Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,099)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-49555 1Yasm Project 1Yasm Jun 17, 2025 Jan 3, 2024 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue in YASM 1.3.0.86.g9def allows a remote attacker to cause a denial of service via the expand_smacro function in the modules/preprocs/nasm/nasm-pp.c component.
CVE-2023-49550 1Cesanta 1Mjs May 16, 2025 Jan 2, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs+0x4ec508 component.
CVE-2023-50020 1Open5gs 1Open5gs Jun 18, 2025 Jan 2, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in open5gs v2.6.6. SIGPIPE can be used to crash AMF.
CVE-2023-50019 1Open5gs 1Open5gs Apr 17, 2025 Jan 2, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 An issue was discovered in open5gs v2.6.6. InitialUEMessage, Registration request sent at a specific time can crash AMF due to incorrect error handling of Nudm_UECM_Registration response.
CVE-2023-26157 1Gnu 1Libredwg Nov 21, 2024 Jan 2, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Versions of the package libredwg before 0.12.5.6384 are vulnerable to Denial of Service (DoS) due to an out-of-bounds read involving section->num_pages in decode_r2007.c.
CVE-2023-50730 1Typelevel 1Grackle Nov 21, 2024 Dec 22, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle versi...Show more Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. The GraphQL specification requires that GraphQL fragments must not form cycles, either directly or indirectly. Prior to Grackle version 0.18.0, that requirement wasn't checked, and queries with cyclic fragments would have been accepted for type checking and compilation. The attempted compilation of such fragments would result in a JVM `StackOverflowError` being thrown. Some knowledge of an applications GraphQL schema would be required to construct such a query, however no knowledge of any application-specific performance or other behavioural characteristics would be needed. Grackle uses the cats-parse library for parsing GraphQL queries. Prior to version 0.18.0, Grackle made use of the cats-parse `recursive` operator. However, `recursive` is not currently stack safe. `recursive` was used in three places in the parser: nested selection sets, nested input values (lists and objects), and nested list type declarations. Consequently, queries with deeply nested selection sets, input values or list types could be constructed which exploited this, causing a JVM `StackOverflowException` to be thrown during parsing. Because this happens very early in query processing, no specific knowledge of an applications GraphQL schema would be required to construct such a query. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability. This potentially affects all applications using Grackle which have untrusted users. Both stack overflow issues have been resolved in the v0.18.0 release of Grackle. As a workaround, users could interpose a sanitizing layer in between untrusted input and Grackle query processing.Show less
CVE-2023-46131 1Grails 1Grails Nov 21, 2024 Dec 21, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data...Show more Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0. Show less
CVE-2023-50249 1Sentry 1Astro Nov 21, 2024 Dec 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability...Show more Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0.Show less
CVE-2023-50707 1Efacec 1Bcu 500 Firmware Nov 21, 2024 Dec 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.
CVE-2023-46104 1Apache 1Superset Feb 13, 2025 Dec 19, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and incl...Show more Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.Show less
CVE-2023-41151 1Softing 3Opc Opc Ua C++ Software Development KitSecure Integration Server May 22, 2025 Dec 14, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writi...Show more An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writing.Show less
CVE-2023-6193 1Cloudflare 1Quiche Nov 21, 2024 Dec 12, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires t...Show more quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received; leading to storage of path validation data in an unbounded queue. Quiche versions greater than 0.19.0 address this problem.Show less
CVE-2023-49713 1Jtekt 10Gc A22w Cw Firmware Gc A24 M FirmwareGc A24 Firmware+7 more Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Denial-of-service (DoS) vulnerability exists in NetBIOS service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur...Show more Denial-of-service (DoS) vulnerability exists in NetBIOS service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur.Show less
CVE-2023-49143 1Jtekt 10Gc A22w Cw Firmware Gc A24 M FirmwareGc A24 Firmware+7 more Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Denial-of-service (DoS) vulnerability exists in rfe service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur.
CVE-2023-49140 1Jtekt 10Gc A22w Cw Firmware Gc A24 M FirmwareGc A24 Firmware+7 more Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Denial-of-service (DoS) vulnerability exists in commplex-link service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may...Show more Denial-of-service (DoS) vulnerability exists in commplex-link service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur.Show less
CVE-2023-41963 1Jtekt 10Gc A22w Cw Firmware Gc A24 M FirmwareGc A24 Firmware+7 more Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Denial-of-service (DoS) vulnerability exists in FTP service of HMI GC-A2 series. If a remote unauthenticated attacker sends a specially crafted packets to specific ports, a denial-of-service (DoS) condition may occur.
CVE-2023-49809 1Mattermost 1Mattermost Server Nov 21, 2024 Dec 12, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled....Show more Mattermost fails to handle a null request body in the /add endpoint, allowing a simple member to send a request with null request body to that endpoint and make it crash. After a few repetitions, the plugin is disabled. Show less
CVE-2023-45847 1Mattermost 1Mattermost Server Nov 21, 2024 Dec 12, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin
CVE-2023-5870 2Postgresql Redhat 16Codeready Linux Builder Eus Codeready Linux Builder Eus For Power Little Endian EusCodeready Linux Builder For Arm64 Eus+13 more Nov 4, 2025 Dec 10, 2023 N/A· v4 4.4 MEDIUM· v3 N/A· v2 A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation re...Show more A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.Show less
CVE-2023-49800 1Johannschopplich 1Nuxt Api Party Nov 21, 2024 Dec 9, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 `nuxt-api-party` is an open source module to proxy API requests. The library allows the user to send many options directly to `ofetch`. There is no filter on which options are available. We can abuse the retry logic to c...Show more `nuxt-api-party` is an open source module to proxy API requests. The library allows the user to send many options directly to `ofetch`. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. fetchOptions are obtained directly from the request body. A malicious user can construct a URL known to not fetch successfully, then set the retry attempts to a high value, this will cause a stack overflow as ofetch error handling works recursively resulting in a denial of service. This issue has been addressed in version 0.22.1. Users are advised to upgrade. Users unable to upgrade should limit ofetch options.Show less

Previous 1...666768...155 Next