CWE-799: Improper Control of Interaction Frequency
Also known as: Insufficient anti-automation, Brute force
The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Last updated
Overview
This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.
Real-world CVEs
52 recorded CVEs are caused by CWE-799 (Improper Control of Interaction Frequency). The highest-severity and most recent are shown first. 12 new CWE-799 CVEs have been recorded so far in 2026 (13 in 2025).
- CVE-2025-54321Critical · CVSS 9.8 · EPSS 37th2025-11-18
- CVE-2023-40332
WordPress WP-PostRatings plugin <= 1.91 - Rating limit Bypass vulnerability
Critical · CVSS 9.8 · EPSS 29th2024-06-04 - CVE-2024-48942Critical · CVSS 9.1 · EPSS 37th2024-10-09
- CVE-2024-45788High · CVSS 8.7 · EPSS 39th2024-09-11
- CVE-2024-32943High · CVSS 8.7 · EPSS 38th2024-06-20
- CVE-2024-35246High · CVSS 8.7 · EPSS 38th2024-06-20
- CVE-2025-29998
No Rate Limiting Vulnerability in CAP back office application
High · CVSS 8.2 · EPSS 28th2025-03-13 - CVE-2026-7402
Improper Rate Limiting in MeWare Software's PDKS
High · CVSS 8.1 · EPSS 30th2026-04-30 - CVE-2021-41177
Rate-limits not working on instances without configured memory cache backend
High · CVSS 8.1 · EPSS 71th2021-10-25 - CVE-2024-9199High · CVSS 7.5 · EPSS 24th2024-09-26
- CVE-2023-35621High · CVSS 7.5 · EPSS 82th2023-12-12
- CVE-2021-32705High · CVSS 7.5 · EPSS 75th2021-07-12
Showing 12 of 52 recorded CWE-799 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-799 vulnerabilitiesCommon consequences
What can happen when CWE-799 is exploited.
DoS: Resource Consumption (Other), Bypass Protection Mechanism, Other
Affects: Availability, Access Control, Other
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following code a username and password is read from a socket and an attempt is made to authenticate the username and password. The code will continuously checked the socket for a username and password until it has been authenticated.
Vulnerable example
char username[USERNAME_SIZE];Safe example
int count = 0;This code does not place any restriction on the number of authentication attempts made. There should be a limit on the number of authentication attempts made to prevent brute force attacks as in the following example code.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-50653 — Chain: e-commerce product has a "front-end restriction" for coupon use (CWE-602), but the server does not restrict the number of requests for the same coupon (CWE-799)
- CVE-2002-1876 — Mail server allows attackers to prevent other users from accessing mail by sending large number of rapid requests.
Terminology & mappings
Alternate terms
- Insufficient anti-automation
- The term "insufficient anti-automation" focuses primarly on non-human actors such as viruses or bots, but the scope of this CWE entry is broader.
- Brute force
- Vulnerabilities that can be targeted using brute force attacks are often symptomatic of this weakness.
Mapped taxonomies
- WASC: Insufficient Anti-Automation (21)
Frequently asked questions
Common questions about CWE-799.
- What is CWE-799?
- The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
- What CVEs are caused by CWE-799?
- 52 recorded CVEs are attributed to CWE-799, including CVE-2025-54321, CVE-2023-40332, CVE-2024-48942.
- What are the consequences of CWE-799?
- Exploiting CWE-799 can lead to: DoS: Resource Consumption (Other), Bypass Protection Mechanism, Other.
- Is CWE-799 actively exploited?
- 52 recorded CVEs are caused by CWE-799; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-799) (opens in a new tab)
- CWE-799 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-799
Get alerted the moment a new CWE-799 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.