CWE-405
Allowed-with-ReviewAsymmetric Resource Consumption (Amplification)
Abstraction: Class · Status: Incomplete
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
85 vulnerabilities reference this CWE, most recent first.
CVE-2025-42873 (GCVE-0-2025-42873)
Vulnerability from cvelistv5 – Published: 2025-12-09 02:14 – Updated: 2025-12-09 16:40- CWE-405 - Asymmetric Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAPUI5 framework (Markdown-it component) |
Affected:
SAP_UI 755
Affected: 756 Affected: 757 Affected: 758 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42873",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T16:40:11.110637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:40:18.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAPUI5 framework (Markdown-it component)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SAP_UI 755"
},
{
"status": "affected",
"version": "756"
},
{
"status": "affected",
"version": "757"
},
{
"status": "affected",
"version": "758"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability.\u003c/p\u003e"
}
],
"value": "SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loop causes high CPU usage and system unresponsiveness due to a blocked processing thread. This vulnerability has no impact on confidentiality or integrity but has a high impact on system availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T02:14:07.094Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3676970"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Denial of Service (DoS) in SAPUI5 framework (Markdown-it component)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-42873",
"datePublished": "2025-12-09T02:14:07.094Z",
"dateReserved": "2025-04-16T13:25:17.023Z",
"dateUpdated": "2025-12-09T16:40:18.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32394 (GCVE-0-2025-32394)
Vulnerability from cvelistv5 – Published: 2026-06-26 16:11 – Updated: 2026-06-27 02:39| URL | Tags |
|---|---|
| https://github.com/Significant-Gravitas/AutoGPT/s… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Significant-Gravitas | AutoGPT |
Affected:
< 0.6.32
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32394",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-27T02:39:16.861455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T02:39:52.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AutoGPT",
"vendor": "Significant-Gravitas",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.32, there is a DoS vulnerability in AITextSummarizerBlock. Malicious users can amplify their input. For example, if a malicious user inputs 10K of content, the server will consume 50G of memory, eventually causing memory resources to be exhausted, resulting in DoS. This vulnerability is fixed in 0.6.32."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:11:20.644Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-955p-gpfx-r66j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-955p-gpfx-r66j"
}
],
"source": {
"advisory": "GHSA-955p-gpfx-r66j",
"discovery": "UNKNOWN"
},
"title": "AutoGPT: There is a DoS vulnerability in AITextSummarizerBlock"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32394",
"datePublished": "2026-06-26T16:11:20.644Z",
"dateReserved": "2025-04-06T19:46:02.463Z",
"dateUpdated": "2026-06-27T02:39:52.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31987 (GCVE-0-2025-31987)
Vulnerability from cvelistv5 – Published: 2025-08-14 22:06 – Updated: 2025-08-15 12:58- CWE-405 - Asymmetric Resource Consumption
| Vendor | Product | Version | |
|---|---|---|---|
| HCL Software | Connections Docs |
Affected:
2.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-15T12:56:35.521176Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T12:58:03.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Connections Docs",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "2.0.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christoph St\u00f6ttner of Vegard IT GmbH"
}
],
"datePublic": "2025-08-14T22:06:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion.\u003cbr\u003e"
}
],
"value": "HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T22:21:47.363Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0123272"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL Connections Docs is vulnerable to a Denial of Service (DoS) attack",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2025-31987",
"datePublished": "2025-08-14T22:06:59.169Z",
"dateReserved": "2025-04-01T18:46:33.656Z",
"dateUpdated": "2025-08-15T12:58:03.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30204 (GCVE-0-2025-30204)
Vulnerability from cvelistv5 – Published: 2025-03-21 21:42 – Updated: 2025-04-10 13:03- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://github.com/golang-jwt/jwt/security/adviso… | x_refsource_CONFIRM |
| https://github.com/golang-jwt/jwt/commit/0951d184… | x_refsource_MISC |
| https://github.com/golang-jwt/jwt/commit/bf316c48… | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2025040… |
| Vendor | Product | Version | |
|---|---|---|---|
| golang-jwt | jwt |
Affected:
>= 3.2.0, < 4.5.2
Affected: >= 5.0.0-rc.1, < 5.2.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T14:10:18.281694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T14:10:35.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-04T23:03:13.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20250404-0002/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jwt",
