Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-40634

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-22 Jul, 2024 | 17:22
Updated At-02 Aug, 2024 | 04:33
Rejected At-
Credits

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:22 Jul, 2024 | 17:22
Updated At:02 Aug, 2024 | 04:33
Rejected At:
▼CVE Numbering Authority (CNA)
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

Affected Products
Vendor
argoproj
Product
argo-cd
Versions
Affected
  • >= 1.0.0, < 2.9.20
  • >= 2.10.0, < 2.10.15
  • >= 2.11.0, < 2.11.6
Problem Types
TypeCWE IDDescription
CWECWE-400CWE-400: Uncontrolled Resource Consumption
Type: CWE
CWE ID: CWE-400
Description: CWE-400: Uncontrolled Resource Consumption
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
x_refsource_CONFIRM
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
x_refsource_MISC
Hyperlink: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
Resource:
x_refsource_MISC
Hyperlink: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
Resource:
x_refsource_MISC
Hyperlink: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
argoproj
Product
argo-cd
CPEs
  • cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 1.0.0 before 2.9.20 (custom)
  • From 2.10.0 before 2.10.15 (custom)
  • From 2.11.0 before 2.11.6 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
x_refsource_CONFIRM
x_transferred
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
x_refsource_MISC
x_transferred
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
x_refsource_MISC
x_transferred
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:22 Jul, 2024 | 18:15
Updated At:09 Jan, 2025 | 16:55

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches

argoproj
argoproj
>>argo_cd>>Versions from 1.0.0(inclusive) to 2.9.20(exclusive)
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
argoproj
argoproj
>>argo_cd>>Versions from 2.10.0(inclusive) to 2.10.15(exclusive)
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
argoproj
argoproj
>>argo_cd>>Versions from 2.11.0(inclusive) to 2.11.6(exclusive)
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-400Secondarysecurity-advisories@github.com
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE ID: CWE-400
Type: Secondary
Source: security-advisories@github.com
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdcsecurity-advisories@github.com
Patch
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36security-advisories@github.com
Patch
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4dfsecurity-advisories@github.com
Patch
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3wsecurity-advisories@github.com
Exploit
Vendor Advisory
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdcaf854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4dfaf854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3waf854a3a-2127-422b-91ae-364da2661108
Exploit
Vendor Advisory
Hyperlink: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1345Records found

CVE-2022-31054
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.49% / 71.02%
||
7 Day CHG+0.04%
Published-13 Jun, 2022 | 19:40
Updated-23 Apr, 2025 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uses of deprecated API can be used to cause DoS in user-facing endpoints in Argo Events

Argo Events is an event-driven workflow automation framework for Kubernetes. Prior to version 1.7.1, several `HandleRoute` endpoints make use of the deprecated `ioutil.ReadAll()`. `ioutil.ReadAll()` reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service. A patch for this vulnerability has been released in Argo Events version 1.7.1.

Action-Not Available
Vendor-argo_events_projectargoproj
Product-argo_eventsargo-events
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-59538
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.55% / 41.91%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 21:09
Updated-07 Oct, 2025 | 14:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argo CD is Vulnerable to Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. For versions 2.9.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.6 and 3.0.17, when the webhook.azuredevops.username and webhook.azuredevops.password are not set in the default configuration, the /api/webhook endpoint crashes the entire argocd-server process when it receives an Azure DevOps Push event whose JSON array resource.refUpdates is empty. The slice index [0] is accessed without a length check, causing an index-out-of-range panic. A single unauthenticated HTTP POST is enough to kill the process. This issue is resolved in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-248
Uncaught Exception
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CVE-2024-21661
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.18% / 63.78%
||
7 Day CHG~0.00%
Published-18 Mar, 2024 | 18:32
Updated-09 Jan, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Action-Not Available
Vendor-argoprojargoprojargoproj
Product-argo_cdargo-cdargo-cd
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-42294
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-0.61% / 44.73%
||
7 Day CHG+0.06%
Published-09 May, 2026 | 03:45
Updated-30 Jun, 2026 | 12:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5.

Action-Not Available
Vendor-argoprojargoprojRed Hat, Inc.
Product-argo_workflowsargo-workflowsRed Hat OpenShift AI (RHOAI)
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-59531
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.55% / 41.91%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 20:49
Updated-07 Oct, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CVE-2025-59537
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.70%
||
7 Day CHG~0.00%
Published-01 Oct, 2025 | 21:01
Updated-07 Oct, 2025 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
argo-cd is vulnerable to unauthenticated DoS attack via malformed Gogs webhook payload

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. With the default configuration, no webhook.gogs.secret set, Argo CD’s /api/webhook endpoint will crash the entire argocd-server process when it receives a Gogs push event whose JSON field commits[].repo is not set or is null. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2024-29893
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.97% / 57.65%
||
7 Day CHG~0.00%
Published-29 Mar, 2024 | 15:07
Updated-09 Jan, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-31016
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.83% / 53.10%
||
7 Day CHG~0.00%
Published-25 Jun, 2022 | 07:40
Updated-23 Apr, 2025 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Argo CD vulnerable to Uncontrolled Memory Consumption

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-32476
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.00% / 58.75%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 15:24
Updated-09 Jan, 2025 | 16:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service via malicious jqPathExpressions in ignoreDifferences

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

Action-Not Available
Vendor-argoprojargoprojargoproj
Product-argo_cdargo-cdargo-cd
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-40584
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.18% / 63.78%
||
7 Day CHG~0.00%
Published-07 Sep, 2023 | 22:14
Updated-26 Sep, 2024 | 14:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service to Argo CD repo-server

Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. A patch for this vulnerability has been released in versions 2.6.15, 2.7.14, and 2.8.3. Users are advised to upgrade. The only way to completely resolve the issue is to upgrade, however users unable to upgrade should configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.

Action-Not Available
Vendor-argoprojargoproj
Product-argo_cdargo-cd
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-29260
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.95% / 56.82%
||
7 Day CHG+0.04%
Published-02 Sep, 2022 | 22:14
Updated-04 Aug, 2024 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().

Action-Not Available
Vendor-libvncserver_projectn/aDebian GNU/Linux
Product-libvncserverdebian_linuxn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2018-19160
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 66.88%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 20:09
Updated-05 Aug, 2024 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Diamond through 3.0.1.2 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.

Action-Not Available
Vendor-bit.diamondsn/a
Product-diamondn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-26151
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.3||MEDIUM
EPSS-1.03% / 59.55%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 05:00
Updated-20 Sep, 2024 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.

Action-Not Available
Vendor-freeopcuan/a
Product-opcua-asyncioasyncua
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2023-21557
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-7.5||HIGH
EPSS-2.03% / 78.66%
||
7 Day CHG~0.00%
Published-10 Jan, 2023 | 00:00
Updated-01 Jan, 2025 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-windows_10_21h2windows_10_1809windows_server_2016windows_server_2012windows_server_2008windows_8.1windows_rt_8.1windows_11_21h2windows_7windows_10_22h2windows_server_2022windows_10_20h2windows_11_22h2windows_server_2019windows_10_1607Windows Server 2022Windows 10 Version 1607Windows 11 version 22H2Windows Server 2019 (Server Core installation)Windows Server 2008 Service Pack 2Windows 10 Version 1809Windows Server 2016 (Server Core installation)Windows 11 version 21H2Windows 8.1Windows 7Windows Server 2012 (Server Core installation)Windows 7 Service Pack 1Windows 10 Version 20H2Windows Server 2016Windows 10 Version 1507Windows 10 Version 21H2Windows Server 2008 R2 Service Pack 1Windows Server 2008 Service Pack 2 (Server Core installation)Windows Server 2008 R2 Service Pack 1 (Server Core installation)Windows Server 2012 R2Windows Server 2019Windows Server 2012Windows Server 2008 Service Pack 2Windows Server 2012 R2 (Server Core installation)Windows 10 Version 22H2
CWE ID-CWE-190
Integer Overflow or Wraparound
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2018-19155
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 66.88%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 20:06
Updated-05 Aug, 2024 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

navcoin through 4.3.0 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.

Action-Not Available
Vendor-navcoinn/a
Product-navcoinn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-26509
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.12% / 62.13%
||
7 Day CHG+0.30%
Published-03 Jul, 2023 | 00:00
Updated-27 Nov, 2024 | 17:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

AnyDesk 7.0.8 allows remote Denial of Service.

