@voxpelli
Last active March 31, 2026 19:58
This filter documents the specific CWE family of resource exhaustion, uncontrolled iteration/recursion, and algorithmic-complexity weaknesses that are most likely to show up as dependency-driven denial-of-service risks

Dependabot alert filter: resource-exhaustion and algorithmic-complexity CWEs

Filter

cwe:400 cwe:407 cwe:409 cwe:674 cwe:770 cwe:772 cwe:775 cwe:776 cwe:789 cwe:834 cwe:835 cwe:1333

What this filter is trying to capture

This Dependabot alert filter clusters CWEs that are primarily associated with availability risk, especially:

  • uncontrolled resource consumption
  • CPU or memory exhaustion
  • runaway recursion or looping
  • allocation without limits or throttling
  • algorithmic-complexity attacks such as ReDoS and decompression/data amplification

In short: this filter is a practical way to focus on vulnerabilities that can cause denial of service through excessive work or excessive resource usage.

CWE breakdown

| CWE | Name | Why it belongs in this filter |
| --- | --- | --- |
| CWE-400 | Uncontrolled Resource Consumption | Core resource-exhaustion weakness; directly covers CPU, memory, file descriptors, and other exhausted resources. |
| CWE-407 | Inefficient Algorithmic Complexity | Captures cases where attacker-controlled input triggers disproportionately expensive processing. |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | Covers decompression/amplification scenarios where small inputs expand into costly resource usage. |
| CWE-674 | Uncontrolled Recursion | Recursive processing without effective limits can exhaust stack, CPU, or memory. |
| CWE-770 | Allocation of Resources Without Limits or Throttling | Covers systems that allocate work, connections, objects, or memory without meaningful guardrails. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | General resource leak pattern that can eventually lead to exhaustion. |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | Specific leak class for handles/file descriptors; often causes service degradation or failure under load. |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) | Classic XML entity expansion / "billion laughs"-style resource exhaustion. |
| CWE-789 | Memory Allocation with Excessive Size Value | Large attacker-influenced allocation requests can produce out-of-memory conditions or severe memory pressure. |
| CWE-834 | Excessive Iteration | Excessive looping, even if not technically infinite, can still consume enough CPU or memory to degrade availability. |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | Infinite or effectively non-terminating loops directly threaten availability. |
| CWE-1333 | Inefficient Regular Expression Complexity | Regex backtracking / ReDoS class; attacker input causes pathological CPU usage. |

How to interpret the filter operationally

This filter is best viewed as a DoS / availability-risk filter, not a general security filter.

It is especially useful when you want to identify dependencies that may be vulnerable to:

  • ReDoS-style attacks
  • XML expansion attacks
  • decompression bombs or data amplification
  • excessive allocation from attacker-controlled sizes
  • infinite loops or excessive iteration
  • uncontrolled recursion
  • leaks that exhaust finite operating-system resources
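As an added example (not part of the gist), the Node.js script below builds the filter string from the CWE set above and applies the same filter offline to alerts shaped like the GitHub REST API response of `GET /repos/{owner}/{repo}/dependabot/alerts`, which exposes `security_advisory.cwes` per alert. The alert objects and package names are constructed sample data, not real advisories.

```javascript
// Added example: build the gist's Dependabot filter string from the CWE set and
// classify alerts shaped like GET /repos/{owner}/{repo}/dependabot/alerts, where
// each alert carries security_advisory.cwes = [{ cwe_id: 'CWE-400', name: '...' }].
const DOS_CWES = new Map([
  ['CWE-400', 'uncontrolled resource consumption'],
  ['CWE-407', 'algorithmic complexity'],
  ['CWE-409', 'decompression bomb / data amplification'],
  ['CWE-674', 'uncontrolled recursion'],
  ['CWE-770', 'allocation without limits or throttling'],
  ['CWE-772', 'resource leak'],
  ['CWE-775', 'file descriptor / handle leak'],
  ['CWE-776', 'XML entity expansion'],
  ['CWE-789', 'excessive allocation size'],
  ['CWE-834', 'excessive iteration'],
  ['CWE-835', 'infinite loop'],
  ['CWE-1333', 'ReDoS'],
]);

// Same query string the gist pastes into the Dependabot alerts search box.
function buildFilter(cwes = DOS_CWES) {
  return [...cwes.keys()].map((id) => `cwe:${id.slice(4)}`).join(' ');
}

// Availability-risk categories an alert falls into; [] when it is outside the filter.
function dosCategories(alert) {
  const cwes = alert.security_advisory?.cwes ?? [];
  return cwes.filter((c) => DOS_CWES.has(c.cwe_id)).map((c) => DOS_CWES.get(c.cwe_id));
}

// Open alerts inside the filter, highest advisory severity first.
function triage(alerts) {
  const rank = { critical: 0, high: 1, medium: 2, low: 3 };
  return alerts
    .filter((a) => a.state === 'open' && dosCategories(a).length > 0)
    .map((a) => ({ pkg: a.dependency.package.name, severity: a.security_advisory.severity, categories: dosCategories(a) }))
    .sort((x, y) => rank[x.severity] - rank[y.severity]);
}

// Constructed sample alerts (not real advisories), in the API's shape.
const SAMPLE_ALERTS = [
  { state: 'open', dependency: { package: { name: 'sample-regex-lib' } },
    security_advisory: { severity: 'high', cwes: [{ cwe_id: 'CWE-1333', name: 'Inefficient Regular Expression Complexity' }] } },
  { state: 'open', dependency: { package: { name: 'sample-xml-lib' } },
    security_advisory: { severity: 'critical', cwes: [{ cwe_id: 'CWE-776', name: 'XML Entity Expansion' }, { cwe_id: 'CWE-400', name: 'Uncontrolled Resource Consumption' }] } },
  { state: 'open', dependency: { package: { name: 'sample-template-lib' } },
    security_advisory: { severity: 'critical', cwes: [{ cwe_id: 'CWE-79', name: 'Cross-site Scripting' }] } },
  { state: 'dismissed', dependency: { package: { name: 'sample-zip-lib' } },
    security_advisory: { severity: 'medium', cwes: [{ cwe_id: 'CWE-409', name: 'Data Amplification' }] } },
];
console.log(buildFilter(), triage(SAMPLE_ALERTS));
```

The XSS-only alert and the dismissed alert drop out, which is the point of the filter: it isolates the alerts whose impact is availability rather than confidentiality or integrity.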

Why these CWEs belong together

Although the individual CWEs are different, they are closely related in impact and failure mode:

  1. The attacker supplies or influences input.
  2. The dependency performs too much work or holds too many resources.
  3. CPU, memory, stack space, file descriptors, or similar resources are depleted.
  4. The result is degraded performance, hangs, crashes, or denial of service.

That common shape makes the filter useful for triaging the kinds of dependency vulnerabilities most likely to affect service availability.

Practical triage guidance

When an alert matches this filter, useful questions include:

  • Is the vulnerable code reachable from untrusted input?
  • Can an attacker trigger repeated parsing, decompression, regex evaluation, recursion, or allocation?
  • Are there rate limits, request limits, payload-size limits, or timeouts that reduce exploitability?
  • Is the vulnerable behavior CPU-bound, memory-bound, or based on finite OS resources such as handles?
  • Would exploitation only slow the service, or could it crash it entirely?

Source notes

This document is based on MITRE CWE entries extracted from:

  • https://cwe.mitre.org/data/definitions/400.html
  • https://cwe.mitre.org/data/definitions/407.html
  • https://cwe.mitre.org/data/definitions/409.html
  • https://cwe.mitre.org/data/definitions/674.html
  • https://cwe.mitre.org/data/definitions/770.html
  • https://cwe.mitre.org/data/definitions/772.html
  • https://cwe.mitre.org/data/definitions/775.html
  • https://cwe.mitre.org/data/definitions/776.html
  • https://cwe.mitre.org/data/definitions/789.html
  • https://cwe.mitre.org/data/definitions/834.html
  • https://cwe.mitre.org/data/definitions/835.html
  • https://cwe.mitre.org/data/definitions/1333.html

One-line summary

This filter documents the specific CWE family of resource exhaustion, uncontrolled iteration/recursion, and algorithmic-complexity weaknesses that are most likely to show up as dependency-driven denial-of-service risks.
