf-jr2h-w47p",
"modified": "2025-03-20T12:32:41Z",
"published": "2025-03-20T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10935"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e6fdc6ed-f38d-4798-b60a-0e47893a81a6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X9W7-F6X8-R9XH
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11User controlled request.getHeader("Referer"), request.getRequestURL() and request.getQueryString() are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.
{
"affected": [],
"aliases": [
"CVE-2021-33580"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T08:15:00Z",
"severity": "HIGH"
},
"details": "User controlled `request.getHeader(\"Referer\")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn\u0027t have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.",
"id": "GHSA-x9w7-f6x8-r9xh",
"modified": "2022-05-24T19:11:35Z",
"published": "2022-05-24T19:11:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33580"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9d967d80af941717573e531db2c7353a90bfd0886e9b5d5d79f75506%40%3Cuser.roller.apache.org%3E"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/08/18/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X9WG-93QJ-QHG4
Vulnerability from github – Published: 2022-12-26 03:30 – Updated: 2023-01-04 03:30OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.
{
"affected": [],
"aliases": [
"CVE-2022-37312"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T02:15:00Z",
"severity": "MODERATE"
},
"details": "OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.",
"id": "GHSA-x9wg-93qj-qhg4",
"modified": "2023-01-04T03:30:32Z",
"published": "2022-12-26T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37312"
},
{
"type": "WEB",
"url": "https://open-xchange.com"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Nov/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XC79-566C-J4QX
Vulnerability from github – Published: 2025-10-10 23:45 – Updated: 2025-10-23 20:34Impact
A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node.
In order to carry out the attack, the attacker establishes a peer connections to the victim, and sends a malicious GetBlockHeadersRequest message with a count of 0, using the Parallax protocol.
In descendants := chain.GetHeadersFrom(num+count-1, count-1), the value of count-1 is passed to the function GetHeadersFrom(number, count uint64) as parameter count. Due to integer overflow, UINT64_MAX value is then passed as the count argument to function GetHeadersFrom(number, count uint64). This allows an attacker to bypass maxHeadersServe and request all headers from the latest block back to the genesis block.
Patches
The fix has been included in the Parallax client version 0.1.4 and onwards.
The vulnerability was patched in: https://github.com/microstack-tech/parallax/commit/f759e9090aaf00a43c616d7cbd133c44bb1ed01e
Workarounds
No workarounds have been made public.
Credit
This issue was disclosed responsibly by DongHan Kim via the Ethereum bug bounty program, the cooperation is appreciated.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/microstack-tech/parallax"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T23:45:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nA vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node.\n\nIn order to carry out the attack, the attacker establishes a peer connections to the victim, and sends a malicious `GetBlockHeadersRequest` message with a `count` of `0`, using the `Parallax` protocol.\n\nIn `descendants := chain.GetHeadersFrom(num+count-1, count-1)`, the value of `count-1` is passed to the function `GetHeadersFrom(number, count uint64)` as parameter `count`. Due to integer overflow, `UINT64_MAX` value is then passed as the `count` argument to function `GetHeadersFrom(number, count uint64)`. This allows an attacker to bypass `maxHeadersServe` and request all headers from the latest block back to the genesis block.\n\n### Patches\n\nThe fix has been included in the Parallax client version `0.1.4` and onwards.\n\nThe vulnerability was patched in: https://github.com/microstack-tech/parallax/commit/f759e9090aaf00a43c616d7cbd133c44bb1ed01e\n\n### Workarounds\n\nNo workarounds have been made public.\n\n### Credit\n\nThis issue was disclosed responsibly by DongHan Kim via the Ethereum bug bounty program, the cooperation is appreciated.",
"id": "GHSA-xc79-566c-j4qx",
"modified": "2025-10-23T20:34:55Z",
"published": "2025-10-10T23:45:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/microstack-tech/parallax/security/advisories/GHSA-xc79-566c-j4qx"
},
{
"type": "WEB",
"url": "https://github.com/microstack-tech/parallax/commit/f759e9090aaf00a43c616d7cbd133c44bb1ed01e"
},
{
"type": "PACKAGE",
"url": "https://github.com/microstack-tech/parallax"
},
{
"type": "WEB",
"url": "https://github.com/microstack-tech/parallax/releases/tag/v0.1.4"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-4019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Parallax is vulnerable to DoS via malicious p2p message"
}
GHSA-XC82-5M89-G4JV
Vulnerability from github – Published: 2023-08-02 21:30 – Updated: 2023-11-25 12:30Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.
