Asymmetric Resource Consumption (Amplification)

CWE-405

Overtime trend (NVD)

CVSS severity (NVD, All Time)

Per technology (GHSA, All time)

88%-Composer
11%-Go

Short description

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Extended description

This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.

Best practices to prevent this CWE

Phase: Architecture and Design

An application must make resources available to a client commensurate with the client's access level.

Phase: Architecture and Design

An application must, at all times, keep track of allocated resources and meter their usage appropriately.

Phase: System Configuration

Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.

Effectiveness: High

Recently published CVEs

CVE-2024-0450
CVE-2021-38447
CVE-2021-21359
CVE-2018-15492

Recently published GHSA

GHSA-8c28-5mp7-v24h
GHSA-jj6m-r8jc-2gp7
GHSA-4p9g-qgx9-397p

Prioritize and Uncover Reachable Vulnerabilities in Your Application Code

Identify externally reachable data flows and vulnerabilities for effective risk mitigation

Get a Demo