Detailedlikelihood: Highseverity: MediumDraft

CAPEC-197Exponential Data Expansion

Abstraction
Detailed
Status
Draft
Likelihood
High
Severity
Medium

Description

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.

Related weaknesses· 2

CWE-770CWE-776

Related attack patterns· 1

CAPEC-230 (ChildOf)

Exploits2

TypeTargetConfidenceTier
WeaknessImproper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')cwe-776100%live
WeaknessAllocation of Resources Without Limits or Throttlingcwe-770100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Quadratic Data Expansion
CAPEC
Serialized Data with Nested Payloads
CAPEC
Buffer Overflow via Parameter Expansion
CAPEC
Regular Expression Exponential Blowup
CAPEC
Serialized Data Parameter Blowup
CAPEC
Oversized Serialized Data Payloads
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.