CWE-400— Uncontrolled Resource Consumption (Denial of Service)
The product does not properly control the allocation and maintenance of a limited resource.— MITRE CWE catalog
3,396 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-400page 59 of 68
- CVE-2025-62476MEDIUMCVSS 4.9EG 4.92025-10-21
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Remote Replication). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network…
- CVE-2025-62477MEDIUMCVSS 4.9EG 4.92025-10-21
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Remote Replication). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network…
- CVE-2025-62478MEDIUMCVSS 4.9EG 4.92025-10-21
Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Object Store). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with network acces…
- CVE-2025-62706MEDIUMCVSS 6.5EG 6.52025-10-22
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes…
- CVE-2025-6274LOWCVSS 3.3EG 3.32025-06-19
A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacki…
- CVE-2025-62854MEDIUMCVSS 6.5EG 6.52026-02-11
An uncontrolled resource consumption vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already …
- CVE-2025-6297HIGHCVSS 8.2EG 8.22025-07-01
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving …
- CVE-2025-63288HIGHCVSS 7.5EG 7.52025-11-10
In Open5GS 2.7.6, AMF crashes when receiving an abnormal NGSetupRequest message, resulting in denial of service.
- CVE-2025-63560HIGHCVSS 7.5EG 7.52025-11-06
An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component.
- CVE-2025-63561HIGHCVSS 7.5EG 7.52025-10-31
Summer Pearl Group Vacation Rental Management Platform prior to 1.0.2 is susceptible to a Slowloris-style Denial-of-Service (DoS) condition in the HTTP connection handling layer, where an attacker that opens and maintains many slow or part…
- CVE-2025-6365HIGHCVSS 7.5EG 5.72025-06-20
A vulnerability was found in HobbesOSR Kitten up to c4f8b7c3158983d1020af432be1b417b28686736 and classified as critical. Affected by this issue is the function set_pte_at in the library /include/arch-arm64/pgtable.h. The manipulation leads…
- CVE-2025-63811HIGHCVSS 7.5EG 7.52025-11-12
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encryption (JWE) token with an exceptionally high compression ratio.
- CVE-2025-64388CRITICALCVSS 9.2EG 9.22025-10-31
Denial of service of the web server through specific requests to this protocol
- CVE-2025-6492MEDIUMCVSS 5.3EG 5.32025-06-22
A vulnerability has been found in MarkText up to 0.17.1 and classified as problematic. Affected by this vulnerability is the function getRecommendTitleFromMarkdownString of the file marktext/src/main/utils/index.js. The manipulation leads …
- CVE-2025-6493MEDIUMCVSS 5.3EG 5.32025-06-22
A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown Mode. This manipulation causes inefficient regular expression complexity. It is pos…
- CVE-2025-65122HIGHCVSS 7.5EG 7.52026-05-07
Regex Denial of Service in youtube-regex npm package through version 1.0.5.
- CVE-2025-65518HIGHCVSS 7.5EG 7.52026-01-08
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected w…
- CVE-2025-65637HIGHCVSS 7.5EG 7.52025-12-04
A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer() to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails wit…
- CVE-2025-65781HIGHCVSS 8.2EG 8.22025-12-15
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Attachment upload API treats the Authorization bearer value as a userId and enters a non-terminating body-handling branch for any non…
- CVE-2025-65803MEDIUMCVSS 6.5EG 7.52025-12-10
An integer overflow in the psdParser::ReadImageData function of FreeImage v3.18.0 and before allows attackers to cause a Denial of Service (DoS) via supplying a crafted PSD file.
- CVE-2025-65886HIGHCVSS 7.5EG 7.52026-01-28
A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes.
- CVE-2025-65888HIGHCVSS 7.5EG 7.52026-01-28
A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value.
- CVE-2025-65889HIGHCVSS 7.5EG 7.52026-01-28
A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
- CVE-2025-65890HIGHCVSS 7.5EG 7.52026-01-28
A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index.
- CVE-2025-65891HIGHCVSS 7.5EG 7.52026-01-28
A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index.
