
CWE-770 (Allocation of Resources Without Limits or Throttling) — Vulnerability Class 909

909 vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling). AI Chinese analysis included.

CWE-770 represents a critical resource management weakness where software allocates reusable resources, such as memory, file descriptors, or database connections, without enforcing limits or throttling mechanisms. This vulnerability typically arises when applications accept untrusted input or handle high-volume requests, allowing malicious actors to trigger excessive resource consumption. By rapidly requesting numerous resources, attackers can exhaust system capacity, leading to denial-of-service conditions that degrade performance or crash the entire service. To mitigate this risk, developers must implement strict quotas, rate limiting, and connection pooling strategies. Enforcing maximum thresholds for resource allocation ensures that no single user or process can monopolize system assets, thereby maintaining stability and availability even under heavy load or targeted abuse attempts.

MITRE CWE Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. It can be easy for an attacker to consume many resources by rapidly making many requests or causing larger resources to be used than is needed.
Mitigations (5)
Requirements: Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
Architecture and Design: Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
Architecture and Design: Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected …
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Examples (2)
This code allocates a socket and forks each time it receives a new connection.
    sock = socket(AF_INET, SOCK_STREAM, 0);
    while (1) {
        newsock = accept(sock, ...);              /* every connection is accepted, none are counted */
        printf("A connection has been accepted\n");
        pid = fork();                              /* one new process per connection, with no upper bound */
    }
Bad · C
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the da…
    int writeDataFromSocketToFile(char *host, int port)
    {
        char filename[FILENAME_SIZE];
        char buffer[BUFFER_SIZE];
        int socket = openSocketConnection(host, port);

        if (socket < 0) {
            printf("Unable to open socket connection");
            return(FAIL);
        }
        if (getNextMessage(socket, filename, FILENAME_SIZE) > 0) {
            if (openFileToWrite(filename) > 0) {
                /* no cap on the total bytes written: the client decides how large the file grows */
                while (getNextMessage(socket, buffer, BUFFER_SIZE) > 0) {
                    if (!(writeToFile(buffer) > 0))
                        break;
                }
            }
            closeFile();
        }
        closeSocket(socket);
    }
Bad · C
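Both MITRE examples above allocate a resource for every request without counting what is already live. As an added example that is not part of the CWE entry or any listed project, the C code below shows the per-user and global caps that the Architecture and Design mitigations describe, checked before the allocation happens; all limit values, table sizes and client ids are constructed for the demonstration.

```c
/* Added example, not MITRE's code: per-actor and global caps on live
 * allocations, checked before the resource is created. Limits and
 * client ids are constructed for the demonstration. */
#include <stdio.h>
#define MAX_TRACKED     64  /* distinct actors tracked; the table itself is bounded */
#define GLOBAL_LIMIT     8  /* live allocations across all actors (assumed) */
#define PER_ACTOR_LIMIT  3  /* live allocations per actor (assumed) */

struct quota {
    int total;                        /* live allocations, all actors */
    unsigned int actor[MAX_TRACKED];  /* actor id per slot */
    int held[MAX_TRACKED];            /* live allocations per slot */
    int n;                            /* slots in use */
};
static int find_slot(const struct quota *q, unsigned int uid) {
    for (int i = 0; i < q->n; i++) if (q->actor[i] == uid) return i;
    return -1;
}
/* Returns 1 and records the allocation if both caps allow it, else 0.
 * Call before fork()/open()/malloc(); refuse at once rather than queue. */
int quota_acquire(struct quota *q, unsigned int uid) {
    int s = find_slot(q, uid);
    if (s < 0) {                              /* first request from this actor */
        if (q->n == MAX_TRACKED) return 0;    /* tracking table full: refuse */
        s = q->n++; q->actor[s] = uid; q->held[s] = 0;
    }
    if (q->total >= GLOBAL_LIMIT || q->held[s] >= PER_ACTOR_LIMIT) return 0;
    q->total++; q->held[s]++;
    return 1;
}
/* Pair with every successful acquire (child exit, file close, ...). */
void quota_release(struct quota *q, unsigned int uid) {
    int s = find_slot(q, uid);
    if (s < 0 || q->held[s] == 0) return;
    q->held[s]--; q->total--;
}
/* Scenario: `actors` distinct clients each make `reqs` requests back to back. */
int burst(unsigned int actors, int reqs) {
    struct quota q = {0};
    int accepted = 0;
    for (unsigned int a = 0; a < actors; a++)
        for (int i = 0; i < reqs; i++) accepted += quota_acquire(&q, 1000 + a);
    return accepted;
}
int main(void) {
    printf("1 client x5: %d accepted, 10 clients x1: %d accepted\n",
           burst(1, 5), burst(10, 1));
    return 0;
}
```

A real server would call quota_acquire with the authenticated client identity before fork() in the first example and count bytes against a per-file cap inside the write loop of the second, releasing the quota when the child exits or the file is closed.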
CVE ID · Title · CVSS · Severity · Published
CVE-2026-53522 · Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS — nezha · 6.5 · Medium · 2026-06-12
CVE-2026-50560 · Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature — netty · 2026-06-12
CVE-2026-48748 · Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion — netty · 7.5 · High · 2026-06-12
CVE-2026-46340 · Netty: SCTP reassembly nests buffers without bound — netty · 7.5 · High · 2026-06-12
CVE-2026-45416 · Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes — netty · 7.5 · High · 2026-06-12
CVE-2026-49347 · Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown — questbot · 2026-06-12
CVE-2026-53781 · Summarize < 0.17.0 Disk Exhaustion via Uncapped Media Download — summarize · 4.3 · Medium · 2026-06-11
CVE-2026-45802 · FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service — FPDI · 2026-06-11
CVE-2026-44488 · Axios: Allocation of Resources Without Limits or Throttling in axios — axios · 7.5 · High · 2026-06-11
CVE-2026-53423 · Unauthenticated denial-of-service via BEAM atom table exhaustion in membrane_mp4_plugin — membrane_mp4_plugin · 2026-06-11
CVE-2026-1500 · Allocation of Resources Without Limits or Throttling in GitLab — GitLab · 6.5 · Medium · 2026-06-11
CVE-2026-7250 · Allocation of Resources Without Limits or Throttling in GitLab — GitLab · 7.5 · High · 2026-06-11
CVE-2026-53460 · ImageMagick: Policy Bypass can trigger out-of-Memory condition — ImageMagick · 7.5 · High · 2026-06-10
CVE-2026-46702 · Russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets — russh · 7.5 · High · 2026-06-10
CVE-2026-46673 · Russh: Unchecked CryptoVec allocation and growth handling is reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases — russh · 7.5 · High · 2026-06-10
CVE-2026-10740 · Excessive memory allocation in s2n-quic — s2n-quic · 5.3 · Medium · 2026-06-10
CVE-2026-24720 · File Station 5 — File Station 5 · 2026-06-10
CVE-2026-41726 · In Spring for Apache Kafka, unbounded delegate cache keyed on user-controlled, potentially malicious selector header — Spring for Apache Kafka · 6.5 · Medium · 2026-06-09
CVE-2026-41716 · Spring Data web support unbounded negative-result cache keyed on attacker-supplied property names — Spring Data Commons · 7.5 · High · 2026-06-09
CVE-2026-28237 · AMD uProf resource allocation vulnerability affecting availability — AMD µProf · 2026-06-09
CVE-2026-42570 · Svelte devalue: DoS via sparse array deserialization — devalue · 7.5 · High · 2026-06-09
CVE-2026-49955 · Hermes WebUI < 0.51.270 Resource Exhaustion via passkey/options — hermes-webui · 5.3 · Medium · 2026-06-09
CVE-2026-41007 · Spring HATEOAS heap exhaustion through unbounded internal caching — Spring HATEOAS · 7.5 · High · 2026-06-09
CVE-2026-41851 · Spring Framework Denial of Service via Unbounded Cache in SpEL — Spring Framework · 5.3 · Medium · 2026-06-09
CVE-2026-41710 · Cache Exhaustion in Stateful Retries leads to Denial of Service — Spring Retry · 5.9 · Medium · 2026-06-09
CVE-2026-43973 · gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion — gun · 2026-06-08
CVE-2026-45290 · Cloudburst Network has DoS in RakNet connection handling due to missing bound checks — Network · 7.5 · High · 2026-06-05
CVE-2026-50589 · OpenStack Ironic JSON-RPC service denial-of-service vulnerability in multiple versions — Ironic · 5.3 · Medium · 2026-06-04
CVE-2026-40898 · quic-go: HTTP/3 QPACK Trailer Expansion Memory Exhaustion — quic-go · 5.3 · Medium · 2026-06-04
CVE-2025-46638 · Dell BSAFE SSL-J unlimited resource allocation leads to DoS vulnerability — BSAFE SSL-J · 7.5 · High · 2026-06-04

Vulnerabilities classified as CWE-770 (Allocation of Resources Without Limits or Throttling) represent 909 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.