"vendor": "golang-jwt",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 4.5.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-rc.1, \u003c 5.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T13:03:19.897Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp"
},
{
"name": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3"
},
{
"name": "https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang-jwt/jwt/commit/bf316c48137a1212f8d0af9288cc9ce8e59f1afb"
}
],
"source": {
"advisory": "GHSA-mh63-6h87-95cp",
"discovery": "UNKNOWN"
},
"title": "jwt-go allows excessive memory allocation during header parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30204",
"datePublished": "2025-03-21T21:42:01.382Z",
"dateReserved": "2025-03-18T18:15:13.849Z",
"dateUpdated": "2025-04-10T13:03:19.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26516 (GCVE-0-2025-26516)
Vulnerability from cvelistv5 – Published: 2025-09-19 18:51 – Updated: 2025-09-19 19:06- CWE-405 - Asymmetric Resource Consumption (Amplification)
| Vendor | Product | Version | |
|---|---|---|---|
| NetApp | StorageGRID |
Affected:
0 , < 11.8.0.15
(custom)
Affected: 0 , < 11.9.0.8 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26516",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T19:06:15.932920Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T19:06:24.828Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StorageGRID",
"vendor": "NetApp",
"versions": [
{
"lessThan": "11.8.0.15",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "11.9.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eStorageGRID (formerly \nStorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are \nsusceptible to a Denial of Service vulnerability. Successful exploit \ncould allow an unauthenticated attacker to cause a Denial of Service on \nthe Admin node.\u003c/p\u003e\n\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "StorageGRID (formerly \nStorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are \nsusceptible to a Denial of Service vulnerability. Successful exploit \ncould allow an unauthenticated attacker to cause a Denial of Service on \nthe Admin node."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T18:51:12.609Z",
"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"shortName": "netapp"
},
"references": [
{
"url": "https://security.netapp.com/advisory/NTAP-20250910-0003"
}
],
"source": {
"advisory": "NTAP-20250910-0003",
"discovery": "UNKNOWN"
},
"title": "CVE-2025-26516 Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d",
"assignerShortName": "netapp",
"cveId": "CVE-2025-26516",
"datePublished": "2025-09-19T18:51:12.609Z",
"dateReserved": "2025-02-11T21:58:04.395Z",
"dateUpdated": "2025-09-19T19:06:24.828Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25186 (GCVE-0-2025-25186)
Vulnerability from cvelistv5 – Published: 2025-02-10 15:55 – Updated: 2025-02-12 15:46- CWE-400 - Uncontrolled Resource Consumption
- CWE-405 - Asymmetric Resource Consumption (Amplification)
- CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
- CWE-770 - Allocation of Resources Without Limits or Throttling
- CWE-789 - Memory Allocation with Excessive Size Value
- CWE-1287 - Improper Validation of Specified Type of Input
| URL | Tags |
|---|---|
| https://github.com/ruby/net-imap/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ruby/net-imap/commit/70e3ddd07… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/c8c5a6437… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/cb92191b1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25186",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T16:13:53.189390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:46:11.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "net-imap",
"vendor": "ruby",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.2, \u003c 0.3.8"
},
{
"status": "affected",
"version": "\u003e= 0.4.0, \u003c 0.4.19"
},
{
"status": "affected",
"version": "\u003e= 0.5.0, \u003c 0.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`\u0027s response parser. At any time while the client is connected, a malicious server can send can send highly compressed `uid-set` data which is automatically read by the client\u0027s receiver thread. The response parser uses `Range#to_a` to convert the `uid-set` data into arrays of integers, with no limitation on the expanded size of the ranges. Versions 0.3.8, 0.4.19, 0.5.6, and higher fix this issue. Additional details for proper configuration of fixed versions and backward compatibility are available in the GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T15:55:56.666Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69"
},
{
"name": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35"
},
{
"name": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3"
},
{
"name": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/cb92191b1ddce2d978d01b56a0883b6ecf0b1022"
}
],
"source": {
"advisory": "GHSA-7fc5-f82f-cx69",
"discovery": "UNKNOWN"
},
"title": "Net::IMAP vulnerable to possible DoS by memory exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25186",
"datePublished": "2025-02-10T15:55:56.666Z",
"dateReserved": "2025-02-03T19:30:53.399Z",
