CWE-405 Class Incomplete

Asymmetric Resource Consumption (Amplification)

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The…

Definition

What is CWE-405?

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.

This flaw often leads to performance degradation or denial-of-service through resource 'amplification,' where resource use scales non-linearly. A small, malicious request can force the system to perform complex computations, generate massive data outputs, or spawn excessive processes, overwhelming its capacity. This risk is significantly higher if access controls are weak, allowing low-privilege users or external attackers to consume resources far beyond their intended limits. To prevent this, developers must design systems where the cost of triggering an operation is proportional to the resources consumed, and enforce strict quotas and authorization checks at all access levels.

Auswirkungen in der Praxis

Real-world CVEs caused by CWE-405

CVE-1999-0513

Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
CVE-2003-1564

Parsing library allows XML bomb
CVE-2004-2458

Tool creates directories before authenticating user.
CVE-2020-10735

Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243

server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2013-5211

composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
CVE-2002-20001

Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
CVE-2022-40735

The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

1
This code listens on a port for DNS requests and sends the result to the requesting address.
2
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
3
This function prints the contents of a specified file requested by a user.
4
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
5
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Verwundbares Codebeispiel

Vulnerable Python

This code listens on a port for DNS requests and sends the result to the requesting address.

Verwundbar Python

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind( (UDP_IP,UDP_PORT) )
  while true:
  		data = sock.recvfrom(1024)
  		if not data:
  			break
  		(requestIP, nameToResolve) = parseUDPpacket(data)
  		record = resolveName(nameToResolve)
  		sendResponse(requestIP,record)

Angreifer-Payload

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Angreifer-Payload XML

<?xml version="1.0"?>
  <!DOCTYPE MaliciousDTD [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
  ...
  <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
  ]>
  <data>&THIRTYTWO;</data>

Sicheres Codebeispiel

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Sicher JavaScript

var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Präventions-Checkliste

How to prevent CWE-405

Architecture and Design An application must make resources available to a client commensurate with the client's access level.
Architecture and Design An application must, at all times, keep track of allocated resources and meter their usage appropriately.
System Configuration Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.

Erkennungssignale

How to detect CWE-405

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-405 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen

Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-405?

Wie gravierend ist CWE-405?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-405 betroffen?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific, Client Server.

Wie kann ich CWE-405 verhindern?

An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately.

Wie erkennt und behebt Plexicus CWE-405?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-405 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-405?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/405.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-405

CWE-400 Parent

Uncontrolled Resource Consumption

This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a…

CWE-1235 Sibling

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections,…

CWE-1246 Sibling

Improper Write Handling in Limited-write Non-Volatile Memories

This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as…

CWE-770 Sibling

Allocation of Resources Without Limits or Throttling

This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…

CWE-771 Sibling

Missing Reference to Active Allocated Resource

This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system…

CWE-779 Sibling

Logging of Excessive Data

This vulnerability occurs when an application records more information than necessary in its logs, making log files difficult to analyze…

CWE-920 Sibling

Improper Restriction of Power Consumption

This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to…

CWE-1050 Child

Excessive Platform Resource Consumption within a Loop

This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database…

CWE-1072 Child

Data Resource Access without Use of Connection Pooling

This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool.…

Ressourcen

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen