
CWE-407 (Inefficient Algorithmic Complexity), Vulnerability Class with 51 CVEs

51 vulnerabilities classified as CWE-407 (Inefficient Algorithmic Complexity). Chinese-language AI analysis included.

CWE-407 covers code whose worst-case running time or memory use is far worse than its typical case, where an attacker can choose the input that reaches that worst case. Classic instances are regular expressions with nested quantifiers that backtrack exponentially on a near-miss input (ReDoS), hash tables fed colliding keys so that lookups degrade into linear scans, and parsers that rescan their input on every malformed token and so run in quadratic time. The impact is denial of service: a handful of crafted requests pin CPU or exhaust memory, and legitimate users are starved. Mitigation starts at design time: prefer algorithms and data structures with a bounded worst case (backtracking-free patterns or a linear-time regex engine, keyed or randomized hashing, single-pass parsers), and cap input size and processing time at the trust boundary so that even an unforeseen worst case stays bounded. Fuzzing with inputs varied in length and structure, plus code review that asks what happens on the largest or most pathological input, finds these bottlenecks before an attacker does.

MITRE CWE Description
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
Examples (1)
This example attempts to check if an input string is a "sentence" [REF-1164].

Bad · JavaScript
// Nested quantifier (\w+\s?)*: a run of word characters can be split into
// "words" in exponentially many ways, and a trailing character that cannot
// match forces the engine to try every split before it reports failure.
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern); // -1: no match

Good · JavaScript
// (?=(\w+))\2 emulates an atomic group: the lookahead captures the longest run
// of word characters and the backreference consumes it without giving any
// characters back, so a non-matching input is rejected in linear time.
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern); // -1: no match
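The same two patterns worked into a runnable script, added here as an illustration; it is not code from the CWE entry or from any product listed on this page. The names adversarialInput, timeMatch, isSentence, patternsAgree and the MAX_SENTENCE_LENGTH cap are chosen for this example. It builds the classic worst-case input (a long run of word characters followed by one character that cannot match), times each pattern on it, and shows the input-length cap that keeps cost bounded even if a pattern with bad worst-case behaviour slips through review.

```javascript
// Added example (not code from the CWE page): the vulnerable and hardened
// "is this a sentence?" patterns, an adversarial input generator, a timing
// harness, and an input-length cap as defence in depth.

// Nested quantifier (\w+\s?)*: n word characters can be split into words in
// 2^(n-1) ways, and a trailing non-matching character makes the engine try
// every split before it gives up.
const BAD_PATTERN = /^(\w+\s?)*$/i;

// (?=(\w+))\2 emulates an atomic group: the lookahead captures the longest run
// of word characters and the backreference consumes it without backtracking.
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;

// Assumed limit for this example; a real service would size it to its data.
const MAX_SENTENCE_LENGTH = 10000;

// Constructed adversarial input: n word characters with no separator, then a
// character that can never match, so the overall match must fail.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Monotonic clock where available (Node 16+ exposes performance globally).
function now() {
  return typeof performance !== 'undefined' ? performance.now() : Date.now();
}

// Run one regex test and report the result with the elapsed milliseconds.
function timeMatch(pattern, input) {
  const start = now();
  const matched = pattern.test(input);
  return { matched, ms: now() - start };
}

// Defensive check: reject oversized input before any regex runs, then use the
// backtracking-free pattern. Cost stays bounded even if the pattern changes.
function isSentence(input, pattern = GOOD_PATTERN) {
  if (typeof input !== 'string' || input.length > MAX_SENTENCE_LENGTH) {
    return false;
  }
  return pattern.test(input);
}

// Both patterns accept exactly the same strings; only their cost on failure differs.
function patternsAgree(samples) {
  return samples.every((s) => BAD_PATTERN.test(s) === GOOD_PATTERN.test(s));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sentence       ->', isSentence('The quick brown fox'));
  console.log('bad characters ->', isSentence('Bad characters: $@#'));
  // Doubling series: every two extra characters multiply the bad pattern's
  // time by roughly four, while the good pattern stays flat.
  for (let n = 16; n <= 20; n += 2) {
    const bad = timeMatch(BAD_PATTERN, adversarialInput(n));
    const good = timeMatch(GOOD_PATTERN, adversarialInput(n));
    console.log(`n=${n}  bad=${bad.ms.toFixed(2)}ms  good=${good.ms.toFixed(3)}ms`);
  }
  // The hardened pattern handles input far beyond what BAD_PATTERN could finish.
  const big = timeMatch(GOOD_PATTERN, adversarialInput(MAX_SENTENCE_LENGTH - 1));
  console.log(`n=${MAX_SENTENCE_LENGTH - 1}  good=${big.ms.toFixed(2)}ms  matched=${big.matched}`);
}
```

Run it with node: the printed time for BAD_PATTERN grows geometrically with n, so a request of a few dozen characters is enough to pin a CPU core, while GOOD_PATTERN rejects a 10,000-character input in negligible time. The length cap is the cheap second line of defence for code paths where you cannot audit every pattern; do not raise n for BAD_PATTERN much past 25 unless you are prepared to wait.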
CVE ID | Title | CVSS | Severity | Published
--- | --- | --- | --- | ---
CVE-2024-12243 | Gnutls: gnutls impacted by inefficient der decoding in libtasn1 leading to remote dos | 5.3 | Medium | 2025-02-10
CVE-2024-12133 | Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos | 5.3 | Medium | 2025-02-10
CVE-2024-9631 | Inefficient Algorithmic Complexity in GitLab — GitLab | 7.5 | High | 2025-02-05
CVE-2024-6324 | Inefficient Algorithmic Complexity in GitLab — GitLab | 4.3 | Medium | 2025-01-09
CVE-2024-8233 | Inefficient Algorithmic Complexity in GitLab — GitLab | 7.5 | High | 2024-12-12
CVE-2024-11828 | Inefficient Algorithmic Complexity in GitLab — GitLab | 4.3 | Medium | 2024-11-26
CVE-2024-8177 | Inefficient Algorithmic Complexity in GitLab — GitLab | 5.3 | Medium | 2024-11-26
CVE-2024-8237 | Inefficient Algorithmic Complexity in GitLab — GitLab | 6.5 | Medium | 2024-11-26
CVE-2020-3548 | Cisco Email Security Appliance Denial Of Service Vulnerability — Cisco Secure Email | 5.3 | Medium | 2024-11-18
CVE-2024-43485 | .NET and Visual Studio Denial of Service Vulnerability — PowerShell 7.2 | 7.5 | High | 2024-10-08
CVE-2024-43484 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability — PowerShell 7.2 | 7.5 | High | 2024-10-08
CVE-2024-43483 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability — PowerShell 7.2 | 7.5 | High | 2024-10-08
CVE-2024-23684 | upokecenter CBOR Denial of Service | 7.5 | - | 2024-01-19
CVE-2024-21909 | Denial of service in CBOR library | 7.5 (AI) | High (AI) | 2024-01-03
CVE-2023-46136 | Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning — werkzeug | 8.0 | High | 2023-10-24
CVE-2023-36810 | Quadratic runtime with malformed PDF missing xref marker in pypdf — pypdf | 6.2 | Medium | 2023-06-30
CVE-2023-2473 | Dreamer CMS Password Hash Calculation UserController.java updatePwd algorithmic complexity — Dreamer CMS | 4.3 | Medium | 2023-05-02
CVE-2022-36021 | Redis string pattern matching can be abused to achieve Denial of Service — redis | 5.5 | Medium | 2023-03-01
CVE-2022-22153 | SRX Series and MX Series with SPC3: A high percentage of fragments might lead to high latency or packet drops — Junos OS | 7.5 | High | 2022-01-19
CVE-2020-27223 | Eclipse Jetty resource management error vulnerability — Eclipse Jetty | 5.2 | Medium | 2021-02-26
CVE-2019-19331 | Knot Resolver security vulnerability — knot-resolver | 7.5 | - | 2019-12-16

The "(AI)" marker is the site's own label on that row's score and severity; "-" means no severity rating was shown.

Vulnerabilities classified as CWE-407 (Inefficient Algorithmic Complexity) represent 51 CVEs; the table above lists 21 of them. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.