kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted...

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion...

.NET and Visual Studio Denial of Service Vulnerability

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows...

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service (DoS) type vulnerability. ...

MobSF is a mobile application security testing tool used. Typically, MobSF is deployed on centralized internal or cloud-based servers that also host other security tools and web applications. Access t...

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), a...

IBM Concert Software 1.0.0 through 1.0.5 could allow an authenticated user to cause a denial of service due to the expansion of archive files without controlling resource consumption.

Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by i...

A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an ...

HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 jobs using a maliciously compressed artifact stanza source can cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.

The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. ...

In Splunk Enterprise and Universal Forwarder versions in the following table, indexing a specially crafted ZIP file using the file monitoring input can result in a crash of the application. Attempts t...

gosaml2 is a Pure Go implementation of SAML 2.0. SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library en...

IBM PowerVM Hypervisor FW1050.00 through FW1050.30 and FW1060.00 through FW1060.20 could allow a local user, under certain Linux processor combability mode configurations, to cause undetected data los...

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): through <=2.2.0. Users are recommended to upg...

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memo...