Summary
PHP JWT Library: PBES2-HS*+A*KW unwrap accepts an unbounded p2c iteration count, enabling CPU-amplification denial of service
References
Related vulnerabilities
- MEDIUM GHSA-JM82-FX9C-MX94: pypdf: Missing stream length values ignore defined limits
- HIGH GHSA-38RV-X7PX-6HHQ: undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
- CRITICAL GHSA-X223-P2GF-V735: Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
- HIGH GHSA-72GW-MP4G-V24J: Multer vulnerable to Denial of Service via deeply nested field names
- MEDIUM NPM-EVERYTHING-2024: In late December 2023 (widely reported early January 2024), npm user PatrickJS (gdi2290) published a troll package named 'everything' that, via roughly 3000 chunked sub-packages, declared a dependency on every public package in the npm registry. Installing it triggered a denial of service through storage exhaustion and broken build pipelines. Because a package depended on by others cannot be unpublished, this registry-wide dependency web temporarily blocked many maintainers from removing their own packages until GitHub/npm intervened.
- MEDIUM GHSA-Q59X-JC9F-GFQF: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints