CWE-405: Asymmetric Resource Consumption (Amplification)
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Last updated
Overview
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Real-world CVEs
37 recorded CVEs are caused by CWE-405 (Asymmetric Resource Consumption (Amplification)). The highest-severity and most recent are shown first. 11 new CWE-405 CVEs have been recorded so far in 2026 (16 in 2025).
- CVE-2026-25611
Pre-Authentication Memory Exhaustion Denial of Service in MongoDB Server
High · CVSS 8.7 · EPSS 52th2026-02-10 - CVE-2025-53633
Chall-Manager's scenario decoding process does not check for zip bombs
High · CVSS 8.7 · EPSS 37th2025-07-10 - CVE-2024-56200
Uncontrolled Recursion and Asymmetric Resource Consumption in Altair media/file proxy
High · CVSS 8.6 · EPSS 44th2024-12-19 - CVE-2021-38447High · CVSS 8.6 · EPSS 80th2022-05-05
- CVE-2025-22166High · CVSS 8.3 · EPSS 37th2025-10-21
- CVE-2025-42874
Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius)
High · CVSS 7.9 · EPSS 33th2025-12-09 - CVE-2026-47774
Envoy vulnerable to HTTP/2 memory exhaustion via cookie header size bypass and HPACK amplification
High · CVSS 7.5 · EPSS 53th2026-06-17 - CVE-2026-0485
Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform
High · CVSS 7.5 · EPSS 33th2026-02-10 - CVE-2026-22775
devalue vulnerable to denial of service due to memory/CPU exhaustion in devalue.parse
High · CVSS 7.5 · EPSS 43th2026-01-15 - CVE-2026-22774
devalue vulnerable to denial of service due to memory exhaustion in devalue.parse
High · CVSS 7.5 · EPSS 43th2026-01-15 - CVE-2025-66564
Sigstore Timestamp Authority allocates excessive memory during request parsing
High · CVSS 7.5 · EPSS 33th2025-12-04 - CVE-2025-66506
Fulcio allocates excessive memory during token parsing
High · CVSS 7.5 · EPSS 9th2025-12-04
Showing 12 of 37 recorded CWE-405 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-405 vulnerabilitiesCommon consequences
What can happen when CWE-405 is exploited.
DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Affects: Availability
Sometimes this is a factor in "flood" attacks, but other types of amplification exist.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-405, grouped by where in the lifecycle they apply.
An application must make resources available to a client commensurate with the client's access level.
An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Effectiveness: High — Business requirements may prevent disabling resource-intensive algorithms.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This code listens on a port for DNS requests and sends the result to the requesting address.
Vulnerable example
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
This function prints the contents of a specified file requested by a user.
Vulnerable example
function printFile($username,$filename){This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Attack input
<?xml version="1.0"?>This example attempts to check if an input string is a "sentence" [REF-1164].
An adversary can cause significant resource consumption on a server by filtering the cryptographic algorithms offered by the client to the ones that are the most resource-intensive on the server side. After discovering which cryptographic algorithms are supported by the server, a malicious client can send the initial cryptographic handshake messages that contains only the resource-intensive algorithms. For some cryptographic protocols, these messages can be completely prefabricated, as the resource-intensive part of the handshake happens on the server-side first (such as TLS), rather than on the client side. In the case of cryptographic protocols where the resource-intensive part should happen on the client-side first (such as SSH), a malicious client can send a forged/precalculated computation result, which seems correct to the server, so the resource-intensive part of the handshake is going to happen on the server side. A malicious client is required to send only the initial messages of a cryptographic handshake to initiate the resource-consuming part of the cryptographic handshake. These messages are usually small, and generating them requires minimal computational effort, enabling a denial-of-service attack. An additional risk is the fact that higher key size increases the effectiveness of the attack. Cryptographic protocols where the clients have influence over the size of the used key (such as TLS 1.3 or SSH) are most at risk, as the client can enforce the highest key size supported by the server.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-1999-0513 — Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
- CVE-2003-1564 — Parsing library allows XML bomb
- CVE-2004-2458 — Tool creates directories before authenticating user.
- CVE-2020-10735 — Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
- CVE-2020-5243 — server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
- CVE-2013-5211 — composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
- CVE-2002-20001 — Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
- CVE-2022-40735 — The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.
Terminology & mappings
Mapped taxonomies
- PLOVER: Asymmetric resource consumption (amplification)
- OWASP Top Ten 2004: Denial of Service (A9) — CWE More Specific fit
- WASC: XML Attribute Blowup (41)
- The CERT Oracle Secure Coding Standard for Java (2011): Use thread pools to enable graceful degradation of service during traffic bursts (TPS00-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Release resources when they are no longer needed (FIO04-J)
Frequently asked questions
Common questions about CWE-405.
- What is CWE-405?
- The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
- What CVEs are caused by CWE-405?
- 37 recorded CVEs are attributed to CWE-405, including CVE-2026-25611, CVE-2025-53633, CVE-2024-56200.
- Is CWE-405 part of the OWASP Top 10?
- CWE-405 maps to OWASP Top Ten 2004: Denial of Service (A9) in the OWASP security taxonomy.
- How do you prevent CWE-405?
- An application must make resources available to a client commensurate with the client's access level.
- What are the consequences of CWE-405?
- Exploiting CWE-405 can lead to: DoS: Amplification, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other).
- Is CWE-405 actively exploited?
- 37 recorded CVEs are caused by CWE-405; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-405) (opens in a new tab)
- CWE-405 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-405
Get alerted the moment a new CWE-405 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.