CWE-770 2021 CVEs MITRE definition ↗

CWE-770: Allocation of Resources Without Limits or Throttling

Overview

CWE-770 (Allocation of Resources Without Limits or Throttling) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact
Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Applicable platforms

Kind Name Class Prevalence OS / CPE
language Not Language-Specific Often
technology Not Technology-Specific Undetermined

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE Published Summary
CVE-2025-71396 2026-07-18 SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitl…
CVE-2026-54490 2026-07-17 websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.7.5, if this library is used with the permessage-deflate extension, a WebSocket server or client can be made to accept m…
CVE-2026-50274 2026-07-17 Datadog dd-trace-go is a Go client library for Datadog application performance monitoring, profiling, and security monitoring. Prior to 2.8.1, Datadog tracing libraries that implement W3C baggage prop…
CVE-2026-50272 2026-07-17 dd-trace is the Datadog APM client for Node.js. Prior to 5.100.0, W3C baggage propagation in packages/dd-trace/src/baggage.js and packages/dd-trace/src/opentracing/propagation/text_map.js parsed incom…
CVE-2026-50271 2026-07-17 Datadog dd-trace-py is the Datadog Python APM client. Prior to 4.8.2, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing DD_TRACE_BA…
CVE-2026-44891 2026-07-17 Netty is a network application framework for development of protocol servers and clients. Prior to 4.1.136.Final and 4.2.16.Final, io.netty.handler.codec.stomp.StompSubframeDecoder fails to limit the …
CVE-2026-55254 2026-07-17 NCalc is a fast, lightweight expression evaluator for .NET. Prior to 6.1.1, the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs permits specially crafted expressions with ext…
CVE-2026-54465 2026-07-17 websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, when websocket-driver is used to implement a WebSocket server on top of a TCP server using WebSocket::Driver.server…
CVE-2026-54464 2026-07-17 ### Impact If this library is used in tandem with the `permessage-deflate` extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message s…
CVE-2026-54463 2026-07-17 websocket-driver is a WebSocket protocol handler with pluggable I/O. Prior to 0.8.1, draft versions of the WebSocket protocol in websocket-driver include a length header that allows an arbitrarily lar…
CVE-2026-48504 2026-07-17 OpenTelemetry Rust is the Rust OpenTelemetry implementation. In 0.32.0 and earlier, BaggagePropagator::extract_with_context in opentelemetry_sdk did not enforce W3C Baggage size limits before parsing …
CVE-2026-49835 2026-07-17 Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Meth…
CVE-2026-48045 2026-07-17 Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.12, AsyncListener.handle_query_or_defer retained every truncated TC-bit incoming query, each up to _MAX_MSG_…
CVE-2026-47184 2026-07-17 Zeroconf is a pure Python implementation of multicast DNS service discovery. Prior to 0.149.7, DNSCache._async_add inserted every response record into cache, _expirations, _expire_heap, and service_ca…
CVE-2026-50273 2026-07-17 Datadog .NET Tracer is a client library for Datadog APM for .NET applications. Prior to 3.43.0, Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers wit…
CVE-2026-49209 2026-07-17 Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::__invoke() iterates over the client-supplied actions arr…
CVE-2026-15007 2026-07-17 A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file c…
CVE-2026-62210 2026-07-16 OpenClaw versions before 2026.6.1 contain a denial of service vulnerability where remote media URLs can trigger slow-read attacks that exhaust gateway worker resources. Attackers with access to config…
CVE-2026-54340 2026-07-16 h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris…
CVE-2026-44453 2026-07-16 h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving …

Content submission

Name
CWE Content Team
Organization
MITRE
Date
2009-05-13
Version
1.4

Content modifications

Date Name Version Importance Comment
2009-07-27 CWE Content Team 1.5 updated Related_Attack_Patterns
2009-10-29 CWE Content Team 1.6 updated Relationships
2009-12-28 CWE Content Team 1.7 updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Observed_Examples, References, Time_of_Introduction
2010-02-16 CWE Content Team 1.8 updated Common_Consequences, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
2010-04-05 CWE Content Team 1.8.1 updated Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns
2010-06-21 CWE Content Team 1.9 updated Common_Consequences, Potential_Mitigations, References
2010-09-27 CWE Content Team 1.10 updated Demonstrative_Examples, Potential_Mitigations
2011-03-29 CWE Content Team 1.12 updated Demonstrative_Examples, Detection_Factors, Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27 CWE Content Team 2.0 updated Relationships
2011-09-13 CWE Content Team 2.1 updated Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-02-18 CWE Content Team 2.6 updated Related_Attack_Patterns
2014-06-23 CWE Content Team 2.7 updated Related_Attack_Patterns
2014-07-30 CWE Content Team 2.8 updated Relationships
2015-12-07 CWE Content Team 2.9 updated Related_Attack_Patterns
2017-05-03 CWE Content Team 2.11 updated Related_Attack_Patterns
2017-11-08 CWE Content Team 3.0 updated Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
2018-03-27 CWE Content Team 3.1 updated References
2019-01-03 CWE Content Team 3.2 updated Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
2019-06-20 CWE Content Team 3.3 updated Related_Attack_Patterns, Relationships
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Related_Attack_Patterns, Relationships
2020-06-25 CWE Content Team 4.1 updated Applicable_Platforms, Description, Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships
2020-12-10 CWE Content Team 4.3 updated Relationships
2021-07-20 CWE Content Team 4.5 updated Observed_Examples
2022-10-13 CWE Content Team 4.9 updated Observed_Examples, References
2023-01-31 CWE Content Team 4.10 updated Description, Detection_Factors
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2024-02-29 CWE Content Team 4.14 updated Taxonomy_Mappings
2025-09-09 CWE Content Team 4.18 updated Common_Consequences, Description, Diagram, Observed_Examples, Potential_Mitigations, References
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities

Contributions

Type Name Date Comment
Content participants in the CWE ICS/OT SIG 62443 Mapping Fall Workshop 2023-11-14 Contributed or reviewed taxonomy mappings for ISA/IEC 62443
cvelogic Threat Intelligence