Action-Not Available
Vendor-anydeskn/a
Product-anydeskn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-41989
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.20% / 64.44%
||
7 Day CHG~0.00%
Published-07 Aug, 2024 | 00:00
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

Action-Not Available
Vendor-n/aDjango
Product-djangon/adjango
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20259
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.6||HIGH
EPSS-0.61% / 44.98%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 16:13
Updated-02 Aug, 2024 | 09:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in an API endpoint of multiple Cisco Unified Communications Products could allow an unauthenticated, remote attacker to cause high CPU utilization, which could impact access to the web-based management interface and cause delays with call processing. This API is not used for device management and is unlikely to be used in normal operations of the device. This vulnerability is due to improper API authentication and incomplete validation of the API request. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to high CPU utilization, which could negatively impact user traffic and management access. When the attack stops, the device will recover without manual intervention.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unity_connectionprime_collaboration_deploymentunified_communications_managerunified_communications_manager_im_\&_presence_serviceemergency_responderCisco Emergency ResponderCisco Unified Communications ManagerCisco Prime Collaboration DeploymentCisco Unity ConnectionCisco Unified Communications Manager IM and Presence Service
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-41818
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.83% / 53.04%
||
7 Day CHG~0.00%
Published-29 Jul, 2024 | 15:56
Updated-11 Oct, 2024 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ReDOS at currency parsing fast-xml-parser

fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.

Action-Not Available
Vendor-fast-xml-parser_projectNaturalIntelligencenaturalintelligence
Product-fast-xml-parserfast-xml-parserfast_xml_parser
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2023-20883
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-7.5||HIGH
EPSS-0.90% / 55.42%
||
7 Day CHG~0.00%
Published-26 May, 2023 | 00:00
Updated-16 Jan, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Action-Not Available
Vendor-n/aVMware (Broadcom Inc.)
Product-spring_bootSpring Boot
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-26302
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.87% / 54.27%
||
7 Day CHG~0.00%
Published-23 Dec, 2022 | 23:03
Updated-14 Apr, 2025 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever." This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.

Action-Not Available
Vendor-is.js_projectarasatasaygin
Product-is.jsis.js
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2024-42481
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.48% / 37.69%
||
7 Day CHG~0.00%
Published-12 Aug, 2024 | 15:30
Updated-16 Sep, 2024 | 17:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Complete crash of host system due to calculateDirectorySize in skyportd

Skyport Daemon (skyportd) is the daemon for the Skyport Panel. By making thousands of folders & files (easy due to skyport's lack of rate limiting on createFolder. createFile), skyportd in a lot of cases will cause 100% CPU usage and an OOM, probably crashing the system. This is fixed in 0.2.2.

Action-Not Available
Vendor-skyportskyportlabsskyportlabs
Product-skyportdskyportdskyportd
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-42969
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.39%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-16 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda FH1206 v02.03.01.35 was discovered to contain a stack overflow via the page parameter in the fromSafeUrlFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-fh1206_firmwarefh1206n/afh1206_firmware
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-42943
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.68% / 47.98%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-16 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the PPPOEPassword parameter in the fromAdvSetWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-fh1201_firmwarefh1201n/afh1201_firmware
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-19154
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 66.88%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 20:05
Updated-05 Aug, 2024 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTMLCOIN through 2.12 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service. The attacker sends invalid headers/blocks. The attack requires no stake and can fill the victim's disk and RAM.

Action-Not Available
Vendor-htmlcoinn/a
Product-htmlcoinn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-42950
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.55% / 42.14%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-21 Aug, 2024 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the Go parameter in the fromSafeClientFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-fh1201_firmwarefh1201n/afh1201_firmware
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-42951
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.39%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 00:00
Updated-16 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the mit_pptpusrpw parameter in the fromWizardHandle function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Action-Not Available
Vendor-n/aTenda Technology Co., Ltd.
Product-fh1201_firmwarefh1201n/afh1201_firmware
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-9563
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-7.5||HIGH
EPSS-0.37% / 28.60%
||
7 Day CHG~0.00%
Published-02 Jul, 2026 | 07:33
Updated-02 Jul, 2026 | 12:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Parsson
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-19156
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.30% / 66.88%
||
7 Day CHG~0.00%
Published-05 Nov, 2019 | 20:07
Updated-05 Aug, 2024 | 11:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PIVX through 3.1.03 (a chain-based proof-of-stake cryptocurrency) allows a remote denial of service, exploitable by an attacker who acquires even a small amount of stake/coins in the system. The attacker sends invalid headers/blocks, which are stored on the victim's disk.

Action-Not Available
Vendor-pivxn/a
Product-pivxn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-21061
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.5||HIGH
EPSS-0.29% / 20.72%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-20 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Product: AndroidVersions: Android kernelAndroid ID: A-229255400References: N/A

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20014
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.02%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 15:24
Updated-02 Aug, 2024 | 08:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the DNS functionality of Cisco Nexus Dashboard Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the improper processing of DNS requests. An attacker could exploit this vulnerability by sending a continuous stream of DNS requests to an affected device. A successful exploit could allow the attacker to cause the coredns service to stop working or cause the device to reload, resulting in a DoS condition.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-nexus_dashboardCisco Nexus Dashboard
CWE ID-CWE-399
Not Available
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-41946
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.19% / 64.24%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 14:22
Updated-03 Nov, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
REXML DoS vulnerability

REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Action-Not Available
Vendor-Ruby
Product-rexmlrexmlrexml
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-42651
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.42% / 33.54%
||
7 Day CHG+0.02%
Published-29 Jul, 2025 | 00:00
Updated-06 Aug, 2025 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NanoMQ v0.17.9 was discovered to contain a heap use-after-free vulnerability via the component sub_Ctx_handle. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SUBSCRIBE message.

Action-Not Available
Vendor-emqxn/a
Product-nanomqn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20155
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.45%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 16:48
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in a logging API in Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to cause the device to become unresponsive or trigger an unexpected reload. This vulnerability could also allow an attacker with valid user credentials, but not Administrator privileges, to view a system log file that they would not normally have access to. This vulnerability is due to a lack of rate-limiting of requests that are sent to a specific API that is related to an FMC log. An attacker could exploit this vulnerability by sending a high rate of HTTP requests to the API. A successful exploit could allow the attacker to cause a denial of service (DoS) condition due to the FMC CPU spiking to 100 percent utilization or to the device reloading. CPU utilization would return to normal if the attack traffic was stopped before an unexpected reload was triggered.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-1992
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.3||MEDIUM
EPSS-4.62% / 90.57%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 00:00
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 allows denial of service via packet injection or crafted capture file

Action-Not Available
Vendor-Fedora ProjectDebian GNU/LinuxWireshark Foundation
Product-fedoradebian_linuxwiresharkWireshark
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-1580
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.17%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 17:49
Updated-25 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Uncontrolled resource consumption in the logging feature in Devolutions Gateway 2023.1.1 and earlier allows an attacker to cause a denial of service by filling up the disk and render the system unusable.

Action-Not Available
Vendor-Devolutions
Product-devolutions_gatewayGateway
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-1605
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.99% / 58.29%
||
7 Day CHG-0.01%
Published-23 Mar, 2023 | 00:00
Updated-25 Feb, 2025 | 19:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in radareorg/radare2

Denial of Service in GitHub repository radareorg/radare2 prior to 5.8.6.

Action-Not Available
Vendor-Radare2 (r2)
Product-radare2radareorg/radare2
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-1733
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.8||MEDIUM
EPSS-1.24% / 65.59%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-10 Feb, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-20051
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.87% / 54.27%
||
7 Day CHG~0.00%
Published-05 Apr, 2023 | 00:00
Updated-28 Oct, 2024 | 16:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Packet Data Network Gateway IPsec ICMP Denial of Service Vulnerability

A vulnerability in the Vector Packet Processor (VPP) of Cisco Packet Data Network Gateway (PGW) could allow an unauthenticated, remote attacker to stop ICMP traffic from being processed over an IPsec connection. This vulnerability is due to the VPP improperly handling a malformed packet. An attacker could exploit this vulnerability by sending a malformed Encapsulating Security Payload (ESP) packet over an IPsec connection. A successful exploit could allow the attacker to stop ICMP traffic over an IPsec connection and cause a denial of service (DoS).

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-asr_5000packet_data_network_gatewayasr_5500asr_5700Cisco ASR 5000 Series Software
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-41727
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-8.7||HIGH
EPSS-0.48% / 38.03%
||
7 Day CHG~0.00%
Published-14 Aug, 2024 | 14:32
Updated-20 Aug, 2024 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BIG-IP TMM vulnerability