{
"affected": [],
"aliases": [
"CVE-2023-29409"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-02T20:15:11Z",
"severity": "MODERATE"
},
"details": "Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to \u003c= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.",
"id": "GHSA-xc82-5m89-g4jv",
"modified": "2023-11-25T12:30:22Z",
"published": "2023-08-02T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409"
},
{
"type": "WEB",
"url": "https://go.dev/cl/515257"
},
{
"type": "WEB",
"url": "https://go.dev/issue/61460"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1987"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202311-09"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230831-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XCF7-Q56X-78GH
Vulnerability from github – Published: 2021-07-26 21:23 – Updated: 2023-08-30 18:51The package github.com/pires/go-proxyproto before 0.6.1 is vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header. While this issue was patched in 0.6.0, the fix introduced additional issues which were subsequently patched in 0.6.1.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pires/go-proxyproto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23409"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-26T17:31:53Z",
"nvd_published_at": "2021-07-21T07:15:00Z",
"severity": "HIGH"
},
"details": "The package `github.com/pires/go-proxyproto` before 0.6.1 is vulnerable to Denial of Service (DoS) via creating connections without the proxy protocol header. While this issue was patched in 0.6.0, the fix introduced additional issues which were subsequently patched in 0.6.1.",
"id": "GHSA-xcf7-q56x-78gh",
"modified": "2023-08-30T18:51:53Z",
"published": "2021-07-26T21:23:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23409"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/issues/65"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/issues/75"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/pull/74"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/pull/74/commits/cdc63867da24fc609b727231f682670d0d1cd346"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/pull/76"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/commit/2e44d7a76a851d66890ab341403253afae5caac2"
},
{
"type": "PACKAGE",
"url": "https://github.com/pires/go-proxyproto"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/releases/tag/v0.6.0"
},
{
"type": "WEB",
"url": "https://github.com/pires/go-proxyproto/releases/tag/v0.6.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0233"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1316439"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/pires/go-proxyproto vulnerable to DoS via Connection descriptor exhaustion"
}
GHSA-XCJP-MJ7M-5F57
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2023-03-03 15:30An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen's free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.
{
"affected": [],
"aliases": [
"CVE-2020-15565"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-07T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Xen through 4.13.x, allowing x86 Intel HVM guest OS users to cause a host OS denial of service or possibly gain privileges because of insufficient cache write-back under VT-d. When page tables are shared between IOMMU and CPU, changes to them require flushing of both TLBs. Furthermore, IOMMUs may be non-coherent, and hence prior to flushing IOMMU TLBs, a CPU cache also needs writing back to memory after changes were made. Such writing back of cached data was missing in particular when splitting large page mappings into smaller granularity ones. A malicious guest may be able to retain read/write DMA access to frames returned to Xen\u0027s free pool, and later reused for another purpose. Host crashes (leading to a Denial of Service) and privilege escalation cannot be ruled out. Xen versions from at least 3.2 onwards are affected. Only x86 Intel systems are affected. x86 AMD as well as Arm systems are not affected. Only x86 HVM guests using hardware assisted paging (HAP), having a passed through PCI device assigned, and having page table sharing enabled can leverage the vulnerability. Note that page table sharing will be enabled (by default) only if Xen considers IOMMU and CPU large page size support compatible.",
"id": "GHSA-xcjp-mj7m-5f57",
"modified": "2023-03-03T15:30:18Z",
"published": "2022-05-24T17:22:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15565"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202007-02"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4723"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/07/07/4"
},
{
"type": "WEB",
"url": "http://xenbits.xen.org/xsa/advisory-321.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XCPC-8H2W-3J85
Vulnerability from github – Published: 2026-07-10 18:32 – Updated: 2026-07-10 21:32adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.
{
"affected": [],
"aliases": [
"CVE-2026-39244"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T17:16:57Z",
"severity": "HIGH"
},
"details": "adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.",
"id": "GHSA-xcpc-8h2w-3j85",
"modified": "2026-07-10T21:32:28Z",
"published": "2026-07-10T18:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39244"
},
{
"type": "WEB",
"url": "https://github.com/cthackers/adm-zip/issues/568"
},
{
"type": "WEB",
"url": "https://github.com/cthackers/adm-zip"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/adm-zip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.