"dateUpdated": "2025-02-12T15:46:11.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24356 (GCVE-0-2025-24356)
Vulnerability from cvelistv5 – Published: 2025-01-27 17:31 – Updated: 2025-01-28 15:39- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://github.com/neocturne/fastd/security/advis… | x_refsource_CONFIRM |
| https://github.com/neocturne/fastd/commit/1f233be… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/3940150… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/5f63fcf… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/9df7e51… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/c1a07b3… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/ce1b79b… | x_refsource_MISC |
| https://github.com/neocturne/fastd/commit/d03a0a1… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24356",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T15:38:54.975943Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:39:06.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastd",
"vendor": "neocturne",
"versions": [
{
"status": "affected",
"version": "\u003c 23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fastd is a VPN daemon which tunnels IP packets and Ethernet frames over UDP. When receiving a data packet from an unknown IP address/port combination, fastd will assume that one of its connected peers has moved to a new address and initiate a reconnect by sending a handshake packet. This \"fast reconnect\" avoids having to wait for a session timeout (up to ~90s) until a new connection is established. Even a 1-byte UDP packet just containing the fastd packet type header can trigger a much larger handshake packet (~150 bytes of UDP payload). Including IPv4 and UDP headers, the resulting amplification factor is roughly 12-13. By sending data packets with a spoofed source address to fastd instances reachable on the internet, this amplification of UDP traffic might be used to facilitate a Distributed Denial of Service attack. This vulnerability is fixed in v23."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T17:31:38.541Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/neocturne/fastd/security/advisories/GHSA-pggg-vpfv-4rcv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/neocturne/fastd/security/advisories/GHSA-pggg-vpfv-4rcv"
},
{
"name": "https://github.com/neocturne/fastd/commit/1f233bee76b722c0b3f9024f2c39c72e9f7e5843",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/1f233bee76b722c0b3f9024f2c39c72e9f7e5843"
},
{
"name": "https://github.com/neocturne/fastd/commit/3940150e801d0c91460491bec32cbcc5bbc89d5f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/3940150e801d0c91460491bec32cbcc5bbc89d5f"
},
{
"name": "https://github.com/neocturne/fastd/commit/5f63fcfc18ae9cad023fa463b152d5e14192b5a8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/5f63fcfc18ae9cad023fa463b152d5e14192b5a8"
},
{
"name": "https://github.com/neocturne/fastd/commit/9df7e516378441d2d17b89f9db5c27c8312d8f12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/9df7e516378441d2d17b89f9db5c27c8312d8f12"
},
{
"name": "https://github.com/neocturne/fastd/commit/c1a07b3f2b9066c3713c68547da700b85d60f4f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/c1a07b3f2b9066c3713c68547da700b85d60f4f7"
},
{
"name": "https://github.com/neocturne/fastd/commit/ce1b79b12dbfa796743b5f3a50789ade965b7023",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/ce1b79b12dbfa796743b5f3a50789ade965b7023"
},
{
"name": "https://github.com/neocturne/fastd/commit/d03a0a17347efb5293e42fde7d982781e90f14ef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neocturne/fastd/commit/d03a0a17347efb5293e42fde7d982781e90f14ef"
}
],
"source": {
"advisory": "GHSA-pggg-vpfv-4rcv",
"discovery": "UNKNOWN"
},
"title": "UDP traffic amplification via fastd\u0027s fast reconnect feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24356",
"datePublished": "2025-01-27T17:31:38.541Z",
"dateReserved": "2025-01-20T15:18:26.988Z",
"dateUpdated": "2025-01-28T15:39:06.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8677 (GCVE-0-2025-8677)
Vulnerability from cvelistv5 – Published: 2025-10-22 15:43 – Updated: 2025-11-04 21:15- CWE-405 - Asymmetric Resource Consumption (Amplification)
| URL | Tags |
|---|---|
| https://kb.isc.org/docs/cve-2025-8677 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/10/22/1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T17:29:14.290863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T17:29:39.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:15:09.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/10/22/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BIND 9",
"vendor": "ISC",
"versions": [
{
"lessThanOrEqual": "9.18.39",
"status": "affected",
"version": "9.18.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.13",
"status": "affected",
"version": "9.20.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.21.12",
"status": "affected",
"version": "9.21.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.18.39-S1",
"status": "affected",
"version": "9.18.11-S1",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.20.13-S1",
"status": "affected",
"version": "9.20.9-S1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention."
}
],
"datePublic": "2025-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.\nThis issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."
