Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: the application is using Spring MVC or Spring WebFlux the application is serving static resources from...

CVE-2026-22745

The vulnerability is in the Spring Framework’s static resource resolution when serving file-system backed resources in Spring MVC/WebFlux apps on Windows. Affected component: org.springframework:spring-core. Under the conditions that the app uses Spring MVC or Spring WebFlux, serves static resour...

CVE-2026-35665

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...

CVE-2026-35665

OpenClaw CVE-2026-35665 details a Denial of Service via pre-auth body parsing in the Feishu webhook handler. The Feishu extension still uses permissive pre-auth limits (1 MB body, 30 s timeout) before signature verification, unlike other webhook handlers that were patched to 64 KB / 5 s. Attacker...

CVE-2026-35665

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...

CVE-2026-35665 OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.24 contained security vulnerabilities. These vulnerabilities stemmed from the Feishu webhook processor accepting request bodies with lax restrictions before signature...

CVE-2026-32011 OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...

CVE-2026-32011

CVE-2026-32011 for OpenClaw describes a denial-of-service in webhook handlers used by BlueBubbles and Google Chat. The root cause is that request bodies are parsed before authentication and signature validation, allowing unauthenticated, remote attackers to exhaust parser resources by sending slo...

EUVD-2026-13273

OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the webhook request body parsing. An attacker can degrade service availability by sending slow or oversized unauthenticated reques...

PT-2026-26393

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.2 Description OpenClaw contains a denial of service issue in webhook handlers for BlueBubbles and Google Chat. These handlers parse request bodies before authentication and signature validation. Unauthenticate...

CVE-2026-25224

A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream or Response with a Web Stream body via reply.send. This can lead to unbounded buffering, exhausting server memory. T...

SUSE CVE-2010-0295

lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service memory consumption by breaking a request into small pieces that are sent at a slow rate...

RESTEasy: Caching routes in RootNode may result in DoS

A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service...

openSUSE Security Update : lighttpd (lighttpd-1914)

This update fixes a denial of service vulnerability in lighttpd that can be triggers using slow requests. CVE-2010-0295 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update lighttpd-1914. The text...

DEBIAN-CVE-2010-0295

lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service memory consumption by breaking a request into small pieces that are sent at a slow rate...