Abstraction: Base · Status: Incomplete

CWE-770: Allocation of Resources Without Limits or Throttling

Category: logic

Description

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Common consequences · 1

  • Availability — DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other)
    When allocating resources without limits, an attacker could prevent other systems, applications, or processes from accessing the same type of resource. It can be easy for an attacker to consume many resources by rapidly making many requests or causing larger resources to be used than is needed.

Potential mitigations · 5

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.
  • [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place, and it will help the administrator to identify who is committing the abuse. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
  • [Implementation]
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
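The mitigations above (a hard cap on allocation size, per-user resource limits, and request-rate throttling) can be shown in one small request handler. This is an added example, not code from the CWE entry: the function and class names (read_body_unbounded, read_body_bounded, SlidingWindowRateLimiter, BoundedResourcePool, handle_request) and the limit values are assumptions chosen for illustration. The weak form trusts a client-declared length and allocates it up front; the hardened form checks the declared length against a server-side cap before allocating, and the handler additionally enforces a per-user quota and a sliding-window rate limit.

```python
"""Bounded allocation and throttling for a request handler (added example, names assumed)."""
import io
import time
from collections import defaultdict, deque

# Deployment limits a server would set per the CWE-770 mitigations (assumed values).
MAX_BODY_BYTES = 64 * 1024    # largest single allocation made for one request
PER_USER_OPEN_LIMIT = 3       # resources one user may hold at the same time
RATE_LIMIT = 5                # requests per WINDOW_SECONDS per user
WINDOW_SECONDS = 60.0


class LimitExceeded(Exception):
    """A request would exceed a configured resource limit."""


class SlidingWindowRateLimiter:
    """Per-user throttle: at most `limit` requests within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock  # clock is injectable
        self._events = defaultdict(deque)

    def allow(self, user):
        now = self.clock()
        q = self._events[user]
        while q and now - q[0] >= self.window:   # forget requests older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class BoundedResourcePool:
    """Counts resources held per user and refuses to exceed a per-user cap."""

    def __init__(self, per_user_limit):
        self.per_user_limit = per_user_limit
        self._held = defaultdict(int)

    def acquire(self, user):
        if self._held[user] >= self.per_user_limit:
            raise LimitExceeded(f"{user} already holds {self.per_user_limit} resources")
        self._held[user] += 1

    def release(self, user):
        if self._held[user] > 0:
            self._held[user] -= 1

    def held_by(self, user):
        return self._held[user]


def read_body_unbounded(declared_len, stream):
    """Weak form (CWE-770): allocates whatever length the client declared, before any data arrives."""
    buf = bytearray(declared_len)          # attacker-controlled size, no upper bound
    data = stream.read(declared_len)
    buf[:len(data)] = data
    return bytes(buf[:len(data)])


def read_body_bounded(declared_len, stream):
    """Hardened form: validate the declared length against a server-side cap before allocating."""
    if declared_len < 0 or declared_len > MAX_BODY_BYTES:
        raise LimitExceeded(f"declared body length {declared_len} exceeds {MAX_BODY_BYTES}")
    data = stream.read(declared_len)       # read(n) returns at most n bytes, so nothing larger is buffered
    if len(data) != declared_len:
        raise ValueError("body shorter than declared length")
    return data


def handle_request(user, declared_len, body, limiter, pool):
    """Apply rate limit, per-user quota and size cap in that order; return the outcome."""
    if not limiter.allow(user):
        return "throttled"
    try:
        pool.acquire(user)
    except LimitExceeded:
        return "quota_exceeded"
    try:
        read_body_bounded(declared_len, io.BytesIO(body))
    except LimitExceeded:
        pool.release(user)                 # give the slot back on rejection
        return "too_large"
    return "accepted"                      # caller releases the pooled resource when done


class FakeClock:
    """Deterministic clock so the window expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed request sequence for one user; returns the outcome of each request."""
    clock = FakeClock()
    limiter = SlidingWindowRateLimiter(RATE_LIMIT, WINDOW_SECONDS, clock=clock.now)
    pool = BoundedResourcePool(PER_USER_OPEN_LIMIT)
    small = b"x" * 16
    outcomes = [
        handle_request("alice", 16, small, limiter, pool),                  # accepted, holds 1
        handle_request("alice", MAX_BODY_BYTES + 1, b"", limiter, pool),    # too_large, slot released
        handle_request("alice", 16, small, limiter, pool),                  # accepted, holds 2
        handle_request("alice", 16, small, limiter, pool),                  # accepted, holds 3
        handle_request("alice", 16, small, limiter, pool),                  # quota_exceeded
        handle_request("alice", 16, small, limiter, pool),                  # throttled (6th in window)
    ]
    clock.advance(WINDOW_SECONDS)          # window expires
    pool.release("alice")                  # user finishes with one resource
    outcomes.append(handle_request("alice", 16, small, limiter, pool))     # accepted again
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Ordering matters: the rate limiter runs first because it is the cheapest check and rejects floods before any allocation is considered; the size cap is checked against the declared length before a buffer is created, so an oversized declaration costs the server nothing beyond the comparison.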

Related CAPEC attack patterns · 20

CAPEC-125, CAPEC-130, CAPEC-147, CAPEC-197, CAPEC-229, CAPEC-230, CAPEC-231, CAPEC-469, CAPEC-482, CAPEC-486, CAPEC-487, CAPEC-488, CAPEC-489, CAPEC-490, CAPEC-491, CAPEC-493, CAPEC-494, CAPEC-495, CAPEC-496, CAPEC-528

References

  1. https://cwe.mitre.org/data/definitions/770.html

Exploits (incoming) · 20

Type           Target                                 ID         Confidence  Tier
AttackPattern  Serialized Data with Nested Payloads   capec-230  100%        live
AttackPattern  ICMP Fragmentation                     capec-496  100%        live
AttackPattern  XML Flood                              capec-528  100%        live
AttackPattern  TCP Flood                              capec-482  100%        live
AttackPattern  Oversized Serialized Data Payloads     capec-231  100%        live
AttackPattern  XML Ping of the Death                  capec-147  100%        live
AttackPattern  HTTP DoS                               capec-469  100%        live
AttackPattern  TCP Fragmentation                      capec-494  100%        live
AttackPattern  UDP Fragmentation                      capec-495  100%        live
AttackPattern  Serialized Data Parameter Blowup       capec-229  100%        live
AttackPattern  UDP Flood                              capec-486  100%        live
AttackPattern  HTTP Flood                             capec-488  100%        live
AttackPattern  Flooding                               capec-125  100%        live
AttackPattern  ICMP Flood                             capec-487  100%        live
AttackPattern  Exponential Data Expansion             capec-197  100%        live
AttackPattern  Amplification                          capec-490  100%        live
AttackPattern  SSL Flood                              capec-489  100%        live
AttackPattern  Excessive Allocation                   capec-130  100%        live
AttackPattern  SOAP Array Blowup                      capec-493  100%        live
AttackPattern  Quadratic Data Expansion               capec-491  100%        live

Compliance frameworks addressing this (incoming) · 2

Type               Target                  Confidence  Tier
ComplianceControl  owasp_llm_top10-llm10   100%        live
ComplianceControl  owasp_api_top10-api04   100%        live

Vulnerabilities (incoming) · 12

Type           Target          ID              Confidence  Tier
Vulnerability  CVE-2025-11832  cve-2025-11832  0%          live
Vulnerability  CVE-2025-14341  cve-2025-14341  0%          live
Vulnerability  CVE-2025-53628  cve-2025-53628  0%          live
Vulnerability  CVE-2025-68456  cve-2025-68456  0%          live
Vulnerability  CVE-2025-7070   cve-2025-7070   0%          live
Vulnerability  CVE-2026-20103  cve-2026-20103  0%          live
Vulnerability  CVE-2026-25804  cve-2026-25804  0%          live
Vulnerability  CVE-2026-31283  cve-2026-31283  0%          live
Vulnerability  CVE-2026-35457  cve-2026-35457  0%          live
Vulnerability  CVE-2026-40104  cve-2026-40104  0%          live
Vulnerability  CVE-2026-40498  cve-2026-40498  0%          live
Vulnerability  CVE-2026-41309  cve-2026-41309  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Uncontrolled Resource Consumption
  • CWE: Exposure of Resource to Wrong Sphere
  • CWE: Operation on a Resource after Expiration or Release
  • CWE: Improper Resource Shutdown or Release
  • CWE: Incorrect Ownership Assignment
  • CWE: Missing Release of Resource after Effective Lifetime

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.