
CWE-770 (Allocation of Resources Without Limits or Throttling) — Vulnerability Class 827

827 vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling). AI Chinese analysis included.

CWE-770 represents a critical resource management weakness where software allocates reusable resources, such as memory, file descriptors, or database connections, without enforcing limits or throttling mechanisms. This vulnerability typically arises when applications accept untrusted input or handle high-volume requests, allowing malicious actors to trigger excessive resource consumption. By rapidly requesting numerous resources, attackers can exhaust system capacity, leading to denial-of-service conditions that degrade performance or crash the entire service. To mitigate this risk, developers must implement strict quotas, rate limiting, and connection pooling strategies. Enforcing maximum thresholds for resource allocation ensures that no single user or process can monopolize system assets, thereby maintaining stability and availability even under heavy load or targeted abuse attempts.

MITRE CWE Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. It can be easy for an attacker to consume many resources by rapidly making many requests or causing larger resources to be used than is needed.
Mitigations (5)
Requirements: Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Architecture and Design: Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Architecture and Design: Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected …
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
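The "per-user limits" and "throttling mechanisms" mitigations above amount to a per-client token bucket: each client gets a bounded burst that refills at a fixed rate, and requests beyond that are refused. The following is an added example, not MITRE's code and not from any of the products listed on this page; the client keys, capacity, rate and timestamps are constructed for the demonstration, and the clock is passed in explicitly so the decisions are deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: per-client token-bucket throttling (not MITRE's code).
 * Each client key owns `capacity` tokens that refill at `rate` tokens per
 * second. A request is admitted only if a token is available, so no single
 * client can consume more than its share of the protected resource. */

#define MAX_CLIENTS 64   /* the limiter's own state is bounded, too */
#define KEY_LEN 64

typedef struct {
    char   key[KEY_LEN];   /* e.g. a user id or a canonical client address */
    double tokens;         /* current balance */
    double last_refill;    /* seconds on a monotonic clock */
    int    in_use;
} bucket_t;

typedef struct {
    bucket_t buckets[MAX_CLIENTS];
    double   capacity;     /* burst size */
    double   rate;         /* sustained tokens per second */
} limiter_t;

void limiter_init(limiter_t *l, double capacity, double rate) {
    memset(l, 0, sizeof *l);
    l->capacity = capacity;
    l->rate = rate;
}

/* Find or create the bucket for `key`. Returns NULL when the table is full,
 * so an attacker churning through keys cannot exhaust the limiter itself. */
static bucket_t *find_bucket(limiter_t *l, const char *key, double now) {
    bucket_t *free_slot = NULL;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        bucket_t *b = &l->buckets[i];
        if (b->in_use && strcmp(b->key, key) == 0) return b;
        if (!b->in_use && free_slot == NULL) free_slot = b;
    }
    if (free_slot == NULL) return NULL;
    strncpy(free_slot->key, key, KEY_LEN - 1);
    free_slot->key[KEY_LEN - 1] = '\0';
    free_slot->tokens = l->capacity;   /* new clients start with a full burst */
    free_slot->last_refill = now;
    free_slot->in_use = 1;
    return free_slot;
}

/* Returns 1 if the request is admitted, 0 if it must be refused. */
int limiter_allow(limiter_t *l, const char *key, double now) {
    bucket_t *b = find_bucket(l, key, now);
    if (b == NULL) return 0;            /* fail closed when out of bucket slots */
    double elapsed = now - b->last_refill;
    if (elapsed > 0) {
        b->tokens += elapsed * l->rate; /* refill proportional to time passed */
        if (b->tokens > l->capacity) b->tokens = l->capacity;
        b->last_refill = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

int main(void) {
    limiter_t l;
    limiter_init(&l, 5, 1.0);  /* burst of 5, then 1 request per second */
    for (int i = 0; i < 7; i++)   /* constructed burst from one client at t=0 */
        printf("t=0 alice #%d: %s\n", i, limiter_allow(&l, "alice", 0.0) ? "allowed" : "refused");
    printf("t=2 alice: %s\n", limiter_allow(&l, "alice", 2.0) ? "allowed" : "refused");
    printf("t=0 bob:   %s\n", limiter_allow(&l, "bob", 0.0) ? "allowed" : "refused");
    return 0;
}
```

Two design points matter in practice. First, the limiter fails closed when its own table is full, because a throttle that allocates unbounded state per key is itself a CWE-770 instance. Second, the key has to identify a client canonically; the express-rate-limit entry in this page's CVE list is a case where IPv4-mapped IPv6 addresses were not normalized and all IPv4 clients shared one bucket.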
Examples (2)
This code allocates a socket and forks each time it receives a new connection.
sock = socket(AF_INET, SOCK_STREAM, 0);
while (1) {
    newsock = accept(sock, ...);
    printf("A connection has been accepted\n");
    pid = fork();   /* one child per connection, with no cap on how many exist */
}
Bad · C
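The corrected form of the fork-per-connection loop above caps the number of live children and refuses new connections while the cap is reached. This is an added example, not MITRE's code; the port number is a placeholder and the cap value is chosen for illustration. The slot table is kept separate from the socket code so the admission logic can be exercised without a network.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Added example (not MITRE's code): a bounded fork-per-connection server. */
#define MAX_CHILDREN 32   /* illustrative cap on concurrent children */

typedef struct {
    pid_t pid[MAX_CHILDREN];   /* 0 = free slot */
    int   active;
} child_table_t;

void table_init(child_table_t *t) { memset(t, 0, sizeof *t); }

/* Record a new child. Returns 0 on success, -1 when the cap is reached. */
int table_add(child_table_t *t, pid_t pid) {
    if (t->active >= MAX_CHILDREN) return -1;
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (t->pid[i] == 0) { t->pid[i] = pid; t->active++; return 0; }
    }
    return -1;
}

/* Forget a child that has exited. Returns 1 if it was tracked, else 0. */
int table_remove(child_table_t *t, pid_t pid) {
    for (int i = 0; i < MAX_CHILDREN; i++) {
        if (t->pid[i] == pid) { t->pid[i] = 0; t->active--; return 1; }
    }
    return 0;
}

/* Reap finished children without blocking so their slots become reusable. */
static void reap_children(child_table_t *t) {
    pid_t pid;
    while ((pid = waitpid(-1, NULL, WNOHANG)) > 0)
        table_remove(t, pid);
}

static int listen_on(int port) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(s, 16) < 0) {
        close(s);
        return -1;
    }
    return s;
}

int main(void) {
    child_table_t table;
    table_init(&table);
    int sock = listen_on(8080);   /* placeholder port for the example */
    if (sock < 0) { perror("listen_on"); return 1; }
    signal(SIGPIPE, SIG_IGN);
    for (;;) {
        reap_children(&table);    /* free the slots of children that finished */
        int newsock = accept(sock, NULL, NULL);
        if (newsock < 0) continue;
        if (table.active >= MAX_CHILDREN) {
            close(newsock);       /* at the cap: refuse rather than fork again */
            continue;
        }
        pid_t pid = fork();
        if (pid == 0) {           /* child: serve this client, then exit */
            close(sock);
            /* handle the connection on newsock here */
            close(newsock);
            _exit(0);
        }
        if (pid > 0) table_add(&table, pid);   /* cannot fail: active < MAX_CHILDREN */
        close(newsock);           /* the parent keeps only the listening socket */
    }
}
```

Because reaping is non-blocking and happens before each accept, a child that exits between two iterations simply frees its slot on the next pass; the cap is therefore conservative rather than leaky, which is the safe direction for an availability control.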
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the da…
int writeDataFromSocketToFile(char *host, int port)
{
    char filename[FILENAME_SIZE];
    char buffer[BUFFER_SIZE];
    int socket = openSocketConnection(host, port);

    if (socket < 0) {
        printf("Unable to open socket connection");
        return(FAIL);
    }
    if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
        if (openFileToWrite(filename) > 0) {
            /* No cap on the amount written: the loop runs until the client
               stops sending, so one client can fill the file system. */
            while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0) {
                if (!(writeToFile(buffer) > 0))
                    break;
            }
        }
        closeFile();
    }
    closeSocket(socket);
}
Bad · C
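The missing control in the second example is a byte quota on the copy loop. The following added example, not MITRE's code, isolates that loop into a function that stops before the quota is exceeded and reports the failure as a distinct error; the reader and writer are function pointers so the in-memory source and sink used here (constructed for the demonstration) can stand in for the socket and file of the original.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not MITRE's code): copy from a message source to a sink
 * under a hard byte quota, the fix for the unbounded write loop above. */

/* Reader returns bytes placed in buf (0 = end of stream, <0 = error). */
typedef int (*read_fn)(void *ctx, char *buf, size_t cap);
/* Writer returns 1 on success, 0 on failure. */
typedef int (*write_fn)(void *ctx, const char *buf, size_t len);

enum { COPY_ERR_IO = -1, COPY_ERR_QUOTA = -2 };

/* Copies until the source is exhausted. Returns the bytes written,
 * COPY_ERR_QUOTA if the next chunk would exceed max_bytes (nothing past the
 * quota is ever written), or COPY_ERR_IO on a read or write failure. */
long copy_with_quota(read_fn rd, void *rctx, write_fn wr, void *wctx, size_t max_bytes) {
    char buf[64];
    size_t total = 0;
    for (;;) {
        int n = rd(rctx, buf, sizeof buf);
        if (n < 0) return COPY_ERR_IO;
        if (n == 0) return (long)total;
        if ((size_t)n > max_bytes - total) return COPY_ERR_QUOTA;  /* check before writing */
        if (!wr(wctx, buf, (size_t)n)) return COPY_ERR_IO;
        total += (size_t)n;
    }
}

/* In-memory source and sink, constructed so the example runs offline. */
typedef struct { const char *data; size_t len, pos; } mem_src_t;
typedef struct { char data[256]; size_t len; } mem_sink_t;

int mem_read(void *ctx, char *buf, size_t cap) {
    mem_src_t *s = ctx;
    size_t left = s->len - s->pos;
    size_t n = left < cap ? left : cap;
    if (n > 7) n = 7;   /* small chunks to mimic a stream of socket messages */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

int mem_write(void *ctx, const char *buf, size_t len) {
    mem_sink_t *k = ctx;
    if (k->len + len > sizeof k->data) return 0;
    memcpy(k->data + k->len, buf, len);
    k->len += len;
    return 1;
}

/* Copy `payload` under `quota`; reports bytes actually written via *written. */
long demo_copy(const char *payload, size_t quota, size_t *written) {
    mem_src_t src = { payload, strlen(payload), 0 };
    mem_sink_t sink = { {0}, 0 };
    long r = copy_with_quota(mem_read, &src, mem_write, &sink, quota);
    if (written) *written = sink.len;
    return r;
}

int main(void) {
    const char *msg = "the quick brown fox jumps over the lazy dog";  /* 43 bytes, constructed */
    size_t w;
    long r = demo_copy(msg, 1024, &w);
    printf("within quota: result=%ld written=%zu\n", r, w);
    r = demo_copy(msg, 16, &w);
    printf("over quota:   result=%ld written=%zu\n", r, w);
    return 0;
}
```

The quota check runs before the write, so the sink never holds more than max_bytes; when the caller receives COPY_ERR_QUOTA it can delete the partial file and log the client, which also gives a clean detection signal for clients that repeatedly hit the limit.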
CVE ID | Title | CVSS | Severity | Published
CVE-2025-13436 | Allocation of Resources Without Limits or Throttling in GitLab — GitLab | 6.5 | Medium | 2026-03-25
CVE-2026-29772 | Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands — astro | 5.9 | Medium | 2026-03-24
CVE-2026-3260 | Undertow: undertow: denial of service due to premature multipart/form-data parsing in get requests — Red Hat build of Apache Camel for Spring Boot 4 | 5.9 | Medium | 2026-03-24
CVE-2026-33241 | Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing — salvo | 7.5 | - | 2026-03-23
CVE-2026-33483 | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php — AVideo | 7.5 | High | 2026-03-23
CVE-2026-32049 | OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass — OpenClaw | 7.5 | High | 2026-03-21
CVE-2026-33012 | Micronaut Framework vulnerable to a Denial of Service in HTML error response caching — micronaut-core | 7.5 | High | 2026-03-20
CVE-2026-32941 | Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports — sliver | 6.5 | - | 2026-03-20
CVE-2026-32011 | OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing — OpenClaw | 7.5 | High | 2026-03-19
CVE-2026-28461 | OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn — OpenClaw | 7.5 | High | 2026-03-19
CVE-2026-29112 | @dicebear/converter vulnerable to Uncontrolled memory allocation via crafted SVG dimensions — dicebear | 7.5 | High | 2026-03-18
CVE-2026-27979 | Next.js: Unbounded postponed resume buffering can lead to DoS — next.js | 5.4 | - | 2026-03-18
CVE-2026-1376 | IBM i Denial of Service — i | 7.5 | High | 2026-03-17
CVE-2026-24458 | DoS attack via login attempts with multi-megabyte passwords — Mattermost | 7.5 | High | 2026-03-16
CVE-2026-30961 | Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload — Gokapi | 4.3 | Medium | 2026-03-13
CVE-2026-2581 | undici is vulnerable to Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS — undici | 5.9 | Medium | 2026-03-12
CVE-2026-31961 | Unbounded memory allocation in Quill via unvalidated size fields in Mach-O binary parsing — quill | 5.5 | Medium | 2026-03-11
CVE-2026-31960 | DoS in Quill via unbounded read of HTTP response body during notarization — quill | 5.3 | Medium | 2026-03-11
CVE-2019-25464 | InputMapper 1.6.10 Local Denial of Service via Username Field — InputMapper | 5.5 | Medium | 2026-03-11
CVE-2026-31866 | Allocation of Resources Without Limits or Throttling in flagd — flagd | 7.5 | High | 2026-03-11
CVE-2025-12576 | Allocation of Resources Without Limits or Throttling in GitLab — GitLab | 6.5 | Medium | 2026-03-11
CVE-2025-13690 | Allocation of Resources Without Limits or Throttling in GitLab — GitLab | 6.5 | Medium | 2026-03-11
CVE-2025-13929 | Allocation of Resources Without Limits or Throttling in GitLab — GitLab | 7.5 | High | 2026-03-11
CVE-2026-32062 | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream — openclaw | 7.5 | High | 2026-03-11
CVE-2026-31826 | pypdf: manipulated stream length values can exhaust RAM — pypdf | 4.3 | - | 2026-03-10
CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API — parse-server | 7.5 (AI) | High (AI) | 2026-03-10
CVE-2026-26130 | ASP.NET Core Denial of Service Vulnerability — ASP.NET Core 10.0 | 7.5 | High | 2026-03-10
CVE-2026-30827 | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers) — express-rate-limit | 7.5 | High | 2026-03-07
CVE-2026-29795 | stellar-xdr: `StringM::from_str` bypasses max length validation — rs-stellar-xdr | 4.0 | Medium | 2026-03-06
CVE-2026-29062 | jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion — jackson-core | 7.5 | - | 2026-03-06

Vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling) represent 827 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.