In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed traffic can cause an increase in memory resource utilization.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-F5, Inc.
Product-big-ip_automation_toolchainbig-ip_webacceleratorbig-ip_application_acceleration_managerbig-ip_ssl_orchestratorbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systembig-ip_application_security_managerr2000big-ip_edge_gatewaybig-ip_advanced_web_application_firewallbig-ip_carrier-grade_natbig-ip_link_controllerr4000big-ip_application_visibility_and_reportingbig-ip_container_ingress_servicesbig-ip_access_policy_managerbig-ip_websafebig-ip_advanced_firewall_managerbig-ip_ddos_hybrid_defenderBIG-IP
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-9137
Matching Score-4
Assigner-Computer Incident Response Center Luxembourg (CIRCL)
ShareView Details
Matching Score-4
Assigner-Computer Incident Response Center Luxembourg (CIRCL)
CVSS Score-5.1||MEDIUM
EPSS-0.36% / 28.50%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 18:43
Updated-22 Jun, 2026 | 19:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSP Report Endpoint Log Flooding in MISP via Incorrect Size Limit

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

Action-Not Available
Vendor-misp-projectmisp
Product-mispmisp
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2006-7229
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.80% / 84.75%
||
7 Day CHG~0.00%
Published-15 Nov, 2007 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The skge driver 1.5 in Linux kernel 2.6.15 on Ubuntu does not properly use the spin_lock and spin_unlock functions, which allows remote attackers to cause a denial of service (machine crash) via a flood of network traffic.

Action-Not Available
Vendor-n/aUbuntu
Product-linux_kerneln/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-0662
Matching Score-4
Assigner-PHP Group
ShareView Details
Matching Score-4
Assigner-PHP Group
CVSS Score-7.5||HIGH
EPSS-1.41% / 69.36%
||
7 Day CHG~0.00%
Published-16 Feb, 2023 | 06:24
Updated-18 Mar, 2025 | 14:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS vulnerability when parsing multipart request body

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

Action-Not Available
Vendor-The PHP Group
Product-phpPHP
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-0384
Matching Score-4
Assigner-M-Files Corporation
ShareView Details
Matching Score-4
Assigner-M-Files Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.80% / 52.30%
||
7 Day CHG~0.00%
Published-20 Apr, 2023 | 08:02
Updated-23 Feb, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consuption in M-Files Server

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled job.

Action-Not Available
Vendor-M-Files Oy
Product-m-files_serverM-Files Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-0518
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-1.22% / 64.92%
||
7 Day CHG~0.00%
Published-13 Feb, 2023 | 00:00
Updated-21 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2006-5708
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.01% / 58.87%
||
7 Day CHG~0.00%
Published-04 Nov, 2006 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple unspecified vulnerabilities in MDaemon and WorldClient in Alt-N Technologies MDaemon before 9.50 allow attackers to cause a denial of service (memory consumption) via unspecified vectors resulting in memory leaks.

Action-Not Available
Vendor-alt-nn/a
Product-mdaemonn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-4068
Matching Score-4
Assigner-Checkmarx
ShareView Details
Matching Score-4
Assigner-Checkmarx
CVSS Score-7.5||HIGH
EPSS-1.47% / 70.63%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 10:06
Updated-31 Dec, 2025 | 01:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Exhaustion in braces

The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Action-Not Available
Vendor-jonschlinkertmicromatchmicromatch
Product-bracesbracesbraces
CWE ID-CWE-1050
Excessive Platform Resource Consumption within a Loop
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-0383
Matching Score-4
Assigner-M-Files Corporation
ShareView Details
Matching Score-4
Assigner-M-Files Corporation
CVSS Score-7.5||HIGH
EPSS-0.85% / 53.76%
||
7 Day CHG~0.00%
Published-20 Apr, 2023 | 08:00
Updated-23 Feb, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncontrolled Resource Consuption in M-Files Server

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption.

Action-Not Available
Vendor-M-Files Oy
Product-m-files_serverM-Files Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-41123
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.28% / 66.58%
||
7 Day CHG~0.00%
Published-01 Aug, 2024 | 14:18
Updated-03 Nov, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
REXML DoS vulnerability

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Action-Not Available
Vendor-Ruby
Product-rexmlrexmlrexml
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2017-11521
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.33% / 81.47%
||
7 Day CHG~0.00%
Published-22 Jul, 2017 | 18:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SdpContents::Session::Medium::parse function in resip/stack/SdpContents.cxx in reSIProcate 1.10.2 allows remote attackers to cause a denial of service (memory consumption) by triggering many media connections.

Action-Not Available
Vendor-resiprocaten/aDebian GNU/Linux
Product-debian_linuxresiprocaten/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 26
  • 27
  • Next
Details not found