
CWE-405 (Asymmetric Resource Consumption (Amplification)) — Vulnerability Class 33

33 vulnerabilities classified as CWE-405 (Asymmetric Resource Consumption (Amplification)). AI Chinese analysis included.

CWE-405 is an asymmetric resource consumption weakness: an attacker triggers disproportionate resource usage on the system without expending equivalent effort of their own. It is typically exploited through amplification attacks, such as reflection or protocol-based abuse, where a small input causes the system to generate a large volume of responses or processing work. The resulting non-linear resource spike often leads to denial-of-service conditions, degrading performance for legitimate users or crashing the system outright. To mitigate this risk, developers should implement strict rate limiting, enforce request quotas, and validate input complexity before processing. Resource caps, timeouts, and efficient algorithmic design further ensure that external inputs cannot disproportionately affect system stability, preserving availability and denying attackers the asymmetry they rely on.

MITRE CWE Description
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Common Consequences (1)
- Scope: Availability. Impact: DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other). Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
Mitigations (3)
- Phase: Architecture and Design. An application must make resources available to a client commensurate with the client's access level.
- Phase: Architecture and Design. An application must, at all times, keep track of allocated resources and meter their usage appropriately.
- Phase: System Configuration. Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange. Effectiveness: High.
Examples (2)
This code listens on a port for DNS requests and sends the result to the requesting address.
```python
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind((UDP_IP, UDP_PORT))  # UDP_IP / UDP_PORT are configured elsewhere in the MITRE listing
while True:
    data = sock.recvfrom(1024)
    if not data:
        break
    # parseUDPpacket, resolveName and sendResponse are helpers assumed by the MITRE listing
    (requestIP, nameToResolve) = parseUDPpacket(data)
    record = resolveName(nameToResolve)
    # Every request, from any source and at any rate, gets a full response:
    # a small query can be turned into a much larger answer sent to the address in the packet.
    sendResponse(requestIP, record)
```
Bad · Python
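The following is an added example, not code from the MITRE listing or from this page, showing a hardened counterpart to the UDP responder above that applies the two Architecture and Design mitigations listed earlier (metering per-client usage, and not handing out more resources than a client's standing warrants). It puts a per-source token bucket in front of the expensive resolve step and caps the response-to-request size ratio, so a small query cannot be reflected as a large answer. All names, constants and the `resolve` callback are assumptions; the rate and amplification limits are illustrative policy values.

```python
# Added example (not from MITRE or the page): hardened UDP responder.
# Two controls address the asymmetry:
#  1. a per-source token bucket, checked BEFORE any resolution work, so an
#     over-quota source costs almost nothing and gets no reply;
#  2. an amplification-factor cap, so a reply larger than max_factor x the
#     request is replaced by a short "truncated" marker instead of reflected.
import socket
import time
from collections import defaultdict
from typing import Callable, Dict, Optional

MAX_AMPLIFICATION = 4.0    # assumed policy: reply may be at most 4x the request size
BUCKET_CAPACITY = 20       # assumed policy: burst of 20 queries per source
REFILL_PER_SECOND = 5.0    # assumed policy: sustained 5 queries/second per source
TRUNCATED_REPLY = b"TC"    # constructed stand-in for a truncated answer (client should retry over TCP)


class TokenBucket:
    """Per-source rate limiter; tokens refill continuously up to capacity."""

    def __init__(self, capacity: int, refill_per_second: float,
                 now: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.now = now  # injectable clock so the limiter can be tested deterministically
        self.tokens: Dict[str, float] = defaultdict(lambda: float(capacity))
        self.last: Dict[str, float] = {}

    def allow(self, source: str) -> bool:
        t = self.now()
        elapsed = t - self.last.get(source, t)
        self.last[source] = t
        self.tokens[source] = min(self.capacity, self.tokens[source] + elapsed * self.refill)
        if self.tokens[source] >= 1.0:
            self.tokens[source] -= 1.0
            return True
        return False


def shape_response(request_len: int, response: bytes,
                   max_factor: float = MAX_AMPLIFICATION) -> bytes:
    """Refuse to reflect a reply larger than max_factor x the request size."""
    if request_len <= 0:
        return TRUNCATED_REPLY
    if len(response) / request_len > max_factor:
        return TRUNCATED_REPLY
    return response


def handle_datagram(data: bytes, source_ip: str, bucket: TokenBucket,
                    resolve: Callable[[bytes], bytes]) -> Optional[bytes]:
    """Return the bytes to send back, or None when the request is dropped.

    The rate-limit check runs before the (expensive) resolve call, so the
    attacker's cost and the server's cost stay roughly proportional.
    """
    if not bucket.allow(source_ip):
        return None  # drop silently: no work done, nothing reflected
    record = resolve(data)
    return shape_response(len(data), record)


def serve(udp_ip: str, udp_port: int, resolve: Callable[[bytes], bytes]) -> None:
    """Stand-alone loop mirroring the original responder, with the controls applied.

    Replies go to the datagram's actual source address as reported by the
    socket, not to an address parsed out of the payload.
    """
    bucket = TokenBucket(BUCKET_CAPACITY, REFILL_PER_SECOND)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((udp_ip, udp_port))
    while True:
        data, (addr, port) = sock.recvfrom(1024)
        reply = handle_datagram(data, addr, bucket, resolve)
        if reply is not None:
            sock.sendto(reply, (addr, port))
```

The "truncated" marker is the same idea DNS servers use in Response Rate Limiting: instead of reflecting a large answer, an over-quota reply is shortened so that a legitimate client falls back to TCP, where the source address is verified by the handshake, while a spoofed source gets nothing worth amplifying.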
This function prints the contents of a specified file requested by a user.
```php
<?php
function printFile($username, $filename) {
    // read file into string. The read happens BEFORE the authorization check,
    // so the expensive work is done even for callers who may not view the file.
    $file = file_get_contents($filename);
    if ($file && isOwnerOf($username, $filename)) {
        echo $file;
        return true;
    } else {
        echo 'You are not authorized to view this file';
    }
    return false;
}
```
Bad · PHP
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-35665 | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | OpenClaw | 5.3 | Medium | 2026-04-10 |
| CVE-2026-35626 | OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook | OpenClaw | 5.3 | Medium | 2026-04-09 |
| CVE-2026-25611 | Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server | MongoDB Server | 7.5 | High | 2026-02-10 |
| CVE-2026-24324 | Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) | SAP BusinessObjects Business Intelligence Platform (AdminTools) | 6.5 | Medium | 2026-02-10 |
| CVE-2026-0485 | Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform | SAP BusinessObjects BI Platform | 7.5 | High | 2026-02-10 |
| CVE-2026-22775 | devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse | devalue | 7.5 | High | 2026-01-15 |
| CVE-2026-22774 | devalue vulnerable to denial of service due to memory exhaustion in devalue.parse | devalue | 7.5 | High | 2026-01-15 |
| CVE-2025-68480 | Marshmallow has DoS in Schema.load(many) | marshmallow | 5.3 | Medium | 2025-12-22 |
| CVE-2025-42876 | Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger) | SAP S/4 HANA Private Cloud (Financials General Ledger) | 7.1 | High | 2025-12-09 |
| CVE-2025-42874 | Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius) | SAP NetWeaver (remote service for Xcelsius) | 7.9 | High | 2025-12-09 |
| CVE-2025-42873 | Denial of Service (DoS) in SAPUI5 framework (Markdown-it component) | SAPUI5 framework (Markdown-it component) | 5.9 | Medium | 2025-12-09 |
| CVE-2025-66564 | Sigstore Timestamp Authority allocates excessive memory during request parsing | timestamp-authority | 7.5 | High | 2025-12-04 |
| CVE-2025-66506 | Fulcio allocates excessive memory during token parsing | fulcio | 7.5 | High | 2025-12-04 |
| CVE-2025-49643 | Frontend DoS vulnerability due to asymmetric resource consumption | Zabbix | 6.5 (AI) | Medium (AI) | 2025-12-01 |
| CVE-2025-8677 | Resource exhaustion via malformed DNSKEY handling | BIND 9 | 7.5 | High | 2025-10-22 |
| CVE-2025-26516 | CVE-2025-26516 Denial of Service Vulnerability in StorageGRID (formerly StorageGRID Webscale) | StorageGRID | 5.3 | Medium | 2025-09-19 |
| CVE-2025-31987 | HCL Connections Docs is vulnerable to a Denial of Service (DoS) attack | Connections Docs | 4.8 | Medium | 2025-08-14 |
| CVE-2025-53633 | Chall-Manager's scenario decoding process does not check for zip bombs | chall-manager | 9.1 (AI) | Critical (AI) | 2025-07-10 |
| CVE-2025-30204 | jwt-go allows excessive memory allocation during header parsing | jwt | 7.5 | High | 2025-03-21 |
| CVE-2024-11187 | Many records in the additional section cause CPU exhaustion | BIND 9 | 7.5 | High | 2025-01-29 |
| CVE-2025-24356 | UDP traffic amplification via fastd's fast reconnect feature | fastd | 7.5 | - | 2025-01-27 |
| CVE-2024-55628 | Suricata oversized resource names utilizing DNS name compression can lead to resource starvation | suricata | 7.5 | High | 2025-01-06 |
| CVE-2024-49363 | Uncontrolled Recursion and Asymmetric Resource Consumption (Amplification) in media/file proxy in Misskey | misskey | 7.4 | High | 2024-12-18 |
| CVE-2024-45590 | body-parser vulnerable to denial of service when url encoding is enabled | body-parser | 7.5 | High | 2024-09-10 |
| CVE-2024-40705 | IBM InfoSphere Information Server denial of service | InfoSphere Information Server | 6.5 | Medium | 2024-08-15 |
| CVE-2024-34702 | Botan has a Denial of Service Due to Excessive Name Constraints | botan | 5.3 | Medium | 2024-07-08 |
| CVE-2024-39743 | IBM MQ Container denial of service | MQ Operator | 5.9 | Medium | 2024-07-08 |
| CVE-2024-34703 | Botan Vulnerable to Denial of Service Due to Overly Large Elliptic Curve Parameters | botan | 7.5 | High | 2024-06-30 |
| CVE-2024-0450 | Quoted zip-bomb protection for zipfile | CPython | 6.2 | Medium | 2024-03-19 |
| CVE-2024-28214 | nGrinder security vulnerability | nGrinder | 7.5 (AI) | High (AI) | 2024-03-07 |

Vulnerabilities classified as CWE-405 (Asymmetric Resource Consumption (Amplification)) represent 33 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.