CWE-405
Allowed-with-ReviewAsymmetric Resource Consumption (Amplification)
Abstraction: Class · Status: Incomplete
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
85 vulnerabilities reference this CWE, most recent first.
GHSA-W75X-F9JM-QXX4
Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:03OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2021-38447"
],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-05T17:15:00Z",
"severity": "HIGH"
},
"details": "OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.",
"id": "GHSA-w75x-f9jm-qxx4",
"modified": "2022-05-14T00:03:34Z",
"published": "2022-05-06T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38447"
},
{
"type": "WEB",
"url": "https://opendds.org"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W8W2-83MF-6CP5
Vulnerability from github – Published: 2025-01-30 00:31 – Updated: 2025-02-11 21:32It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.
{
"affected": [],
"aliases": [
"CVE-2024-11187"
],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-29T22:15:28Z",
"severity": "HIGH"
},
"details": "It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.\nThis issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.",
"id": "GHSA-w8w2-83mf-6cp5",
"modified": "2025-02-11T21:32:05Z",
"published": "2025-01-30T00:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11187"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2024-11187"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250207-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X39R-JQ9Q-XVVH
Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.
{
"affected": [],
"aliases": [
"CVE-2026-25611"
],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-10T18:16:37Z",
"severity": "HIGH"
},
"details": "A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.",
"id": "GHSA-x39r-jq9q-xvvh",
"modified": "2026-02-10T18:30:43Z",
"published": "2026-02-10T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25611"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-116206"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-116210"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-116211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XFCF-WWR2-W555
Vulnerability from github – Published: 2026-05-30 18:31 – Updated: 2026-06-01 18:31Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.
Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.
A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.
Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.
{
"affected": [],
"aliases": [
"CVE-2026-8594"
],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-30T16:17:05Z",
"severity": "MODERATE"
},
"details": "Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.\n\nText::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.\n\nA side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.\n\nNote that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.",
"id": "GHSA-xfcf-wwr2-w555",
"modified": "2026-06-01T18:31:47Z",
"published": "2026-05-30T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8594"
},
{
"type": "WEB",
"url": "https://github.com/hatukanezumi/Unicode-LineBreak/pull/6"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/NEZUMI/Unicode-LineBreak-2019.001/source/lib/Text/LineFold.pm#L407-415"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/30/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XVR7-P2C6-J83W
Vulnerability from github – Published: 2025-08-13 23:54 – Updated: 2025-08-13 23:54The HTTP/2 MadeYouReset vulnerability has a mild effect on swift-nio-http2.
swift-nio-http2 mostly protects against MadeYouReset by using a number of existing denial-of-service prevention patterns that we added in response to the RapidReset vulnerabilities. The result is that servers are not vulnerable to naive attacks based on MadeYouReset, and the naive PoC examples do not affect swift-nio-http2.
However, in 1.38.0 we added some defense-in-depth measures as a precautionary measure that detect clients behaving "weirdly". These defense in depth measures tackle resource drain attacks where attackers interleave attack traffic with legitimate traffic to try to evade our existing DoS prevention mechanisms.
We recommend all adopters move to 1.38.0 as soon as possible to mitigate against more sophisticated attacks that may appear in the future.
We are very grateful to @galbarnahum, @AnatBB, and @YanivRL for their reporting and assistance with our process.
{
"affected": [
{
"package": {
"ecosystem": "SwiftURL",
"name": "github.com/apple/swift-nio-http2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.38.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-405"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-13T23:54:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The HTTP/2 [MadeYouReset vulnerability](https://galbarnahum.com/made-you-reset) has a mild effect on swift-nio-http2.\n\nswift-nio-http2 mostly protects against MadeYouReset by using a number of existing denial-of-service prevention patterns that we added in response to the RapidReset vulnerabilities. The result is that servers are not vulnerable to naive attacks based on MadeYouReset, and the naive PoC examples do not affect swift-nio-http2.\n\nHowever, in 1.38.0 we added some defense-in-depth measures as a precautionary measure that detect clients behaving \"weirdly\". These defense in depth measures tackle resource drain attacks where attackers interleave attack traffic with legitimate traffic to try to evade our existing DoS prevention mechanisms.\n\nWe recommend all adopters move to 1.38.0 as soon as possible to mitigate against more sophisticated attacks that may appear in the future.\n\nWe are very grateful to @galbarnahum, @AnatBB, and @YanivRL for their reporting and assistance with our process.",
"id": "GHSA-xvr7-p2c6-j83w",
"modified": "2025-08-13T23:54:02Z",
"published": "2025-08-13T23:54:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-xvr7-p2c6-j83w"
},
{
"type": "PACKAGE",
"url": "https://github.com/apple/swift-nio-http2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability"
}
Mitigation
An application must make resources available to a client commensurate with the client's access level.
Mitigation
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Mitigation
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
No CAPEC attack patterns related to this CWE.