CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,396 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 58 of 68
- CVE-2025-58157HIGHCVSS 7.5EG 7.52025-08-29
gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge q…
- CVE-2025-58349CRITICALCVSS 9.1EG 9.12026-04-06
An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Inc…
- CVE-2025-58369MEDIUMCVSS 5.3EG 5.32025-09-05
fs2 is a compositional, streaming I/O library for Scala. Versions up to and including 2.5.12, 3.0.0-M1 through 3.12.2, and 3.13.0-M1 through 3.13.0-M6 are vulnerable to denial of service attacks though TLS sessions using fs2-io on the JVM …
- CVE-2025-58436MEDIUMCVSS 5.1EG 5.12025-11-29
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, …
- CVE-2025-58451HIGHCVSS 8.7EG 8.72025-09-08
Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. This could cause excessive CPU usage due to excessive backtracking on crafted inputs…
- CVE-2025-58767MEDIUMCVSS 5.3EG 5.32025-09-17
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXM…
- CVE-2025-5889LOWCVSS 3.1EG 3.12025-06-09
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular e…
- CVE-2025-5890MEDIUMCVSS 4.3EG 4.32025-06-09
A vulnerability classified as problematic has been found in actions toolkit 0.5.0. This affects the function globEscape of the file toolkit/packages/glob/src/internal-pattern.ts of the component glob. The manipulation leads to inefficient …
- CVE-2025-5891MEDIUMCVSS 5.3EG 4.32025-06-09
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can b…
- CVE-2025-5892HIGHCVSS 7.5EG 4.32025-06-09
A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the a…
- CVE-2025-5895HIGHCVSS 7.5EG 4.32025-06-09
A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. I…
- CVE-2025-5896HIGHCVSS 7.5EG 4.32025-06-09
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular ex…
- CVE-2025-5897HIGHCVSS 7.5EG 4.32025-06-09
A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. T…
- CVE-2025-59043HIGHCVSS 7.5EG 7.52025-10-17
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to …
- CVE-2025-59139MEDIUMCVSS 5.3EG 5.32025-09-12
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP heade…
- CVE-2025-59403CRITICALCVSS 9.8EG 6.52025-10-02
The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoi…
- CVE-2025-59439HIGHCVSS 7.5EG 7.52026-02-03
An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of I…
- CVE-2025-59440HIGHCVSS 7.5EG 7.52026-04-06
An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. I…
- CVE-2025-59464HIGHCVSS 7.5EG 6.52026-01-20
A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory…
- CVE-2025-59465HIGHCVSS 7.5EG 7.52026-01-20
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote …
- CVE-2025-59471MEDIUMCVSS 5.9EG 5.92026-01-26
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without…
- CVE-2025-59472MEDIUMCVSS 5.9EG 5.92026-01-26
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes…
- CVE-2025-59502HIGHCVSS 7.5EG 7.52025-10-14
Uncontrolled resource consumption in Windows Remote Procedure Call allows an unauthorized attacker to deny service over a network.
- CVE-2025-59529MEDIUMCVSS 5.5EG 5.52025-12-18
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited conn…
- CVE-2025-59830HIGHCVSS 7.5EG 7.52025-09-25
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to b…
- CVE-2025-59975HIGHCVSS 7.5EG 7.52025-10-09
An Uncontrolled Resource Consumption vulnerability in the HTTP daemon (httpd) of Juniper Networks Junos Space allows an unauthenticated network-based attacker flooding the device with inbound API calls to consume all resources on the syste…
- CVE-2025-60349HIGHCVSS 7.5EG 7.52025-10-28
An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servi…
- CVE-2025-60419MEDIUMCVSS 6.2EG 6.22025-10-24
An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service.
- CVE-2025-60458MEDIUMCVSS 6.5EG 6.52025-12-29
UxPlay 1.72 contains a double free vulnerability in its RTSP request handling. A specially crafted RTSP TEARDOWN request can trigger multiple calls to free() on the same memory address, potentially causing a Denial of Service.
- CVE-2025-60536HIGHCVSS 7.5EG 7.52025-10-14
An issue in the Configure New Cluster interface of kafka-ui v0.6.0 to v0.7.2 allows attackers to cause a Denial of Service (DoS) via uploading a crafted configuration file.
- CVE-2025-60638HIGHCVSS 7.5EG 7.52025-11-24
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.
- CVE-2025-6075MEDIUMCVSS 5.5EG 5.52025-10-31
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
- CVE-2025-60753MEDIUMCVSS 5.5EG 5.52025-11-05
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (O…
- CVE-2025-60790MEDIUMCVSS 6.5EG 6.52025-10-21
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service.
- CVE-2025-61025HIGHCVSS 7.5EG 7.52026-06-23
An issue in the sslr_qst_get component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61155MEDIUMCVSS 5.5EG 5.52025-10-28
The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL …
- CVE-2025-61301HIGHCVSS 7.5EG 7.52025-10-20
Denial-of-analysis in reporting/mongodb.py and reporting/jsondump.py in CAPEv2 (commit 52e4b43, on 2025-05-17) allows attackers who can submit samples to cause incomplete or missing behavioral analysis reports by generating deeply nested o…
- CVE-2025-61303CRITICALCVSS 9.8EG 9.82025-10-20
Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-o…
- CVE-2025-6140LOWCVSS 3.3EG 3.32025-06-16
A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. It is po…
- CVE-2025-61595HIGHCVSS 8.8EG 8.82025-10-02
MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx…
- CVE-2025-61600HIGHCVSS 7.5EG 7.52025-10-02
Stalwart is a mail and collaboration server. Versions 0.13.3 and below contain an unbounded memory allocation vulnerability in the IMAP protocol parser which allows remote attackers to exhaust server memory, potentially triggering the syst…
- CVE-2025-6176HIGHCVSS 7.5EG 7.52025-10-31
Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing r…
- CVE-2025-61770HIGHCVSS 7.5EG 7.52025-10-07
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can s…
- CVE-2025-61771HIGHCVSS 7.5EG 7.52025-10-07
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large te…
- CVE-2025-61772HIGHCVSS 7.5EG 7.52025-10-07
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRL…
- CVE-2025-61919HIGHCVSS 7.5EG 7.52025-10-10
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` …
- CVE-2025-61920HIGHCVSS 7.5EG 7.52025-10-10
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url…
- CVE-2025-6208MEDIUMCVSS 5.3EG 5.32026-02-02
The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) …
- CVE-2025-62260HIGHCVSS 7.5EG 7.52025-10-27
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests…
- CVE-2025-62475MEDIUMCVSS 4.9EG 4.92025-10-21
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Core). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network access via HT…
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →