
160 matches found

Hacker One
added 2025/05/07 7:25 p.m. · 7 views

curl: curl_easy_header runs at O(N) or worse and can be abused to use minute(s) of CPU time

Summary: The implementation of curl_easy_header can be abused by a malicious server that puts all headers under a single key. Imagine a server response like: HTTP/1.1 200 OK a: a: a: a: (repeat until MAX_HTTP_RESP_HEADER_SIZE bytes are used). As a developer, if you want to loop through the headers you do...

7 AI score
Exploits: 0

NVD
added 2025/04/30 1:15 a.m. · 22 views

CVE-2025-46560

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens...

7.5 CVSS · 0.00426 EPSS
Exploits: 1 · References: 2

OSV
added 2025/04/30 12:24 a.m. · 3 views

CVE-2025-46560 vLLM phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens...

6.5 CVSS · 6.3 AI score · 0.00426 EPSS
Exploits: 1 · References: 4

Positive Technologies
added 2025/04/29 12:0 a.m. · 2 views

PT-2025-18217 · Vllm · Vllm

Name of the Vulnerable Software and Affected Versions: vLLM versions 0.8.0 through 0.8.4
Description: The issue concerns a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. It is caused by inefficient list concatenation operations, resulting in...

7.5 CVSS · 6.3 AI score · 0.00426 EPSS
Exploits: 1 · References: 13

Positive Technologies
added 2025/04/19 12:0 a.m. · 4 views

PT-2025-17395 · Mjson · Mjson

Name of the Vulnerable Software and Affected Versions: mjson version 1.2.7
Description: The issue arises in the mystrtod function of mjson, which requires an excessive number of iterations when processing specific digit strings, such as 8891110122900e913013935755114. This can lead to potential...

2.9 CVSS · 6.1 AI score · 0.0013 EPSS
Exploits: 0 · References: 8

RedhatCVE
added 2025/04/09 11:21 p.m. · 16 views

CVE-2025-32034

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, a vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively...

7.5 CVSS · 6.7 AI score · 0.00449 EPSS
Exploits: 0 · References: 1

Cvelist
added 2025/04/09 4:0 p.m. · 9 views

CVE-2025-32381 Denial of Service by abusing xgrammar unbounded cache in memory

XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to 0.1.18, Xgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in memory. Since the cache is unbounded, a system maki...

6.5 CVSS · 0.00409 EPSS
Exploits: 0 · References: 3

NVD
added 2025/04/07 9:15 p.m. · 27 views

CVE-2025-32032

The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan,...

7.5 CVSS · 0.00483 EPSS
Exploits: 0 · References: 3

Vulnrichment
added 2025/04/03 12:0 a.m. · 7 views

CVE-2024-47215

An issue was discovered in Snowbridge setups sending data to Google Tag Manager Server Side. It involves attaching an invalid GTM SS preview header to events, causing them to be retried indefinitely. As a result, the performance of forwarding events to GTM SS overall can be affected (latency,...

6.4 AI score · 0.00335 EPSS
Exploits: 0 · References: 1

CVE
added 2025/04/03 12:0 a.m. · 41 views

CVE-2024-47215

CVE-2024-47215 affects Snowbridge setups that forward data to Google Tag Manager Server Side. The issue is an invalid GTM SS preview header attached to events, causing event retries indefinitely and potentially degrading forwarding performance (latency, throughput). Public details across connecte...

7.5 CVSS · 7 AI score · 0.00335 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

CVE
added 2025/03/27 4:43 p.m. · 52 views

CVE-2023-52990

The CVE-2023-52990 entry is rejected/not used; it does not represent an active vulnerability entry.

6.7 AI score
Exploits: 0

Debian CVE
added 2025/03/27 4:43 p.m. · 6 views

CVE-2023-52990

Removed by vendor...

5.7 AI score
Exploits: 0

NVD
added 2025/03/20 10:15 a.m. · 3 views

CVE-2024-7779

A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable...

7.5 CVSS · 0.00664 EPSS
Exploits: 0 · References: 1

Rockylinux
added 2025/03/17 8:16 p.m. · 6 views

samba bug fix update

An update is available for samba. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Samba is an open-source implementation of the Server Message Block (SMB) protocol...

7.2 AI score
Exploits: 0

Cvelist
added 2025/03/05 6:12 p.m. · 7 views

CVE-2025-27513 OpenTelemetry .NET has a Denial of Service (DoS) Vulnerability in API Package

OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context propagation, receiving these...

7.5 CVSS · 0.00468 EPSS
Exploits: 0 · References: 2

Tenable Nessus
added 2025/03/05 12:0 a.m. · 5 views

Linux Distros Unpatched Vulnerability : CVE-2024-46839

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: workqueue: Improve scalability of workqueue watchdog touch. On a 2000 CPU powerpc system, har...

7.2 AI score
Exploits: 0 · References: 1

Tenable Nessus
added 2025/03/05 12:0 a.m. · 6 views

Linux Distros Unpatched Vulnerability : CVE-2024-44989

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference. We shouldn't set real_dev to NULL because...

5.5 CVSS · 6.2 AI score · 0.00239 EPSS
Exploits: 0 · References: 3

Tenable Nessus
added 2025/03/05 12:0 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2022-48752

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending. Running...

5.5 CVSS · 5.6 AI score · 0.0021 EPSS
Exploits: 0 · References: 3

CVE
added 2025/02/26 2:11 a.m. · 132 views

CVE-2022-49394

The CVE-2022-49394 entry describes a Linux kernel vulnerability in blk-iolatency where inflight IO counters could become imbalanced and IOs hang when a cgroup with iolatency is offline or disabled. The root cause is that enabled counters could be manipulated in iolatency_set_limit() and iolatency...

5.5 CVSS · 5.5 AI score · 0.00247 EPSS
Exploits: 0 · References: 7 · Affected Software: 1

Cvelist
added 2025/02/26 1:55 a.m. · 33 views

CVE-2022-49172 parisc: Fix non-access data TLB cache flush faults

In the Linux kernel, the following vulnerability has been resolved: parisc: Fix non-access data TLB cache flush faults. When a page is not present, we get non-access data TLB faults from the fdc and fic instructions in flush_user_dcache_range_asm and flush_user_icache_range_asm. When these occur, the cach...

0.00246 EPSS
Exploits: 0 · References: 3