CWE-407: Inefficient Algorithmic Complexity
Also known as: Quadratic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Last updated
Overview
CWE-407 (Inefficient Algorithmic Complexity) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
90 recorded CVEs are caused by CWE-407 (Inefficient Algorithmic Complexity). The highest-severity and most recent are shown first. 50 new CWE-407 CVEs have been recorded so far in 2026 (18 in 2025).
- CVE-2026-57480
Parse Server: Denial of service via exponential-time processing of deeply nested query operators
High · CVSS 8.7 · EPSS 26th2026-07-08 - CVE-2026-55206
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
High · CVSS 8.7 · EPSS 24th2026-07-08 - CVE-2026-59880
Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set
High · CVSS 8.7 · EPSS 29th2026-07-08 - CVE-2026-58226
Unauthenticated denial-of-service via unbounded HPACK integer decoding in hpax
High · CVSS 8.7 · EPSS 35th2026-07-06 - CVE-2026-59094
Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store
High · CVSS 8.7 · EPSS 38th2026-07-02 - CVE-2026-13311
shell-quote parse() is quadratic in token count, enabling denial of service
High · CVSS 8.7 · EPSS 28th2026-06-25 - CVE-2026-54892
Plug: quadratic-time decoding of nested query/body parameters enables denial of service
High · CVSS 8.7 · EPSS 49th2026-06-23 - CVE-2026-43967
Quadratic fragment-name uniqueness check causes denial of service in absinthe
High · CVSS 8.7 · EPSS 46th2026-05-08 - CVE-2026-34573
Parse Server: GraphQL complexity validator exponential fragment traversal DoS
High · CVSS 8.2 · EPSS 37th2026-03-31 - CVE-2026-56669
Elysia: Inefficient Algorithmic Complexity and Interpretation Conflict
High · CVSS 7.5 · EPSS 28th2026-07-08 - CVE-2026-59928
Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
High · CVSS 7.5 · EPSS 29th2026-07-08 - CVE-2026-59925
inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
High · CVSS 7.5 · EPSS 28th2026-07-08
Showing 12 of 90 recorded CWE-407 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-407 vulnerabilitiesCommon consequences
What can happen when CWE-407 is exploited.
DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
Affects: Availability
The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example attempts to check if an input string is a "sentence" [REF-1164].
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-32617 — C++ library for image metadata has "quadratic complexity" issue with unnecessarily repetitive parsing each time an invalid character is encountered
- CVE-2020-10735 — Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
- CVE-2020-5243 — server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
- CVE-2014-1474 — Perl-based email address parser has "quadratic complexity" issue via a string that does not contain a valid address
- CVE-2003-0244 — CPU consumption via inputs that cause many hash table collisions.
- CVE-2003-0364 — CPU consumption via inputs that cause many hash table collisions.
- CVE-2002-1203 — Product performs unnecessary processing before dropping an invalid packet.
- CVE-2001-1501 — CPU and memory consumption using many wildcards.
- CVE-2004-2527 — Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
- CVE-2006-6931 — Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack."
- CVE-2006-3380 — Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
- CVE-2006-3379 — Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
- CVE-2005-2506 — OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
- CVE-2005-1792 — Memory leak by performing actions faster than the software can clear them.
Terminology & mappings
Alternate terms
- Quadratic Complexity
- Used when the algorithmic complexity is related to the square of the number of inputs (N^2)
Mapped taxonomies
- PLOVER: Algorithmic Complexity
Frequently asked questions
Common questions about CWE-407.
- What is CWE-407?
- An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
- What CVEs are caused by CWE-407?
- 90 recorded CVEs are attributed to CWE-407, including CVE-2026-57480, CVE-2026-55206, CVE-2026-59880.
- What are the consequences of CWE-407?
- Exploiting CWE-407 can lead to: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other).
- Is CWE-407 actively exploited?
- 90 recorded CVEs are caused by CWE-407; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-407) (opens in a new tab)
- CWE-407 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-407
Get alerted the moment a new CWE-407 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.