CWE-407 (Algorithmic Complexity): Vulnerability Class, 53 CVEs

53 vulnerabilities classified as CWE-407 (Algorithmic Complexity). AI-generated analysis (in Chinese) is included.

CWE-407 covers algorithms whose worst-case computational cost is far higher than their typical-case cost, and whose worst case an attacker can reach on demand. Crafted input that forces that worst case (a string that makes a backtracking regular expression explore exponentially many ways to match, or a stream that makes a parser rescan its whole pending buffer on every new chunk) burns CPU or memory on the server and degrades or denies service to legitimate users. The mitigation is mostly a design-time decision: choose data structures and algorithms whose cost stays bounded regardless of input shape, and where the algorithm cannot be bounded, bound the input instead (maximum length, maximum nesting, maximum number of repeated elements). Fuzzing and targeted tests with adversarial inputs (long runs without a terminator, repeated delimiters or headers, ambiguous patterns) surface these hot spots, and code review should flag any loop, validator or matcher whose work grows quadratically or exponentially with attacker-controlled input.
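A quadratic instance of the class, in the same shape as the "quadratic complexity in ... buffering" entries in the CVE list below, written here as an added illustration and not taken from the CWE entry or from any project on this page: a streaming line splitter that re-scans its whole pending buffer every time a chunk arrives, beside one that resumes from the last scanned offset and caps how much unterminated data it will hold. The function names, the constructed chunk data and the `maxPending` cap are assumptions of this example. It counts characters examined rather than wall-clock time so the growth is visible regardless of how the JS engine optimises string concatenation.

```javascript
// Added example (not from the CWE entry or any project listed on this page).
// Both splitters take a stream of chunks and emit complete '\n'-terminated
// lines; `comparisons` counts characters examined, which exposes the cost
// independently of the engine's rope/slice optimisations for strings.

// Quadratic: every chunk triggers a scan of the whole pending buffer from
// index 0. A client that never sends the terminator makes chunk i cost O(i).
function parseRescan(chunks) {
  let buf = '';
  const lines = [];
  let comparisons = 0;
  for (const chunk of chunks) {
    buf += chunk;
    let start = 0;
    for (let i = 0; i < buf.length; i++) {
      comparisons++;
      if (buf[i] === '\n') {
        lines.push(buf.slice(start, i));
        start = i + 1;
      }
    }
    buf = buf.slice(start); // keep only the unterminated tail
  }
  return { lines, remainder: buf, comparisons };
}

// Linear: remember how far the pending buffer has already been scanned so each
// character is examined once, and refuse to hold more than `maxPending`
// unterminated characters. The cap is the bound a parser needs when the
// attacker, not the parser, decides whether a terminator ever arrives.
function parseResume(chunks, maxPending = Infinity) {
  let buf = '';
  let scanned = 0; // buf[0..scanned) is already known to contain no '\n'
  const lines = [];
  let comparisons = 0;
  for (const chunk of chunks) {
    buf += chunk;
    let start = 0;
    for (let i = scanned; i < buf.length; i++) {
      comparisons++;
      if (buf[i] === '\n') {
        lines.push(buf.slice(start, i));
        start = i + 1;
      }
    }
    buf = buf.slice(start);
    scanned = buf.length; // the tail was just scanned and holds no '\n'
    if (buf.length > maxPending) {
      throw new RangeError(`unterminated line exceeds ${maxPending} characters`);
    }
  }
  return { lines, remainder: buf, comparisons };
}

// Constructed adversarial stream: `count` chunks of `size` characters and no
// newline anywhere, i.e. a client that keeps the line open forever.
function unterminatedChunks(count, size) {
  return Array.from({ length: count }, () => 'x'.repeat(size));
}

// Demonstration: characters examined grow with count^2 for parseRescan and
// with count for parseResume.
for (const count of [100, 200, 400]) {
  const chunks = unterminatedChunks(count, 10);
  console.log(
    `chunks=${count}: rescan=${parseRescan(chunks).comparisons} ` +
    `resume=${parseResume(chunks).comparisons}`
  );
}
```

Doubling the number of chunks quadruples the work in `parseRescan` and doubles it in `parseResume`; the `maxPending` argument is what turns "linear in whatever the client sends" into "bounded by the server's own policy", which is the property a DoS review is really after.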

MITRE CWE Description
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Common Consequences (1)
Scope: Availability. Impact: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other).
The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
Examples (1)
This example attempts to check if an input string is a "sentence" [REF-1164].

Bad · JavaScript
```javascript
// Bad: nested quantifier. On a long run of word characters that is not
// followed by end-of-string, the engine tries every way of splitting the run
// between iterations of the outer group: exponential backtracking (ReDoS).
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern); // -1: no match
```

Good · JavaScript
```javascript
// Good: the lookahead (?=(\w+)) captures the whole word and \2 then consumes
// exactly that text, so each word is matched once and cannot be re-split on
// backtracking (an atomic group emulated in JavaScript regex syntax).
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern); // -1: no match
```
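The two patterns above side by side on benign input and on an adversarial string of the form `aaaa...!` (a long run of word characters followed by one that can never match), plus a hand-written linear scanner that accepts the same language without any regex engine. This is an added example, not part of the CWE entry or of REF-1164; it runs under Node.js, and the timing helper, the `adversarial()` generator and all function names are this example's own.

```javascript
// Added example (not from the CWE entry or REF-1164). Node.js, no dependencies.

const BAD_PATTERN = /^(\w+\s?)*$/i;          // nested quantifier: a run of \w can be split many ways
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i; // lookahead + backreference: each word consumed atomically

// Does the whole string consist of \w runs, each optionally followed by one \s?
function isSentenceRegex(pattern, s) {
  return pattern.test(s);
}

// Same language as the two regexes, as an explicit O(n) scan: no backtracking
// is possible, whatever the input looks like.
function isSentenceLinear(s) {
  let i = 0;
  while (i < s.length) {
    const start = i;
    while (i < s.length && /\w/.test(s[i])) i++;
    if (i === start) return false;            // a word was required here
    if (i < s.length && /\s/.test(s[i])) i++; // at most one separator
  }
  return true;
}

// Wall-clock cost of one search, in microseconds.
function timeMicros(pattern, s) {
  const t0 = process.hrtime.bigint();
  pattern.test(s);
  return Number(process.hrtime.bigint() - t0) / 1000;
}

// Constructed adversarial input: n word characters that can be partitioned
// 2^(n-1) ways between iterations of the outer group, then a character that
// forces every partition to be tried and rejected.
function adversarial(n) {
  return 'a'.repeat(n) + '!';
}

// Demonstration: BAD_PATTERN roughly doubles per extra character, GOOD_PATTERN
// stays flat. n is kept small on purpose; the bad pattern is the bug.
for (const n of [14, 16, 18, 20]) {
  const bad = timeMicros(BAD_PATTERN, adversarial(n));
  const good = timeMicros(GOOD_PATTERN, adversarial(n));
  console.log(`n=${n}: bad=${bad.toFixed(0)}us good=${good.toFixed(0)}us`);
}
```

Do not push `n` much past the mid-twenties with `BAD_PATTERN`: each extra character doubles the work, which is exactly the property an attacker relies on. The hardened pattern and the linear scanner both reject an adversarial string tens of thousands of characters long in the time it takes to read it once; when reviewing a regex, the question to ask is whether any run of input can be matched by the same quantifiers in more than one way.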
CVSS and severity values marked (AI) are produced by the site's AI analysis rather than taken from the published CVSS record; "-" means no severity was given.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-45186 | libexpat < 2.8.1 XML input denial-of-service vulnerability | libexpat | 2.9 | Low | 2026-05-10 |
| CVE-2026-42245 | net-imap: Quadratic complexity when reading response literals | net-imap | 7.5 (AI) | High (AI) | 2026-05-09 |
| CVE-2026-43967 | Quadratic fragment-name uniqueness check causes denial of service in absinthe | absinthe | 7.5 (AI) | High (AI) | 2026-05-08 |
| CVE-2026-40476 | graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation | graphql-php | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | vikunja | 6.5 | Medium | 2026-04-10 |
| CVE-2026-6042 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity | libc | 3.3 | Low | 2026-04-10 |
| CVE-2026-33033 | Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload | Django | 5.3 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-34827 | Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser | rack | 7.5 | High | 2026-04-02 |
| CVE-2026-31937 | Suricata dcerpc: quadratic complexity in dcerpc buffering | suricata | 7.5 | High | 2026-04-02 |
| CVE-2026-31934 | Suricata smtp/mine: quadratic complexity in extracting urls | suricata | 7.5 | High | 2026-04-02 |
| CVE-2026-31933 | Suricata stream: quadratic complexity in stream inspection | suricata | 7.5 | High | 2026-04-02 |
| CVE-2026-31932 | Suricata krb5: quadratic complexity in krb5 buffering | suricata | 7.5 | High | 2026-04-02 |
| CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | parse-server | 7.5 (AI) | High (AI) | 2026-03-31 |
| CVE-2026-3988 | Inefficient Algorithmic Complexity in GitLab | GitLab | 7.5 | High | 2026-03-25 |
| CVE-2026-28804 | pypdf: Inefficient decoding of ASCIIHexDecode streams | pypdf | 6.5 | - | 2026-03-06 |
| CVE-2026-27903 | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | minimatch | 7.5 | High | 2026-02-26 |
| CVE-2025-14831 | Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification | Red Hat Enterprise Linux 10 | 5.3 | Medium | 2026-02-09 |
| CVE-2025-14550 | Potential denial-of-service vulnerability via repeated headers when using ASGI | Django | 7.5 | - | 2026-02-03 |
| CVE-2026-1285 | Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods | Django | 7.5 | - | 2026-02-03 |
| CVE-2025-14822 | DoS from quadratic complexity in model.ParseHashtags | Mattermost | 3.1 | Low | 2026-01-16 |
| CVE-2025-64460 | Potential denial-of-service vulnerability in XML serializer text extraction | Django | 7.5 (AI) | High (AI) | 2025-12-02 |
| CVE-2025-66382 | libexpat security vulnerability | libexpat | 2.9 | Low | 2025-11-28 |
| CVE-2025-11230 | Denial of service vulnerability in HAProxy mjson library | HAProxy Community Edition | 7.5 | High | 2025-11-19 |
| CVE-2025-64458 | Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows | Django | 7.5 | - | 2025-11-05 |
| CVE-2025-62727 | Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse | starlette | 7.5 | High | 2025-10-28 |
| CVE-2025-55304 | Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata | exiv2 | 5.5 | - | 2025-08-29 |
| CVE-2023-30421 | mJson security vulnerability | mjson | 2.9 | Low | 2025-04-19 |
| CVE-2025-29908 | Netty QUIC hash collision DoS attack | netty-incubator-codec-quic | 5.3 | Medium | 2025-03-31 |
| CVE-2025-30348 | Qt security vulnerability | Qt | 5.8 | Medium | 2025-03-21 |
| CVE-2025-24947 | Litespeed Technologies LiteSpeed QUIC (LSQUIC) security vulnerability | LSQUIC | 5.3 | Medium | 2025-02-20 |

Vulnerabilities classified as CWE-407 (Algorithmic Complexity) account for 53 CVEs. The CWE entry describes the weakness class only; consult each CVE for the product-specific trigger and impact.