- CVE-2025-65947HIGHCVSS 8.7EG 8.72025-11-21
thread-amount is a tool that gets the amount of threads in the current process. Prior to version 0.2.2, there are resource leaks when querying thread counts on Windows and Apple platforms. In Windows platforms, the thread_amount function c…
- CVE-2025-6599HIGHCVSS 7.5EG 5.32025-11-18
An uncontrolled resource consumption vulnerability in the web server of Zyxel DX3301-T0 firmware version 5.50(ABVY.6.3)C0 and earlier could allow an attacker to perform Slowloris‑style denial‑of‑service (DoS) attacks. Such attacks ma…
- CVE-2025-66019MEDIUMCVSS 6.6EG 6.62025-11-26
pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a …
- CVE-2025-66303MEDIUMCVSS 4.9EG 4.92025-12-01
Grav is a file-based Web platform. Prior to 1.8.0-beta.27, A Denial of Service (DoS) vulnerability has been identified in Grav related to the handling of scheduled_at parameters. Specifically, the application fails to properly sanitize inp…
- CVE-2025-66453HIGHCVSS 7.5EG 7.52025-12-03
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high …
- CVE-2025-66676MEDIUMCVSS 6.2EG 6.22026-02-13
An issue in IObit Unlocker v1.3.0.11 allows attackers to cause a Denial of Service (DoS) via a crafted request.
- CVE-2025-66861LOWCVSS 2.5EG 2.52025-12-29
An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.
- CVE-2025-66863HIGHCVSS 7.5EG 7.52025-12-29
An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.
- CVE-2025-66959HIGHCVSS 7.5EG 7.52026-01-21
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder
- CVE-2025-66960HIGHCVSS 7.5EG 7.52026-01-21
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata
- CVE-2025-6712MEDIUMCVSS 6.5EG 6.52025-07-07
MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain in…
- CVE-2025-67133HIGHCVSS 7.5EG 7.52026-01-09
An issue in Hero Motocorp Vida V1 Pro 2.0.7 allows a local attacker to cause a denial of service via the BLE component
- CVE-2025-6714HIGHCVSS 7.5EG 7.52025-07-07
MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0…
- CVE-2025-67445HIGHCVSS 7.5EG 7.52026-02-24
TOTOLINK X5000R V9.1.0cu.2415_B20250515 contains a denial-of-service vulnerability in /cgi-bin/cstecgi.cgi. The CGI reads the CONTENT_LENGTH environment variable and allocates memory using malloc (CONTENT_LENGTH + 1) without sufficient bou…
- CVE-2025-67725HIGHCVSS 7.5EG 7.52025-12-12
Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. T…
- CVE-2025-67726HIGHCVSS 7.5EG 7.52025-12-12
Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py…
- CVE-2025-67731HIGHCVSS 7.5EG 7.52025-12-12
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies…
- CVE-2025-67779HIGHCVSS 7.5EG 7.52025-12-12
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allo…
- CVE-2025-67835MEDIUMCVSS 6.5EG 6.52026-01-14
Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality.
- CVE-2025-6817LOWCVSS 3.3EG 3.32025-06-28
A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5C__load_entry of the file /src/H5Centry.c. The manipulation leads to resource consumption. The attack needs to be approa…
- CVE-2025-68272HIGHCVSS 7.5EG 7.52026-01-01
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request…
- CVE-2025-68971MEDIUMCVSS 6.5EG 7.52026-03-16
In Forgejo through 13.0.3, the attachment component allows a denial of service by uploading a multi-gigabyte file attachment (e.g., to be associated with an issue or a release).
- CVE-2025-69198MEDIUMCVSS 6.5EG 6.52026-01-19
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. T…
- CVE-2025-69199MEDIUMCVSS 6.5EG 6.52026-01-19
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large n…
- CVE-2025-6921HIGHCVSS 7.5EG 7.52025-09-23
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer. The vulnerability arises from the _do_use_weight_decay method, which processes …
Map vulnerabilities like CWE-400 to your infrastructure
EchelonGraph correlates every CVE — across CWE-400 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →