Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-68148

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-26 Dec, 2025 | 23:46
Updated At-29 Dec, 2025 | 16:51
Rejected At-
Credits

FreshRSS globally denies access to feed via proxy modifying to 429 Retry-After

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:26 Dec, 2025 | 23:46
Updated At:29 Dec, 2025 | 16:51
Rejected At:
▼CVE Numbering Authority (CNA)
FreshRSS globally denies access to feed via proxy modifying to 429 Retry-After

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.

Affected Products
Vendor
FreshRSS
Product
FreshRSS
Versions
Affected
  • >= 1.27.0, < 1.28.0
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
x_refsource_CONFIRM
https://github.com/FreshRSS/FreshRSS/pull/8029
x_refsource_MISC
https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3
x_refsource_MISC
Hyperlink: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/FreshRSS/FreshRSS/pull/8029
Resource:
x_refsource_MISC
Hyperlink: https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
exploit
Hyperlink: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:27 Dec, 2025 | 00:15
Updated At:31 Dec, 2025 | 21:16

FreshRSS is a free, self-hostable RSS aggregator. From version 1.27.0 to before 1.28.0, An attacker could globally deny access to feeds via proxy modifying to 429 Retry-After for a large list of feeds on given instance, making it unusable for majority of users. This issue has been patched in version 1.28.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches

freshrss
freshrss
>>freshrss>>Versions from 1.27.0(inclusive) to 1.28.0(exclusive)
cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Secondarysecurity-advisories@github.com
CWE ID: CWE-770
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3security-advisories@github.com
Patch
https://github.com/FreshRSS/FreshRSS/pull/8029security-advisories@github.com
Issue Tracking
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78security-advisories@github.com
Exploit
Patch
Vendor Advisory
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Patch
Vendor Advisory
Hyperlink: https://github.com/FreshRSS/FreshRSS/commit/7d4854a0a4f5665db599f18c34035786465639f3
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/FreshRSS/FreshRSS/pull/8029
Source: security-advisories@github.com
Resource:
Issue Tracking
Hyperlink: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
Source: security-advisories@github.com
Resource:
Exploit
Patch
Vendor Advisory
Hyperlink: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-qw34-frg7-gf78
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

888Records found

CVE-2022-22278
Matching Score-4
Assigner-SonicWall, Inc.
ShareView Details
Matching Score-4
Assigner-SonicWall, Inc.
CVSS Score-7.5||HIGH
EPSS-0.90% / 55.68%
||
7 Day CHG+0.03%
Published-27 Apr, 2022 | 16:25
Updated-03 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in SonicOS CFS (Content filtering service) returns a large 403 forbidden HTTP response message to the source address when users try to access prohibited resource this allows an attacker to cause HTTP Denial of Service (DoS) attack

Action-Not Available
Vendor-SonicWall Inc.
Product-nsv_200_firmwaretz670tz500wnssp_15700nsa_3700nsa_2700tz400tz500_firmwaretz470w_firmwaretz300p_firmwarensv_25_firmwarensv_100nssp_13700nssp_10700_firmwarensa_9450_firmwarensa_2650tz350w_firmwarenssp_12400tz400w_firmwarensv_270nsv_50_firmwarensa_9650_firmwarensv_50nsv_470nsv_400tz600p_firmwaretz670_firmwarensv_1600nsa_3700_firmwaretz600tz300w_firmwarensa_2700_firmwaretz300pnsa_2650_firmwaretz350tz570p_firmwarensv_300_firmwarenssp_15700_firmwarensa_6650_firmwarenssp_13700_firmwarenssp_12400_firmwarenssp_11700_firmwaretz370nssp_12800_firmwaretz470wnsv_10tz370wnsa_5650nsa_4700_firmwarensv_870tz470_firmwarensa_6700_firmwaretz600_firmwarenssp_10700nsv_10_firmwarensa_9650tz350_firmwarensa_4650_firmwarensv_100_firmwarensa_6700nsa_3650_firmwarensa_9250tz350wnsa_9450nsv_25tz300wtz570_firmwarensa_6650nssp_12800nsa_4650nssp_11700tz400wtz570nsv_400_firmwaretz470tz600pnsv_870_firmwaretz500w_firmwarensv_800_firmwarensa_3650nsa_5700nsv_200nsa_4700nsa_5700_firmwaretz370w_firmwaretz570wtz370_firmwaretz570pnsv_800nsv_470_firmwarensv_300nsa_9250_firmwarensv_1600_firmwaretz570w_firmwarensa_5650_firmwaretz500tz400_firmwarensv_270_firmwareSonicOS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-56223
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.43% / 34.81%
||
7 Day CHG+0.01%
Published-20 Oct, 2025 | 00:00
Updated-05 Jul, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.

