LIVE NEWSROOM · --:-- · May 24, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-770

CWE-770

Allocation of Resources Without Limits or Throttling

Base EXPLOIT LIKELIHOOD: HIGH

What it is

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Impact

AvailabilityDoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)

Mitigations

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
  • [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected
  • [Implementation]Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.When performing input validation, consider all potentially relevant properties, including length, type of input, the full r
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • [Architecture and Design]Mitigation of resource exhaustion attacks requires that the target system either:- recognizes the attack and denies that user further access for a given amount of time, typically by using increasing time delays- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.The first of these solutions is an issue in
  • [Architecture and Design] Ensure that protocols have specific limits of scale placed on them.
  • [Architecture and Design, Implementation]If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could sen

Real-world CVE examples

  • CVE-2019-19911 — Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory cons
  • CVE-2009-4017 — Language interpreter does not restrict the number of temporary files being created when handling a MIME request with a large number of parts..
  • CVE-2009-2726 — Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
  • CVE-2009-2540 — Large integer value for a length property in an object causes a large amount of memory allocation.
  • CVE-2009-2054 — Product allows exhaustion of file descriptors when processing a large number of TCP packets.
  • CVE-2008-5180 — Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created.
  • CVE-2008-1700 — Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window.
  • CVE-2005-4650 — CMS does not restrict the number of searches that can occur simultaneously, leading to resource exhaustion.
  • CVE-2020-15100 — web application scanner attempts to read an excessively large file created by a user, causing process termination
  • CVE-2020-7218 — Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top