CVE-2026-47077

Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackneyh3:awaitresponseloop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk,...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in various respons.text invocations in response-handler.ts, which accept and buffer arbitrarily long request strings. Functions like createJsonResponseHandler and...

CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound chec...

UBUNTU-CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound chec...

basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering

Summary basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending...

GHSA-677M-J7P3-52F9 socket.io allows an unbounded number of binary attachments

Impact A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. Patches | Version range | Used by | Fixed version |...

CVE-2026-27979

Next.js CVE-2026-27979 affects Next.js 16.0.1 through 16.1.6 in non-minimal deployments with Partial Prerendering enabled. A request containing the next-resume: 1 header can cause unbounded postponed-body buffering, consuming memory and enabling DoS. The issue is fixed in 16.1.7 by enforcing size...

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in...

CVE-2026-28478

OpenClaw exposes a Denial of Service vulnerability in webhook handlers prior to version 2026.2.13, caused by buffering request bodies without strict byte or time limits. Remote, unauthenticated attackers can send oversized JSON payloads or slow uploads, triggering memory pressure and availability...

CVE-2026-28478 OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and...

CVE-2026-25224

A flaw was found in Fastify. A remote client can exploit this denial-of-service vulnerability by sending a slow or non-reading request when the application returns a ReadableStream or Response with a Web Stream body via reply.send. This can lead to unbounded buffering, exhausting server memory. T...

CVE-2026-25224

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream or Response with a Web Stream body via...

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

CVE-2026-22258

CVE-2026-22258 affects Suricata (IDS/IPS/NSM). Before versions 8.0.3 and 7.0.14, crafted DCERPC traffic can trigger unbounded buffering, causing memory exhaustion and process termination. While initially observed over UDP, TCP and SMB are also considered vulnerable; however, DCERPC/TCP defaults l...

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

python-kdcproxy: Remote DoS via unbounded TCP upstream buffering

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server e.g. through server-side request forgery, they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copie...

Fedora 41 : python-kdcproxy (2025-3075610004)

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-3075610004 advisory. - New upstream version 1.1.0 - Use DNS discovery for declared realms only CVE-2025-59088 - Fix DoS vulnerability based on unbounded TCP buffering...

RockyLinux 10 : python-kdcproxy (RLSA-2025:21142)

The remote RockyLinux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RLSA-2025:21142 advisory. python-kdcproxy: Unauthenticated SSRF via Realm?Controlled DNS SRV CVE-2025-59088 python-kdcproxy: Remote DoS via unbounded TCP upstream buffering...

RLSA-2025:20962 Important: pcs security update

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fixes: rubygem-rack: Rack QueryParser has an unsafe default allowing paramslimit bypass via semicolon-separated parameters CVE-2025-59830 rack: Rack's unbounded multipart preamble...

python-kdcproxy: Remote DoS via unbounded TCP upstream buffering

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server e.g. through server-side request forgery, they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copie...