Action-Not Available
Vendor-ascertian/a
Product-signinghubn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-21822
Matching Score-4
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-4
Assigner-NVIDIA Corporation
CVSS Score-7.5||HIGH
EPSS-1.04% / 60.21%
||
7 Day CHG+0.02%
Published-17 Mar, 2022 | 20:30
Updated-03 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA FLARE contains a vulnerability in the admin interface, where an un-authorized attacker can cause Allocation of Resources Without Limits or Throttling, which may lead to cause system unavailable.

Action-Not Available
Vendor-NVIDIA Corporation
Product-federated_learning_application_runtime_environmentNVIDIA FLARE
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-21716
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-3.51% / 87.89%
||
7 Day CHG-0.10%
Published-03 Mar, 2022 | 00:00
Updated-22 Apr, 2025 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Buffer Overflow in Twisted

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 < /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.

Action-Not Available
Vendor-twistedtwistedFedora ProjectDebian GNU/LinuxOracle Corporation
Product-http_serverdebian_linuxfedorazfs_storage_appliance_kittwistedtwisted
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-13306
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.7||LOW
EPSS-1.83% / 76.44%
||
7 Day CHG~0.00%
Published-14 Sep, 2020 | 21:28
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-13250
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.85% / 85.14%
||
7 Day CHG~0.00%
Published-11 Jun, 2020 | 19:16
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service. Fixed in 1.6.6 and 1.7.4.

Action-Not Available
Vendor-n/aHashiCorp, Inc.
Product-consuln/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-13114
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.30% / 81.38%
||
7 Day CHG~0.00%
Published-21 May, 2020 | 15:50
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in libexif before 0.6.22. An unrestricted size in handling Canon EXIF MakerNote data could lead to consumption of large amounts of compute time for decoding EXIF data.

Action-Not Available
Vendor-libexif_projectn/aCanonical Ltd.openSUSE
Product-ubuntu_linuxlibexifleapn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55102
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-8.7||HIGH
EPSS-0.36% / 28.20%
||
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:25
Updated-02 Apr, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_netx_duoEclipse ThreadX - NetX Duo
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-32031
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.56% / 42.70%
||
7 Day CHG~0.00%
Published-07 Apr, 2025 | 20:41
Updated-01 Aug, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass

Apollo Gateway provides utilities for combining multiple GraphQL microservices into a single GraphQL endpoint. Prior to 2.10.1, a vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. The query planner includes an optimization that significantly speeds up planning for applicable GraphQL selections. However, queries with deeply nested and reused named fragments can generate many selections where this optimization does not apply, leading to significantly longer planning times. Because the query planner does not enforce a timeout, a small number of such queries can render gateway inoperable. This could lead to excessive resource consumption and denial of service. This has been remediated in @apollo/gateway version 2.10.1.

Action-Not Available
Vendor-apollographqlapollographql
Product-apollo_gatewayfederation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-54939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.77% / 51.38%
||
7 Day CHG~0.00%
Published-01 Aug, 2025 | 00:00
Updated-27 Aug, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.

Action-Not Available
Vendor-litespeedtechlitespeedtech
Product-litespeed_web_adclsquicopenlitespeedlitespeed_web_serverLSQUIC
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55163
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.2||HIGH
EPSS-1.05% / 60.42%
||
7 Day CHG+0.07%
Published-13 Aug, 2025 | 14:17
Updated-04 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Netty MadeYouReset HTTP/2 DDoS Vulnerability

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

Action-Not Available
Vendor-The Netty Project
Product-nettynetty
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-54879
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.54% / 41.58%
||
7 Day CHG~0.00%
Published-05 Aug, 2025 | 23:39
Updated-26 Aug, 2025 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mastodon e‑mail throttle misconfiguration allows unlimited email confirmations against unconfirmed emails

Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.

Action-Not Available
Vendor-joinmastodonmastodon
Product-mastodonmastodon
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-55197
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.6||MEDIUM
EPSS-0.44% / 35.44%
||
7 Day CHG+0.03%
Published-13 Aug, 2025 | 23:03
Updated-15 Aug, 2025 | 20:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pypdf's Manipulated FlateDecode streams can exhaust RAM

pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.

Action-Not Available
Vendor-pypdf_projectpy-pdf
Product-pypdfpypdf
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-11612
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-9.44% / 94.87%
||
7 Day CHG~0.00%
Published-07 Apr, 2020 | 18:00
Updated-04 Aug, 2024 | 11:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Action-Not Available
Vendor-n/aThe Netty ProjectNetApp, Inc.Debian GNU/LinuxFedora ProjectOracle Corporation
Product-communications_cloud_native_core_service_communication_proxysiebel_core_-_server_frameworkdebian_linuxoncommand_api_servicescommunications_messaging_servernettynosql_databasecommunications_design_studiofedoraoncommand_workflow_automationcommunications_brm_-_elastic_charging_enginewebcenter_portaloncommand_insightn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-54320
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.16%
||
7 Day CHG+0.03%
Published-18 Nov, 2025 | 00:00
Updated-20 Nov, 2025 | 19:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating invite requests.

Action-Not Available
Vendor-ascertian/a
Product-signinghubn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53530
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.39% / 31.49%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 17:00
Updated-10 Jul, 2025 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA allows Uncontrolled Resource Consumption via the errorstr parameter

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53634
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.44% / 35.95%
||
7 Day CHG~0.00%
Published-10 Jul, 2025 | 19:39
Updated-14 Aug, 2025 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chall-Manager's HTTP Gateway have no header check timeout leading to potential slow loris attacks

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 1385bd8 and shipped in v0.1.4.

Action-Not Available
Vendor-ctfer-ioctfer-io
Product-chall-managerchall-manager
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53531
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.7||HIGH
EPSS-0.39% / 31.49%
||
7 Day CHG~0.00%
Published-07 Jul, 2025 | 17:02
Updated-10 Jul, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WeGIA allows Uncontrolled Resource Consumption via the fid parameter

WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0.

Action-Not Available
Vendor-wegiaLabRedesCefetRJ
Product-wegiaWeGIA
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-53629
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.51% / 39.84%
||
7 Day CHG~0.00%
Published-10 Jul, 2025 | 19:46
Updated-06 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
cpp-httplib Unbounded Memory Allocation in Chunked/No-Length Requests Vulnerability

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.23.0, incoming requests using Transfer-Encoding: chunked in the header can allocate memory arbitrarily in the server, potentially leading to its exhaustion. This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is related to CVE-2025-53628.

Action-Not Available
Vendor-yhiroseyhirose
Product-cpp-httplibcpp-httplib
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-10758
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-2.24% / 80.89%
||
7 Day CHG~0.00%
Published-16 Sep, 2020 | 15:05
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-single_sign-onopenshift_application_runtimeskeycloakKeycloak
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34396
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-5.47% / 91.86%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 07:50
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Struts: DoS via OOM owing to no sanity limit on normal form fields in multipart forms

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Action-Not Available
Vendor-The Apache Software Foundation
Product-strutsApache Struts
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-6516
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
ShareView Details
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
CVSS Score-7.5||HIGH
EPSS-1.10% / 61.90%
||
7 Day CHG~0.00%
Published-13 Feb, 2024 | 14:05
Updated-13 Feb, 2025 | 17:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Specific recursive query patterns may lead to an out-of-memory condition

To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the resolver is continuously processing query patterns triggering this type of cache-database maintenance, `named` may not be able to handle the cleanup events in a timely manner. This in turn enables the list of queued cleanup events to grow infinitely large over time, allowing the configured `max-cache-size` limit to be significantly exceeded. This issue affects BIND 9 versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1.

Action-Not Available
Vendor-NetApp, Inc.Internet Systems Consortium, Inc.
Product-bindactive_iq_unified_managerBIND 9bind
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34166
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-7.5||HIGH
EPSS-0.43% / 35.16%
||
7 Day CHG~0.00%
Published-19 Jun, 2023 | 00:00
Updated-12 Dec, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability of system restart triggered by abnormal callbacks passed to APIs.Successful exploitation of this vulnerability may cause the system to restart.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-emuiHarmonyOSEMUI
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-10364
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.59% / 83.59%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 15:56
Updated-04 Aug, 2024 | 10:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections, and cause a reboot via connect and write system calls, because of uncontrolled resource management.

Action-Not Available
Vendor-n/aMikroTik
Product-powerboxhex_sccr1036-12g-4sccr1036-8g-2s\+rb2011uias-rmccr1016-12s-1s\+rb2011il-inrouteroshex_poe_literb2011ils-inhex_poerb2011il-rmrb2011uias-inhexccr1009-7g-1c-1s\+pcccr1072-1g-8s\+rb1100ahx4rb3011uias-rmrb4011igs\+rmpowerbox_proccr1036-8g-2s\+emhex_liteccr1036-12g-4s-emccr1009-7g-1c-pcccr1016-12gccr1009-7g-1c-1s\+n/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34149
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-5.40% / 91.79%
||
7 Day CHG~0.00%
Published-14 Jun, 2023 | 07:48
Updated-13 Feb, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Struts: DoS via OOM owing to not properly checking of list bounds

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

Action-Not Available
Vendor-The Apache Software Foundation
Product-strutsApache Struts
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-15383
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-2.49% / 82.87%
||
7 Day CHG~0.00%
Published-05 Oct, 2018 | 14:00
Updated-26 Nov, 2024 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability

A vulnerability in the cryptographic hardware accelerator driver of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a temporary denial of service (DoS) condition. The vulnerability exists because the affected devices have a limited amount of Direct Memory Access (DMA) memory and the affected software improperly handles resources in low-memory conditions. An attacker could exploit this vulnerability by sending a sustained, high rate of malicious traffic to an affected device to exhaust memory on the device. A successful exploit could allow the attacker to exhaust DMA memory on the affected device, which could cause the device to reload and result in a temporary DoS condition.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-firepower_threat_defenseadaptive_security_appliance_softwareCisco Adaptive Security Appliance (ASA) Software
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2020-10705
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.19% / 64.51%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 19:29
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

Action-Not Available
Vendor-n/aRed Hat, Inc.NetApp, Inc.
Product-openshift_application_runtimesenterprise_linuxundertowjboss_enterprise_application_platformoncommand_insightUndertow
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-34455
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.76% / 75.51%
||
7 Day CHG~0.00%
Published-15 Jun, 2023 | 17:15
Updated-13 Feb, 2025 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
snappy-java's unchecked chunk length leads to DoS

snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk. In the case that the `compressed` variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the `chunkSize` variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error. Version 1.1.10.1 contains a patch for this issue.

Action-Not Available
Vendor-xerialxerial
Product-snappy-javasnappy-java
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-3246
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 41.06%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 12:01
Updated-20 Nov, 2025 | 04:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-3171
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.85% / 54.10%
||
7 Day CHG~0.00%
Published-27 Dec, 2023 | 15:45
Updated-02 Aug, 2024 | 06:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eap-7: heap exhaustion via deserialization

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_enterprise_application_platformenterprise_linuxRed Hat JBoss Enterprise Application Platform 7.4 on RHEL 7EAP 7.4.13Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32186
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-7.5||HIGH
EPSS-0.58% / 43.77%
||
7 Day CHG~0.00%
Published-19 Sep, 2023 | 09:32
Updated-25 Sep, 2024 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Allocation of Resources Without Limits or Throttling vulnerability in SUSE RKE2 allows attackers with access to K3s servers apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects RKE2: from 1.24.0 before 1.24.17+rke2r1, from v1.25.0 before v1.25.13+rke2r1, from v1.26.0 before v1.26.8+rke2r1, from v1.27.0 before v1.27.5+rke2r1, from v1.28.0 before v1.28.1+rke2r1.

Action-Not Available
Vendor-SUSE
Product-rancher_rke2RKE2rke2
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-52494
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 25.24%
||
7 Day CHG~0.00%
Published-03 Sep, 2025 | 00:00
Updated-08 Sep, 2025 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.

Action-Not Available
Vendor-adacoren/a
Product-ada_web_servern/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-47791
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-4.6||MEDIUM
EPSS-0.47% / 37.47%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 23:25
Updated-30 Jan, 2026 | 00:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service

SmartFTP Client 10.0.2909.0 contains multiple denial of service vulnerabilities that allow attackers to crash the application through specific input manipulation. Attackers can trigger crashes by entering malformed paths, using invalid IP addresses, or clearing connection history in the client's interface.

Action-Not Available
Vendor-smartftpSmartftp
Product-smartftpSmartFTP Client
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-32187
Matching Score-4
Assigner-SUSE
ShareView Details
Matching Score-4
Assigner-SUSE
CVSS Score-7.5||HIGH
EPSS-0.60% / 44.98%
||
7 Day CHG~0.00%
Published-18 Sep, 2023 | 12:04
Updated-25 Sep, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Allocation of Resources Without Limits or Throttling vulnerability in SUSE k3s allows attackers with access to K3s servers' apiserver/supervisor port (TCP 6443) cause denial of service. This issue affects k3s: from v1.24.0 before v1.24.17+k3s1, from v1.25.0 before v1.25.13+k3s1, from v1.26.0 before v1.26.8+k3s1, from sev1.27.0 before v1.27.5+k3s1, from v1.28.0 before v1.28.1+k3s1.

Action-Not Available
Vendor-k3sk3sSUSE
Product-k3sk3sk3s
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-30636
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.95% / 57.42%
||
7 Day CHG~0.00%
Published-13 Apr, 2023 | 00:00
Updated-07 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TiKV 6.1.2 allows remote attackers to cause a denial of service (fatal error, with RpcStatus UNAVAILABLE for "not leader") upon an attempt to start a node in a situation where the context deadline is exceeded

Action-Not Available
Vendor-tikvn/a
Product-tikvn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-5963
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.48% / 38.56%
||
7 Day CHG~0.00%
Published-06 Nov, 2023 | 12:18
Updated-04 Jun, 2026 | 04:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-5419
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-8.67% / 94.53%
||
7 Day CHG~0.00%
Published-27 Mar, 2019 | 13:43
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

Action-Not Available
Vendor-Fedora ProjectDebian GNU/LinuxRuby on RailsopenSUSERed Hat, Inc.
Product-debian_linuxsoftware_collectionsfedoracloudformsrailsleaphttps://github.com/rails/rails
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-30551
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.44%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 15:52
Updated-29 Jan, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rekor's compressed archives can result in OOM conditions

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

Action-Not Available
Vendor-sigstoreThe Linux Foundation
Product-rekorrekor
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-30455
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.38%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 00:00
Updated-30 Jan, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in ebankIT before 7. A Denial-of-Service attack is possible through the GET parameter EStatementsIds located on the /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint. The GET parameter accepts over 100 comma-separated e-statement IDs without throwing an error. When this many IDs are supplied, the server takes around 60 seconds to respond and successfully generate the expected ZIP archive (during this time period, no other pages load). A threat actor could issue a request to this endpoint with 100+ statement IDs every 30 seconds, potentially resulting in an overload of the server for all users.

Action-Not Available
Vendor-ebankitn/a
Product-ebankitn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-5439
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-0.43% / 34.53%
||
7 Day CHG~0.00%
Published-09 Apr, 2026 | 14:44
Updated-15 Apr, 2026 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Exhaustion via Forged ZIP Metadata

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

Action-Not Available
Vendor-orthanc-serverOrthanc
Product-orthancDICOM Server
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-29779
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.23% / 65.58%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-03 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sengled Dimmer Switch V0.0.9 contains a denial of service (DOS) vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes. After receiving the malicious command, the device will keep reporting its status and finally drain its battery after receiving the 'Set_short_poll_interval' command.