}
],
"exploits": [
{
"lang": "en",
"value": "We are not aware of any active exploits."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker could overwhelm the server, significantly impacting performance and leading to denial of service for legitimate clients."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T15:43:10.369Z",
"orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"shortName": "isc"
},
"references": [
{
"name": "CVE-2025-8677",
"tags": [
"vendor-advisory"
],
"url": "https://kb.isc.org/docs/cve-2025-8677"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Resource exhaustion via malformed DNSKEY handling",
"workarounds": [
{
"lang": "en",
"value": "No workarounds known."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
"assignerShortName": "isc",
"cveId": "CVE-2025-8677",
"datePublished": "2025-10-22T15:43:10.369Z",
"dateReserved": "2025-08-06T17:32:34.755Z",
"dateUpdated": "2025-11-04T21:15:09.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56200 (GCVE-0-2024-56200)
Vulnerability from cvelistv5 – Published: 2024-12-19 18:43 – Updated: 2024-12-20 20:03| URL | Tags |
|---|---|
| https://github.com/nexryai/altair/security/adviso… | x_refsource_CONFIRM |
| https://github.com/misskey-dev/misskey/security/a… | x_refsource_MISC |
| https://github.com/nexryai/altair/commit/20bad515… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T20:03:37.413091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:03:46.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "altair",
"vendor": "nexryai",
"versions": [
{
"status": "affected",
"version": "\u003c v12.24Q4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image proxy for compressing and resizing remote files could allow attacks that could affect availability, such as by abnormally increasing the CPU usage of the server on which this software is running or placing a heavy load on the network it is using. This issue has been fixed in v12.24Q4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T18:43:06.397Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nexryai/altair/security/advisories/GHSA-3pfm-hp96-pfgv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nexryai/altair/security/advisories/GHSA-3pfm-hp96-pfgv"
},
{
"name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v23600",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-gq5q-c77c-v23600"
},
{
"name": "https://github.com/nexryai/altair/commit/20bad5155a8d73f8d807c6c1ae0f7b8041331be8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nexryai/altair/commit/20bad5155a8d73f8d807c6c1ae0f7b8041331be8"
}
],
"source": {
"advisory": "GHSA-3pfm-hp96-pfgv",
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Recursion and Asymmetric Resource Consumption in Altair media/file proxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56200",
"datePublished": "2024-12-19T18:43:06.397Z",
"dateReserved": "2024-12-18T18:29:25.896Z",
"dateUpdated": "2024-12-20T20:03:46.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55628 (GCVE-0-2024-55628)
Vulnerability from cvelistv5 – Published: 2025-01-06 18:02 – Updated: 2025-01-06 19:14| URL | Tags |
|---|---|
| https://github.com/OISF/suricata/security/advisor… | x_refsource_CONFIRM |
| https://github.com/OISF/suricata/commit/19cf0f813… | x_refsource_MISC |
| https://github.com/OISF/suricata/commit/37f4c52b2… | x_refsource_MISC |
| https://github.com/OISF/suricata/commit/3a5671739… | x_refsource_MISC |
| https://redmine.openinfosecfoundation.org/issues/7280 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:14:22.117040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:14:33.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "suricata",
"vendor": "OISF",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-779",
"description": "CWE-779: Logging of Excessive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T18:02:10.692Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j"
},
{
"name": "https://github.com/OISF/suricata/commit/19cf0f81335d9f787d587450f7105ad95a648951",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/19cf0f81335d9f787d587450f7105ad95a648951"
},
{
"name": "https://github.com/OISF/suricata/commit/37f4c52b22fcdde4adf9b479cb5700f89d00768d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/37f4c52b22fcdde4adf9b479cb5700f89d00768d"
},
{
"name": "https://github.com/OISF/suricata/commit/3a5671739f5b25e5dd973a74ca5fd8ea40e1ae2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OISF/suricata/commit/3a5671739f5b25e5dd973a74ca5fd8ea40e1ae2d"
},
{
"name": "https://redmine.openinfosecfoundation.org/issues/7280",
"tags": [
"x_refsource_MISC"
],
"url": "https://redmine.openinfosecfoundation.org/issues/7280"
}
],
"source": {
"advisory": "GHSA-96w4-jqwf-qx2j",
"discovery": "UNKNOWN"
},
"title": "Suricata oversized resource names utilizing DNS name compression can lead to resource starvation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55628",
"datePublished": "2025-01-06T18:02:10.692Z",
"dateReserved": "2024-12-09T17:48:05.557Z",
"dateUpdated": "2025-01-06T19:14:33.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
An application must make resources available to a client commensurate with the client's access level.
Mitigation
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Mitigation
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
No CAPEC attack patterns related to this CWE.