The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
View on MITREThis can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
An application must make resources available to a client commensurate with the client's access level.
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
No detection method information available for this CWE.
This code listens on a port for DNS requests and sends the result to the requesting address.
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
This function prints the contents of a specified file requested by a user.
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
This example attempts to check if an input string is a "sentence" [REF-1164].
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
This example attempts to check if an input string is a "sentence" [REF-1164].
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
View Detailsserver allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
View Detailscomposite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
View DetailsDiffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
View DetailsThe Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.
View DetailsCWE-405: Asymmetric Resource Consumption (Amplification) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
If exploited, CWE-405 (Asymmetric Resource Consumption (Amplification)) it can compromise Availability, leading to outcomes such as DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) and DoS: Resource Consumption (Other).
Recommended mitigations for CWE-405 include: An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately. Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
CWE-405 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-405, including CVE-1999-0513, CVE-2003-1564, CVE-2004-2458, CVE-2020-10735 and CVE-2020-5243. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-405 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.