CWE-400 Class Draft High likelihood

Uncontrolled Resource Consumption

This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service.

Definition

What is CWE-400?

This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service.

Uncontrolled resource consumption, often called resource exhaustion, happens when an application doesn't enforce limits on how much of a critical resource it uses. Attackers can exploit this by triggering operations that consume excessive memory, CPU, file handles, or network connections, leading to slowdowns or crashes that deny service to legitimate users. Common causes include unbounded loops, lack of upload size limits, or caches that never expire. Preventing these issues requires implementing quotas, timeouts, and rate limiting, and carefully managing object lifecycles. While SAST tools can detect risky patterns, managing this at scale is difficult; an ASPM like Plexicus can help you track and remediate these flaws across your entire stack, using AI to prioritize the most critical resource exhaustion risks in your code and infrastructure.

Vulnerability Diagram CWE-400

Real-world impact

Real-world CVEs caused by CWE-400

CVE-2019-19911

Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190).
CVE-2020-7218

Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service
CVE-2020-3566

Resource exhaustion in distributed OS because of "insufficient" IGMP queue management, as exploited in the wild per CISA KEV.
CVE-2009-2874

Product allows attackers to cause a crash via a large number of connections.
CVE-2009-1928

Malformed request triggers uncontrolled recursion, leading to stack exhaustion.
CVE-2009-2858

Chain: memory leak (CWE-404) leads to resource exhaustion.
CVE-2009-2726

Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption.
CVE-2009-2540

Large integer value for a length property in an object causes a large amount of memory allocation.

How attackers exploit it

Step-by-step attacker path

1
The following example demonstrates the weakness.
2
There are no limits to runnables. Potentially an attacker could cause resource problems very quickly.
3
This code allocates a socket and forks each time it receives a new connection.
4
The program does not track how many connections have been made, and it does not limit the number of connections. Because forking is a relatively expensive operation, an attacker would be able to cause the system to run out of CPU, processes, or memory by making a large number of connections. Alternatively, an attacker could consume all available connections, preventing others from accessing the system remotely.
5
In the following example a server socket connection is used to accept a request to store data on the local file system using a specified filename. The method openSocketConnection establishes a server socket to accept requests from a client. When a client establishes a connection to this service the getNextMessage method is first used to retrieve from the socket the name of the file to store the data, the openFileToWrite method will validate the filename and open a file to write to on the local file system. The getNextMessage is then used within a while loop to continuously read data from the socket and output the data to the file until there is no longer any data from the socket.

Vulnerable code example

Vulnerable Java

The following example demonstrates the weakness.

Vulnerable Java

class Worker implements Executor {
  		...
  		public void execute(Runnable r) {
  				try {
  					...
  				}
  				catch (InterruptedException ie) {
```
// postpone response* 
  						Thread.currentThread().interrupt();}}
  		
  		public Worker(Channel ch, int nworkers) {
  		```
  			...
  		}
  		protected void activate() {
  				Runnable loop = new Runnable() {
  						public void run() {
  								try {
  									for (;;) {
  										Runnable r = ...;
  										r.run();
  									}
  								}
  								catch (InterruptedException ie) {
  									...
  								}
  						}
  				};
  				new Thread(loop).start();
  		}
  }

Secure code example

Secure C

Also, consider changing the type from 'int' to 'unsigned int', so that you are always guaranteed that the number is positive. This might not be possible if the protocol specifically requires allowing negative values, or if you cannot control the return value from getMessageLength(), but it could simplify the check to ensure the input is positive, and eliminate other errors such as signed-to-unsigned conversion errors (CWE-195) that may occur elsewhere in the code.

Secure C

unsigned int length = getMessageLength(message[0]);
  if ((length > 0) && (length < MAX_LENGTH)) {...}

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-400

Architecture and Design Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Architecture and Design Mitigation of resource exhaustion attacks requires that the target system either: - recognizes the attack and denies that user further access for a given amount of time, or - uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Architecture and Design Ensure that protocols have specific limits of scale placed on them.
Implementation Ensure that all failures in resource allocation place the system into a safe posture.

Detection signals

How to detect CWE-400

Automated Static Analysis Limited

Automated static analysis typically has limited utility in recognizing resource exhaustion problems, except for program-independent system resources such as files, sockets, and processes. For system resources, automated static analysis may be able to detect circumstances in which resources are not released after they have expired. Automated analysis of configuration files may be able to detect settings that do not specify a maximum value. Automated static analysis tools will not be appropriate for detecting exhaustion of custom resources, such as an intended security policy in which a bulletin board user is only allowed to make a limited number of posts per day.

Automated Dynamic Analysis Moderate

Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the product within a short time frame.

Fuzzing Opportunistic

While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted product in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause.

Plexicus auto-fix

Plexicus auto-detects CWE-400 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-400?

This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a denial of service.

How serious is CWE-400?

MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.

What languages or platforms are affected by CWE-400?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-400?

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the…

How does Plexicus detect and fix CWE-400?

Plexicus's SAST engine matches the data-flow signature for CWE-400 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-400?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/400.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-400

CWE-664 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Uncontrolled Resource Consumption

What is CWE-400?

Real-world CVEs caused by CWE-400

Step-by-step attacker path

Vulnerable Java

Secure C

How to prevent CWE-400

How to detect CWE-400

Plexicus auto-detects CWE-400 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-400

Improper Control of a Resource Through its Lifetime

Incorrect Access of Indexable Resource ('Range Error')

Creation of Emergent Resource

Improper Preservation of Consistency Between Independent Representations of Shared State

Reliance on Component That is Not Updateable

Information Loss or Omission

Incomplete Internal State Distinction

Improper Resource Shutdown or Release

Insufficient Resource Pool

Further reading

Don't Let Security
Weigh You Down.

Uncontrolled Resource Consumption

What is CWE-400?

Real-world CVEs caused by CWE-400

Step-by-step attacker path

Vulnerable Java

Secure C

How to prevent CWE-400

How to detect CWE-400

Plexicus auto-detects CWE-400 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-400

Improper Control of a Resource Through its Lifetime

Incorrect Access of Indexable Resource ('Range Error')

Creation of Emergent Resource

Improper Preservation of Consistency Between Independent Representations of Shared State

Reliance on Component That is Not Updateable

Information Loss or Omission

Incomplete Internal State Distinction

Improper Resource Shutdown or Release

Insufficient Resource Pool

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.