CWE-405

Asymmetric Resource Consumption (Amplification)

Abstraction: Class

What it is

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.

Impact

Availability: DoS: Amplification; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)

Mitigations

  • [Architecture and Design] An application must make resources available to a client commensurate with the client's access level.
  • [Architecture and Design] An application must, at all times, keep track of allocated resources and meter their usage appropriately.
  • [System Configuration] Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
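The first two mitigations above amount to metering: every request is charged by the work it causes, and the budget a client may spend is set by its access level, so no tier can trigger more server work than it is entitled to. The following Python is an added example illustrating that pattern; it is not code from MITRE or from any product. The tier names, budgets and per-operation costs are constructed placeholders, and the amplification bound is a defender-chosen policy value, not a figure from the CWE entry.

```python
"""Cost-weighted resource metering per client access level (added example).

A token bucket per client is refilled at a rate fixed by the client's tier
and drained by the estimated cost of each operation. Requests whose cost
exceeds the available budget are refused instead of being queued, so a
low-privilege client cannot amplify a cheap request into expensive work.
"""
from dataclasses import dataclass
import time

# Hypothetical budgets: (work units replenished per second, maximum burst).
TIER_LIMITS = {
    "anonymous": (10.0, 20.0),
    "authenticated": (100.0, 200.0),
    "admin": (1000.0, 2000.0),
}

# Hypothetical per-operation cost, scaled to estimated server-side work.
OP_COST = {
    "ping": 1.0,
    "search": 5.0,
    "export": 50.0,
}

# Hypothetical policy: largest response-to-request byte ratio permitted for a
# client that has not proven authorization (the classic amplification vector).
MAX_UNAUTH_AMPLIFICATION = 4.0


@dataclass
class Bucket:
    rate: float       # work units refilled per second
    capacity: float   # maximum stored work units (burst)
    tokens: float     # currently available work units
    updated: float    # clock reading at the last refill


class ResourceMeter:
    """Tracks allocated work per client and admits requests against a tier budget."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so tests can be deterministic
        self._buckets: dict[str, Bucket] = {}

    def _bucket(self, client_id: str, tier: str) -> Bucket:
        now = self._clock()
        b = self._buckets.get(client_id)
        if b is None:
            rate, cap = TIER_LIMITS[tier]
            b = Bucket(rate, cap, cap, now)   # a new client starts with a full burst
            self._buckets[client_id] = b
        else:
            elapsed = now - b.updated
            b.tokens = min(b.capacity, b.tokens + elapsed * b.rate)
            b.updated = now
        return b

    def admit(self, client_id: str, tier: str, op: str, units: int = 1) -> bool:
        """Charge `units` of operation `op`; return False if the budget cannot cover it."""
        cost = OP_COST[op] * units
        b = self._bucket(client_id, tier)
        if cost > b.capacity:
            return False          # operation never fits this tier, regardless of waiting
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False


def response_permitted(tier: str, request_bytes: int, response_bytes: int) -> bool:
    """Bound the amplification factor for clients that have not proven authorization."""
    if tier != "anonymous":
        return True
    return response_bytes <= request_bytes * MAX_UNAUTH_AMPLIFICATION


if __name__ == "__main__":
    meter = ResourceMeter()
    # An anonymous client cannot run an export at all, and can run only a
    # handful of searches before it must wait for its budget to refill.
    print("anonymous export:", meter.admit("c1", "anonymous", "export"))
    print("anonymous searches:", [meter.admit("c1", "anonymous", "search") for _ in range(5)])
    print("authenticated export:", meter.admit("c2", "authenticated", "export"))
    print("60-byte request, 1000-byte reply, anonymous:", response_permitted("anonymous", 60, 1000))
```

The injectable clock is what makes the meter testable without sleeping; in production the default `time.monotonic` is used. Refusing, rather than queueing, a request that exceeds the budget is deliberate: a queue is itself a resource an adversary can fill.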

Real-world CVE examples

  • CVE-1999-0513 — Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
  • CVE-2003-1564 — Parsing library allows XML bomb
  • CVE-2004-2458 — Tool creates directories before authenticating user.
  • CVE-2020-10735 — Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
  • CVE-2020-5243 — server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
  • CVE-2013-5211 — composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
  • CVE-2002-20001 — Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, u
  • CVE-2022-40735 — The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with parti

Related weaknesses

Source: MITRE CWE. View on cwe.mitre.org →