CWE-405 Class Incomplete

Asymmetric Resource Consumption (Amplification)

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The…

Definition

What is CWE-405?

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.

This flaw often leads to performance degradation or denial-of-service through resource 'amplification,' where resource use scales non-linearly. A small, malicious request can force the system to perform complex computations, generate massive data outputs, or spawn excessive processes, overwhelming its capacity. This risk is significantly higher if access controls are weak, allowing low-privilege users or external attackers to consume resources far beyond their intended limits. To prevent this, developers must design systems where the cost of triggering an operation is proportional to the resources consumed, and enforce strict quotas and authorization checks at all access levels.

Real-world impact

Real-world CVEs caused by CWE-405

CVE-1999-0513

Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
CVE-2003-1564

Parsing library allows XML bomb
CVE-2004-2458

Tool creates directories before authenticating user.
CVE-2020-10735

Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243

server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2013-5211

composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
CVE-2002-20001

Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
CVE-2022-40735

The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.

How attackers exploit it

Step-by-step attacker path

1
This code listens on a port for DNS requests and sends the result to the requesting address.
2
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
3
This function prints the contents of a specified file requested by a user.
4
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
5
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Vulnerable code example

Vulnerable Python

This code listens on a port for DNS requests and sends the result to the requesting address.

Vulnerable Python

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind( (UDP_IP,UDP_PORT) )
  while true:
  		data = sock.recvfrom(1024)
  		if not data:
  			break
  		(requestIP, nameToResolve) = parseUDPpacket(data)
  		record = resolveName(nameToResolve)
  		sendResponse(requestIP,record)

Attacker payload

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Attacker payload XML

<?xml version="1.0"?>
  <!DOCTYPE MaliciousDTD [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
  ...
  <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
  ]>
  <data>&THIRTYTWO;</data>

Secure code example

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Secure JavaScript

var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-405

Architecture and Design An application must make resources available to a client commensurate with the client's access level.
Architecture and Design An application must, at all times, keep track of allocated resources and meter their usage appropriately.
System Configuration Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.

Detection signals

How to detect CWE-405

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-405 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-405?

How serious is CWE-405?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-405?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific, Client Server.

How can I prevent CWE-405?

An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately.

How does Plexicus detect and fix CWE-405?

Plexicus's SAST engine matches the data-flow signature for CWE-405 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-405?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/405.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-405

CWE-400 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Get started free Book a demo

Asymmetric Resource Consumption (Amplification)

What is CWE-405?

Real-world CVEs caused by CWE-405

Step-by-step attacker path

Vulnerable Python

Secure JavaScript

How to prevent CWE-405

How to detect CWE-405

Plexicus auto-detects CWE-405 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-405

Uncontrolled Resource Consumption

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

Improper Write Handling in Limited-write Non-Volatile Memories

Allocation of Resources Without Limits or Throttling

Missing Reference to Active Allocated Resource

Logging of Excessive Data

Improper Restriction of Power Consumption

Excessive Platform Resource Consumption within a Loop

Data Resource Access without Use of Connection Pooling

Further reading

Don't Let Security
Weigh You Down.

Asymmetric Resource Consumption (Amplification)

What is CWE-405?

Real-world CVEs caused by CWE-405

Step-by-step attacker path

Vulnerable Python

Secure JavaScript

How to prevent CWE-405

How to detect CWE-405

Plexicus auto-detects CWE-405 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-405

Uncontrolled Resource Consumption

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

Improper Write Handling in Limited-write Non-Volatile Memories

Allocation of Resources Without Limits or Throttling

Missing Reference to Active Allocated Resource

Logging of Excessive Data

Improper Restriction of Power Consumption

Excessive Platform Resource Consumption within a Loop

Data Resource Access without Use of Connection Pooling

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.