Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,097)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-16099 1No Case Project 1No Case Nov 21, 2024 Jun 7, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.
CVE-2017-16098 1Charset Project 1Charset Nov 21, 2024 Jun 7, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= o...Show more charset 1.0.0 and below are vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option the default header max length is 80kb, so the impact of the ReDoS is relatively low.Show less
CVE-2017-16086 1Ua Parser Project 1Ua Parser Nov 21, 2024 Jun 7, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
CVE-2017-16030 1Useragent Project 1Useragent Nov 21, 2024 Jun 4, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and se...Show more Useragent is used to parse useragent headers. It uses several regular expressions to accomplish this. An attacker could edit their own headers, creating an arbitrarily long useragent string, causing the event loop and server to block. This affects Useragent 2.1.12 and earlier.Show less
CVE-2017-16025 1Hapijs 1Nes Nov 21, 2024 Jun 4, 2018 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket au...Show more Nes is a websocket extension library for hapi. Hapi is a webserver framework. Versions below and including 6.4.0 have a denial of service vulnerability via an invalid Cookie header. This is only present when websocket authentication is set to `cookie`. Submitting an invalid cookie on the websocket upgrade request will cause the node process to error out.Show less
CVE-2017-16023 1Decamelize Project 1Decamelize Nov 21, 2024 Jun 4, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be use...Show more Decamelize is used to convert a dash/dot/underscore/space separated string to camelCase. Decamelize 1.1.0 through 1.1.1 uses regular expressions to evaluate a string and takes unescaped separator values, which can be used to create a denial of service attack.Show less
CVE-2017-16021 1Garycourt 1Uri Js Nov 21, 2024 Jun 4, 2018 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulne...Show more uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.Show less
CVE-2017-16013 1Hapijs 1Hapi Nov 21, 2024 Jun 4, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connecti...Show more hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.Show less
CVE-2017-6153 1F5 13Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+10 more Nov 21, 2024 Jun 1, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected t...Show more Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3.1, 11.5.1-11.5.5, or 11.2.1 system that utilizes inflate functionality directly, via an iRule, or via the inflate code from PEM module are subjected to a service disruption via a "Zip Bomb" attack.Show less
CVE-2016-10544 1Uws Project 1Uws Nov 21, 2024 May 31, 2018 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of w...Show more uws is a WebSocket server library. By sending a 256mb websocket message to a uws server instance with permessage-deflate enabled, there is a possibility used compression will shrink said 256mb down to less than 16mb of websocket payload which passes the length check of 16mb payload. This data will then inflate up to 256mb and crash the node process by exceeding V8's maximum string size. This affects uws >=0.10.0 <=0.10.8.Show less
CVE-2016-10542 1Ws Project 1Ws Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to c...Show more ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.Show less
CVE-2016-10540 1Minimatch Project 1Minimatch Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS i...Show more Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.Show less
CVE-2016-10539 1Negotiator Project 1Negotiator Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Re...Show more negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.Show less
CVE-2016-10527 1Riot.js 1Riot Compiler Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions.
CVE-2016-10524 1I18n Node Angular Project 1I18n Node Angular Nov 21, 2024 May 31, 2018 N/A· v4 8.2 HIGH· v3 6.0 MEDIUM· v2 i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in productio...Show more i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments a malicious user could fill up the server causing a Denial of Service or content injection.Show less
CVE-2016-10523 1Mqtt Packet Project 1Mqtt Packet Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.
CVE-2016-10521 1Jshamcrest Project 1Jshamcrest Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.
CVE-2016-10520 1Jadedown Project 1Jadedown Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.
CVE-2015-9239 1Ansi2html Project 1Ansi2html Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 ansi2html is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.
CVE-2014-10064 1Qs Project 1Qs Nov 21, 2024 May 31, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker coul...Show more The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.Show less

Previous 1...139140141...155 Next