
CWE-407 (Algorithmic Complexity) — Vulnerability Class: 58 CVEs

58 vulnerabilities classified as CWE-407 (Algorithmic Complexity). AI-generated Chinese analysis included.

CWE-407 describes a software weakness in which an algorithm's worst-case computational complexity is far worse than its typical-case complexity. An attacker exploits it by crafting inputs that deliberately drive the algorithm into that worst case, causing denial of service or severe degradation: the application burns CPU time or memory on a single request, and service availability for legitimate users suffers. Mitigation starts at design time, by choosing data structures and logic whose cost stays bounded regardless of input shape (for example, hash tables with randomized seeds, linear-time parsers, regular expressions without nested quantifiers). Testing with adversarial edge cases and fuzzing exposes hidden hot spots, and code review should flag any operation whose cost grows quadratically or exponentially with attacker-controlled input size.

MITRE CWE Description
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Common Consequences (1)
Scope: Availability. Impact: DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other).
The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
Examples (1)
This example attempts to check if an input string is a "sentence" [REF-1164].

Bad (JavaScript): the nested quantifier in (\w+\s?)* lets the engine split a run of word characters into exponentially many groupings before it can report a non-match.

    var test_string = "Bad characters: $@#";
    var bad_pattern = /^(\w+\s?)*$/i;
    var result = test_string.search(bad_pattern);

Good (JavaScript): the lookahead-plus-backreference construct (?=(\w+))\2 captures a whole word once and then matches it literally, emulating an atomic group so the engine never backtracks into the word.

    var test_string = "Bad characters: $@#";
    var good_pattern = /^((?=(\w+))\2\s?)*$/i;
    var result = test_string.search(good_pattern);
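The following is an added example, not part of the CWE entry above, showing how a defender would harden this check beyond swapping the regex: the two patterns from the entry sit next to a hand-written linear-time scanner that accepts the same language (words separated by at most one whitespace character), and every variant is preceded by an input-length guard so that no regex engine ever sees unbounded attacker-controlled input. The MAX_INPUT limit and the sample inputs are constructed for this example.

```javascript
// Patterns taken from the CWE-407 example; everything else is added illustration.
const BAD_PATTERN = /^(\w+\s?)*$/i;           // nested quantifier: catastrophic backtracking
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;  // lookahead + backreference emulates an atomic group

// Assumed per-application limit: bound the work a single input can cause
// before any matching happens at all.
const MAX_INPUT = 4096;

// Regex-based check with a length guard applied first.
function isSentenceRegex(input, pattern) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  return pattern.test(input);
}

// Linear-time scanner: one forward pass, no backtracking, accepts exactly the
// strings the patterns accept (zero or more words, each optionally followed by
// a single whitespace character; the empty string is accepted).
function isSentenceScan(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  let i = 0;
  while (i < input.length) {
    const start = i;
    while (i < input.length && /\w/.test(input[i])) i++;  // consume one word
    if (i === start) return false;                          // a word character was required here
    if (i < input.length && /\s/.test(input[i])) i++;       // at most one whitespace after a word
  }
  return true;
}

// Constructed sample inputs: the page's test string, well-formed sentences,
// and malformed ones that every implementation must reject.
const SAMPLES = [
  'Bad characters: $@#',  // rejected: ':' and '$@#' are not word characters
  'This is a sentence',   // accepted
  'trailing ',            // accepted: one trailing whitespace is allowed
  'double  space',        // rejected: two consecutive whitespace characters
  ' leading',             // rejected: input must start with a word character
  '',                     // accepted: zero words
];

// Run all three implementations over the samples and return one row per input,
// so their agreement can be checked mechanically.
function compareImplementations(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    bad: isSentenceRegex(s, BAD_PATTERN),
    good: isSentenceRegex(s, GOOD_PATTERN),
    scan: isSentenceScan(s),
  }));
}

// True when the hardened implementations agree with the original pattern on
// every sample, i.e. the fix changed cost, not semantics.
function implementationsAgree(samples = SAMPLES) {
  return compareImplementations(samples).every((r) => r.bad === r.good && r.good === r.scan);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareImplementations());
  console.log('all implementations agree:', implementationsAgree());
}
```

The length guard is the cheap first line of defence and applies to any parser, not only regular expressions; the scanner is the structural fix, because its cost is proportional to the input length for every input rather than only for well-behaved ones. When a regex cannot be replaced, the lookahead form from the entry removes the nested ambiguity, but it still deserves a length bound and a review of every other quantifier in the pattern.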
CVE listing (30 of the 58 CVEs shown; "(AI)" marks a score or severity flagged as AI-estimated in the original listing; "-" means not provided)

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-44378 | Botan: Quadratic complexity decoding BER indefinite length encodings | botan | - | - | 2026-05-27
CVE-2026-48959 | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward | IO::Uncompress::Unzip | - | - | 2026-05-27
CVE-2026-44390 | Unbounded name compression in certain cases causes degradation of service | Unbound | - | - | 2026-05-20
CVE-2026-42923 | Degradation of service with unbounded NSEC3 hash calculations | Unbound | - | - | 2026-05-20
CVE-2026-41292 | Long list of incoming EDNS options degrades performance | Unbound | - | - | 2026-05-20
CVE-2026-45186 | libexpat security vulnerability | libexpat | 2.9 | Low | 2026-05-10
CVE-2026-42245 | net-imap: Quadratic complexity when reading response literals | net-imap | 7.5 | - | 2026-05-09
CVE-2026-43967 | Quadratic fragment-name uniqueness check causes denial of service in absinthe | absinthe | 7.5 (AI) | High (AI) | 2026-05-08
CVE-2026-40476 | graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation | graphql-php | 7.5 (AI) | High (AI) | 2026-04-17
CVE-2026-35599 | Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler | vikunja | 6.5 | Medium | 2026-04-10
CVE-2026-6042 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity | libc | 3.3 | Low | 2026-04-10
CVE-2026-33033 | Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload | Django | 5.3 (AI) | Medium (AI) | 2026-04-07
CVE-2026-34827 | Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser | rack | 7.5 | High | 2026-04-02
CVE-2026-31937 | Suricata dcerpc: quadratic complexity in dcerpc buffering | suricata | 7.5 | High | 2026-04-02
CVE-2026-31934 | Suricata smtp/mine: quadratic complexity in extracting urls | suricata | 7.5 | High | 2026-04-02
CVE-2026-31933 | Suricata stream: quadratic complexity in stream inspection | suricata | 7.5 | High | 2026-04-02
CVE-2026-31932 | Suricata krb5: quadratic complexity in krb5 buffering | suricata | 7.5 | High | 2026-04-02
CVE-2026-34573 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS | parse-server | 7.5 (AI) | High (AI) | 2026-03-31
CVE-2026-3988 | Inefficient Algorithmic Complexity in GitLab | GitLab | 7.5 | High | 2026-03-25
CVE-2026-28804 | pypdf: Inefficient decoding of ASCIIHexDecode streams | pypdf | 6.5 | - | 2026-03-06
CVE-2026-27903 | minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments | minimatch | 7.5 | High | 2026-02-26
CVE-2025-14831 | Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification | Red Hat Enterprise Linux 10 | 5.3 | Medium | 2026-02-09
CVE-2025-14550 | Potential denial-of-service vulnerability via repeated headers when using ASGI | Django | 7.5 | - | 2026-02-03
CVE-2026-1285 | Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods | Django | 7.5 | - | 2026-02-03
CVE-2025-14822 | DoS from quadratic complexity in model.ParseHashtags | Mattermost | 3.1 | Low | 2026-01-16
CVE-2025-64460 | Potential denial-of-service vulnerability in XML serializer text extraction | Django | 7.5 (AI) | High (AI) | 2025-12-02
CVE-2025-66382 | libexpat security vulnerability | libexpat | 2.9 | Low | 2025-11-28
CVE-2025-11230 | Denial of service vulnerability in HAProxy mjson library | HAProxy Community Edition | 7.5 | High | 2025-11-19
CVE-2025-64458 | Potential denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows | Django | 7.5 | - | 2025-11-05
CVE-2025-62727 | Starlette vulnerable to O(n^2) DoS via Range header merging in starlette.responses.FileResponse | starlette | 7.5 | High | 2025-10-28

Vulnerabilities classified as CWE-407 (Algorithmic Complexity) account for 58 CVEs. The CWE taxonomy describes the weakness class only; review each CVE for its product-specific impact.