Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVEs (3,056)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-63560 1Kiloview 1E3 Firmware Feb 4, 2026 Nov 6, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component.
CVE-2025-60753 1Libarchive 1Libarchive Feb 4, 2026 Nov 5, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to d...Show more An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).Show less
CVE-2025-49494 1Samsung 8Exynos 1280 Firmware Exynos 1330 FirmwareExynos 1380 Firmware+5 more Nov 7, 2025 Nov 4, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 2100, 1280, 2200, 1330, 1380, 1480, 9110, Modem 5123. Mishandling of an 5G NRMM packet leads to a Denial of Service.
CVE-2025-43462 1Apple 5Ipados Iphone OsTvos+2 more Apr 2, 2026 Nov 4, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to cause unexpected system termination...Show more The issue was addressed with improved memory handling. This issue is fixed in iOS 26.1 and iPadOS 26.1, macOS Tahoe 26.1, tvOS 26.1, visionOS 26.1, watchOS 26.1. An app may be able to cause unexpected system termination or corrupt kernel memory.Show less
CVE-2025-63561 1Summerpearlgroup 1Vacation Rental Management Platform Nov 5, 2025 Oct 31, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Summer Pearl Group Vacation Rental Management Platform prior to 1.0.2 is susceptible to a Slowloris-style Denial-of-Service (DoS) condition in the HTTP connection handling layer, where an attacker that opens and maintain...Show more Summer Pearl Group Vacation Rental Management Platform prior to 1.0.2 is susceptible to a Slowloris-style Denial-of-Service (DoS) condition in the HTTP connection handling layer, where an attacker that opens and maintains many slow or partially-completed HTTP connections can exhaust the server’s connection pool and worker capacity, preventing legitimate users and APIs from accessing the service.Show less
CVE-2025-6075 1Python 1Python Feb 4, 2026 Oct 31, 2025 1.8 LOW· v4 5.5 MEDIUM· v3 N/A· v2 If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-64388 - - Nov 4, 2025 Oct 31, 2025 9.2 CRITICAL· v4 N/A· v3 N/A· v2 Denial of service of the web server through specific requests to this protocol
CVE-2025-30188 - - Nov 4, 2025 Oct 31, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component....Show more Malicious or unintentional API requests can be used to add significant amount of data to caches. Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. Please deploy the provided updates and patch releases. No publicly available exploits are knownShow less
CVE-2025-8849 1Librechat 1Librechat Nov 10, 2025 Oct 31, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper...Show more LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the `/api/memories` endpoint. The `key` and `value` parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessively large values are submitted. This results in the inability to create new memories, impacting the stability of the service.Show less
CVE-2025-6176 - - Nov 4, 2025 Oct 31, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli...Show more Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.Show less
CVE-2025-5342 1Zohocorp 1Manageengine Exchange Reporter Plus Nov 7, 2025 Oct 30, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.
CVE-2025-10932 - - Oct 30, 2025 Oct 29, 2025 N/A· v4 8.2 HIGH· v3 N/A· v2 Uncontrolled Resource Consumption vulnerability in Progress MOVEit Transfer (AS2 module).This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.3, from 2024.1.0 before 2024.1.7, from 2023.1.0 before 2023.1.16.
CVE-2025-54605 1Bitcoin 1Bitcoin Core Nov 7, 2025 Oct 28, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2).
CVE-2025-54604 1Bitcoin 1Bitcoin Core Nov 7, 2025 Oct 28, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2).
CVE-2025-61155 - - Dec 4, 2025 Oct 28, 2025 N/A· v4 5.5 MEDIUM· v3 N/A· v2 The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send speci...Show more The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process can open a handle to the driver device and send specially crafted IOCTL requests. These requests are executed in kernel-mode context without proper authentication or access validation, allowing the attacker to terminate arbitrary processes, including critical system and security services, without requiring administrative privileges.Show less
CVE-2025-60349 - - Oct 30, 2025 Oct 28, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\Curr...Show more An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated.Show less
CVE-2025-62260 1Liferay 2Digital Experience Platform Liferay Portal Nov 10, 2025 Oct 27, 2025 7.1 HIGH· v4 7.5 HIGH· v3 N/A· v2 Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from He...Show more Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.Show less
CVE-2025-12194 - - Oct 27, 2025 Oct 24, 2025 5.9 MEDIUM· v4 N/A· v3 N/A· v2 Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on A...Show more Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legion of the Bouncy Castle Inc. Bouncy Castle for Java LTS bcprov-lts8on on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/fips/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCFB.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeEngine.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCBC.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeGCMSIV.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCCM.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/engines/AESNativeCTR.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA256NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA224NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA3NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHAKENativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA512NativeDigest.Java, core/src/main/jdk1.9/org/bouncycastle/crypto/digests/SHA384NativeDigest.Java. This issue affects Bouncy Castle for Java FIPS: from 2.1.0 through 2.1.1; Bouncy Castle for Java LTS: from 2.73.0 through 2.73.7.Show less
CVE-2025-60419 - - Oct 27, 2025 Oct 24, 2025 N/A· v4 6.2 MEDIUM· v3 N/A· v2 An issue was discovered in the NDIS Usermode IO driver (RtkIOAC60.sys, version 6.0.5600.16348) allowing local authenticated attackers to send a crafted IOCTL request to the driver to cause a denial of service.
CVE-2025-62706 1Authlib 1Authlib Nov 3, 2025 Oct 22, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hund...Show more Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.5, Authlib’s JWE zip=DEF path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of megabytes on decrypt, allowing an attacker who can supply decryptable tokens to exhaust memory and CPU and cause denial of service. This issue has been patched in version 1.6.5. Workarounds for this issue involve rejecting or stripping zip=DEF for inbound JWEs at the application boundary, forking and add a bounded decompression guard via decompressobj().decompress(data, MAX_SIZE)) and returning an error when output exceeds a safe limit, or enforcing strict maximum token sizes and fail fast on oversized inputs; combine with rate limiting.Show less

Previous 1...222324...153 Next