Common Weakness Enumeration

CWE-405

Allowed-with-Review

Asymmetric Resource Consumption (Amplification)

Abstraction: Class · Status: Incomplete

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

85 vulnerabilities reference this CWE, most recent first.

GHSA-W75X-F9JM-QXX4

Vulnerability from github – Published: 2022-05-06 00:00 – Updated: 2022-05-14 00:03
VLAI
Details

OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-05T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition.",
  "id": "GHSA-w75x-f9jm-qxx4",
  "modified": "2022-05-14T00:03:34Z",
  "published": "2022-05-06T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38447"
    },
    {
      "type": "WEB",
      "url": "https://opendds.org"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W8W2-83MF-6CP5

Vulnerability from github – Published: 2025-01-30 00:31 – Updated: 2025-02-11 21:32
VLAI
Details

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-29T22:15:28Z",
    "severity": "HIGH"
  },
  "details": "It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to attack this exposure.\nThis issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.32-S1.",
  "id": "GHSA-w8w2-83mf-6cp5",
  "modified": "2025-02-11T21:32:05Z",
  "published": "2025-01-30T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11187"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2024-11187"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250207-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X39R-JQ9Q-XVVH

Vulnerability from github – Published: 2026-02-10 18:30 – Updated: 2026-02-10 18:30
VLAI
Details

A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T18:16:37Z",
    "severity": "HIGH"
  },
  "details": "A series of specifically crafted, unauthenticated messages can exhaust available memory and crash a MongoDB server.",
  "id": "GHSA-x39r-jq9q-xvvh",
  "modified": "2026-02-10T18:30:43Z",
  "published": "2026-02-10T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25611"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-116206"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-116210"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-116211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XFCF-WWR2-W555

Vulnerability from github – Published: 2026-05-30 18:31 – Updated: 2026-06-01 18:31
VLAI
Details

Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.

Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.

A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.

Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-405"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-30T16:17:05Z",
    "severity": "MODERATE"
  },
  "details": "Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.\n\nText::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.\n\nA side effect of this is that the full input can be duplicated for each segment.  Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.\n\nNote that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.",
  "id": "GHSA-xfcf-wwr2-w555",
  "modified": "2026-06-01T18:31:47Z",
  "published": "2026-05-30T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hatukanezumi/Unicode-LineBreak/pull/6"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/NEZUMI/Unicode-LineBreak-2019.001/source/lib/Text/LineFold.pm#L407-415"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/30/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVR7-P2C6-J83W

Vulnerability from github – Published: 2025-08-13 23:54 – Updated: 2025-08-13 23:54
VLAI
Summary
swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability
Details

The HTTP/2 MadeYouReset vulnerability has a mild effect on swift-nio-http2.

swift-nio-http2 mostly protects against MadeYouReset by using a number of existing denial-of-service prevention patterns that we added in response to the RapidReset vulnerabilities. The result is that servers are not vulnerable to naive attacks based on MadeYouReset, and the naive PoC examples do not affect swift-nio-http2.

However, in 1.38.0 we added some defense-in-depth measures as a precautionary measure that detect clients behaving "weirdly". These defense in depth measures tackle resource drain attacks where attackers interleave attack traffic with legitimate traffic to try to evade our existing DoS prevention mechanisms.

We recommend all adopters move to 1.38.0 as soon as possible to mitigate against more sophisticated attacks that may appear in the future.

We are very grateful to @galbarnahum, @AnatBB, and @YanivRL for their reporting and assistance with our process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio-http2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.38.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-405"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T23:54:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The HTTP/2 [MadeYouReset vulnerability](https://galbarnahum.com/made-you-reset) has a mild effect on swift-nio-http2.\n\nswift-nio-http2 mostly protects against MadeYouReset by using a number of existing denial-of-service prevention patterns that we added in response to the RapidReset vulnerabilities. The result is that servers are not vulnerable to naive attacks based on MadeYouReset, and the naive PoC examples do not affect swift-nio-http2.\n\nHowever, in 1.38.0 we added some defense-in-depth measures as a precautionary measure that detect clients behaving \"weirdly\". These defense in depth measures tackle resource drain attacks where attackers interleave attack traffic with legitimate traffic to try to evade our existing DoS prevention mechanisms.\n\nWe recommend all adopters move to 1.38.0 as soon as possible to mitigate against more sophisticated attacks that may appear in the future.\n\nWe are very grateful to @galbarnahum, @AnatBB, and @YanivRL for their reporting and assistance with our process.",
  "id": "GHSA-xvr7-p2c6-j83w",
  "modified": "2025-08-13T23:54:02Z",
  "published": "2025-08-13T23:54:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-xvr7-p2c6-j83w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio-http2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability"
}

Mitigation
Architecture and Design

An application must make resources available to a client commensurate with the client's access level.

Mitigation
Architecture and Design

An application must, at all times, keep track of allocated resources and meter their usage appropriately.

Mitigation
System Configuration

Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.

No CAPEC attack patterns related to this CWE.