Action-Not Available
Vendor-sengledn/a
Product-e1e-g7fe1e-g7f_firmwaren/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-54365
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-8.7||HIGH
EPSS-0.57% / 43.22%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 12:12
Updated-15 Jul, 2026 | 02:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Traefik - Denial of Service via HTTP/2 Request Handling

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.

Action-Not Available
Vendor-traefikTraefikRed Hat, Inc.Go
Product-traefikopenshift_aigoTraefikRed Hat OpenShift AI (RHOAI)Red Hat OpenShift Dev Spaces
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-5739
Matching Score-4
Assigner-Node.js
ShareView Details
Matching Score-4
Assigner-Node.js
CVSS Score-7.5||HIGH
EPSS-5.05% / 91.35%
||
7 Day CHG~0.00%
Published-28 Mar, 2019 | 16:27
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

Action-Not Available
Vendor-openSUSENode.js (OpenJS Foundation)
Product-node.jsleapNode.js
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-28356
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-0.72% / 49.71%
||
7 Day CHG~0.00%
Published-11 May, 2023 | 00:00
Updated-27 Jan, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.Chat
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-28338
Matching Score-4
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-4
Assigner-Tenable Network Security, Inc.
CVSS Score-7.5||HIGH
EPSS-0.63% / 46.00%
||
7 Day CHG~0.00%
Published-15 Mar, 2023 | 00:00
Updated-27 Feb, 2025 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Any request send to a Netgear Nighthawk Wifi6 Router (RAX30)'s web service containing a “Content-Type” of “multipartboundary=” will result in the request body being written to “/tmp/mulipartFile” on the device itself. A sufficiently large file will cause device resources to be exhausted, resulting in the device becoming unusable until it is rebooted.

Action-Not Available
Vendor-n/aNETGEAR, Inc.
Product-rax30_firmwarerax30NETGEAR Nighthawk WiFi6 Router (RAX30)
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-28882
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.73% / 50.16%
||
7 Day CHG~0.00%
Published-28 Apr, 2023 | 00:00
Updated-03 Jul, 2025 | 20:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.

Action-Not Available
Vendor-owaspn/a
Product-modsecurityn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-5043
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-5.3||MEDIUM
EPSS-0.67% / 47.98%
||
7 Day CHG~0.00%
Published-31 Oct, 2019 | 20:02
Updated-04 Aug, 2024 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An exploitable denial-of-service vulnerability exists in the Weave daemon of the Nest Cam IQ Indoor, version 4620002. A set of TCP connections can cause unrestricted resource allocation, resulting in a denial of service. An attacker can connect multiple times to trigger this vulnerability.

Action-Not Available
Vendor-n/aGoogle LLC
Product-nest_cam_iq_indoor_firmwarenest_cam_iq_indoorNest Labs
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-51846
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-8.7||HIGH
EPSS-0.58% / 43.76%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 16:35
Updated-04 May, 2026 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CryptPad unbounded WebSocket frame flood

CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.

Action-Not Available
Vendor-CryptPadXWiki SAS
Product-cryptpadCryptPad
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-28104
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-1.05% / 60.61%
||
7 Day CHG~0.00%
Published-16 Mar, 2023 | 15:25
Updated-25 Feb, 2025 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
silverstripe/graphql Denial of Service vulnerability

`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.

Action-Not Available
Vendor-Silverstripe
Product-graphqlsilverstripe-graphql
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-28119
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.96% / 57.49%
||
7 Day CHG~0.00%
Published-22 Mar, 2023 | 19:51
Updated-25 Feb, 2025 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb

The crewjam/saml go library contains a partial implementation of the SAML standard in golang. Prior to version 0.4.13, the package's use of `flate.NewReader` does not limit the size of the input. The user can pass more than 1 MB of data in the HTTP request to the processing functions, which will be decompressed server-side using the Deflate algorithm. Therefore, after repeating the same request multiple times, it is possible to achieve a reliable crash since the operating system kills the process. This issue is patched in version 0.4.13.

Action-Not Available
Vendor-saml_projectcrewjam
Product-samlsaml
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 17
  • 18
  • Next
Details not found