CWE-770— Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.— MITRE CWE catalog
1,933 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-770page 30 of 39
- CVE-2025-55199MEDIUMCVSS 6.5EG 6.52025-08-14
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue…
- CVE-2025-55670MEDIUMCVSS 6.5EG 6.52025-10-15
On BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes systems, repeated undisclosed API calls can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Supp…
- CVE-2025-56223HIGHCVSS 7.5EG 7.52025-10-20
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
- CVE-2025-56571HIGHCVSS 7.5EG 7.52025-09-30
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.
- CVE-2025-56572HIGHCVSS 7.5EG 7.52025-09-30
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
- CVE-2025-5683MEDIUMCVSS 5.5EG 5.52025-06-05
When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.
- CVE-2025-57705MEDIUMCVSS 4.9EG 4.92026-01-02
An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to preve…
- CVE-2025-57708MEDIUMCVSS 6.5EG 6.52026-02-11
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or …
- CVE-2025-57710MEDIUMCVSS 4.9EG 4.92026-02-11
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applica…
- CVE-2025-57711MEDIUMCVSS 4.9EG 4.92026-02-11
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applica…
- CVE-2025-57798MEDIUMCVSS 5.5EG 5.52026-05-19
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper le…
- CVE-2025-57810HIGHCVSS 7.5EG 7.52025-08-26
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs …
- CVE-2025-58058MEDIUMCVSS 5.3EG 5.32025-08-28
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to…
- CVE-2025-58181MEDIUMCVSS 5.3EG 5.32025-11-19
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-58185MEDIUMCVSS 5.3EG 5.32025-10-29
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
- CVE-2025-58340MEDIUMCVSS 6.2EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58341MEDIUMCVSS 6.2EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58342MEDIUMCVSS 6.2EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58343MEDIUMCVSS 5.5EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58344MEDIUMCVSS 6.2EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation in a /proc/driver/unifi0/conn_lo…
- CVE-2025-58345MEDIUMCVSS 5.5EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58346MEDIUMCVSS 5.5EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58347MEDIUMCVSS 5.5EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58348MEDIUMCVSS 5.5EG 6.22026-02-03
An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/dr…
- CVE-2025-58446HIGHCVSS 7.5EG 7.52025-09-06
xgrammar is an open-source library for efficient, flexible, and portable structured generation. A grammar optimizer introduced in 0.1.23 processes large grammars (>100k characters) at very low rates, and can be used for DOS of model provid…
- CVE-2025-58471MEDIUMCVSS 4.9EG 4.92026-02-11
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applica…
- CVE-2025-58474MEDIUMCVSS 5.3EG 5.32025-10-15
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note…
- CVE-2025-58578LOWCVSS 3.8EG 3.82025-10-06
A user with the appropriate authorization can create any number of user accounts via an API endpoint using a POST request. There are no quotas, checking mechanisms or restrictions to limit the creation.
- CVE-2025-58582MEDIUMCVSS 5.3EG 5.32025-10-06
If a user tries to login but the provided credentials are incorrect a log is created. The data for this POST requests is not validated and it’s possible to send giant payloads which are then logged.
- CVE-2025-58754HIGHCVSS 7.5EG 7.52025-09-12
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, …
- CVE-2025-59045HIGHCVSS 7.1EG 7.12025-09-10
Stalwart is a mail and collaboration server. Starting in version 0.12.0 and prior to version 0.13.3, a memory exhaustion vulnerability exists in Stalwart's CalDAV implementation that allows authenticated attackers to cause denial-of-servic…
- CVE-2025-59089MEDIUMCVSS 5.9EG 5.92025-11-12
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-servic…
- CVE-2025-59139MEDIUMCVSS 5.3EG 5.32025-09-12
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP heade…
- CVE-2025-59375HIGHCVSS 7.5EG 7.52025-09-15
libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
- CVE-2025-59418MEDIUMCVSS 5.5EG 5.52025-09-22
BunnyPad is a note taking software. Prior to version 11.0.27000.0915, opening files greater than or equal to 20MB causes buffer overflow to occur. This issue has been patched in version 11.0.27000.0915. Users who wish not to upgrade should…
- CVE-2025-59421LOWCVSS 2.7EG 2.72025-09-18
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). A bad actor can flood the inbox of a user by repeatedly sending invites (duplicate). The issue is fixed…
- CVE-2025-59459MEDIUMCVSS 5.5EG 5.52025-10-27
An attacker that gains SSH access to an unprivileged account may be able to disrupt services (including SSH), causing persistent loss of availability.
- CVE-2025-59778HIGHCVSS 7.5EG 7.52025-10-15
When the Allowed IP Addresses feature is configured on the F5OS-C partition control plane, undisclosed traffic can cause multiple containers to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are …
- CVE-2025-59830HIGHCVSS 7.5EG 7.52025-09-25
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to b…
- CVE-2025-5996MEDIUMCVSS 6.5EG 6.52025-06-12
An issue has been discovered in GitLab CE/EE affecting all versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. A lack of input validation in HTTP responses could allow an authenticated user to cause denial of …
- CVE-2025-6016MEDIUMCVSS 6.5EG 6.52026-04-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service due to insufficient resou…
- CVE-2025-61028HIGHCVSS 7.5EG 7.52026-06-23
An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CVE-2025-61595HIGHCVSS 8.8EG 8.82025-10-02
MANTRA is a purpose-built RWA Layer 1 Blockchain, capable of adherence to real world regulatory requirements. Versions 4.0.1 and below do not enforce the tx gas limit in its send hooks. Send hooks can spend more gas than what remains in tx…
- CVE-2025-61723HIGHCVSS 7.5EG 6.52025-10-29
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
- CVE-2025-61724MEDIUMCVSS 5.3EG 5.32025-10-29
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
- CVE-2025-61726HIGHCVSS 7.5EG 7.52026-01-28
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can pa…
- CVE-2025-61728MEDIUMCVSS 6.5EG 6.52026-01-28
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61775MEDIUMCVSS 6.9EG 6.92025-10-13
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email ad…
- CVE-2025-61920HIGHCVSS 7.5EG 7.52025-10-10
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64url…
- CVE-2025-6203HIGHCVSS 7.5EG 7.52025-08-28
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine…
Map vulnerabilities like CWE-770 to your infrastructure
EchelonGraph correlates every CVE — across CWE-770 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →