CAPEC-197 · Exponential Data Expansion

Scaner-VSvulnerability catalog · v4.2

Home Catalog Sources CWE CAPEC ATT&CK Mitigations Products Vendors Docs

← Back to List

CAPEC-197DetailedDraft

Abstraction: Detailed

Status: Draft

Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.

Open in catalog with CAPEC filter →

Related CWEs

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Related vulnerabilities

CVE-2025-11832Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access Technology BLU-IC4 allows Flooding.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.

CVE-2026-31283In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a hard control enforced via flag PWRESET_STATUS_ALREADYSENT, and no further password-reset email messages are sent if this flag is active for a specific email address.

CVE-2024-44241The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.

CVE-2023-38507Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

CVE-2023-25156Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.

CVE-2022-3456Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.

CVE-2022-3439Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.

CVE-2022-3273Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.

CVE-2019-19144XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate.

CVE-2019-17067PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal an incoming connection.

CVE-2018-20033A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deallocating memory, loading lmgrd or the vendor daemon and causing the heartbeat between lmgrd and the vendor daemon to stop. This would force the vendor daemon to shut down. No exploit of this vulnerability has been demonstrated.

CVE-2014-2228The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.

CVE-2013-4335opOpenSocialPlugin 0.8.2.1, > 0.9.9.2, 0.9.13, 1.2.6: Multiple XML External Entity Injection Vulnerabilities

CVE-2021-41592Blockstream c-lightning through 0.10.1 allows loss of funds because of dust HTLC exposure.

CVE-2021-41591ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.