CWE-400 Uncontrolled Resource Consumption
Coverage: 15 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3Other-pattern 12 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged code where untrusted input can cause excessive CPU, memory, disk, or network usage (unbounded loops, huge payloads, expensive regex, uncontrolled concurrency).
Why it matters
Resource exhaustion can cause denial of service.
- Availability incidents: slowdowns, timeouts, crashes.
- Cost blowups: high cloud bills from abusive traffic or expensive operations.
- Often exploitable without authentication if the endpoint is public.
Safer examples
1) Enforce request and payload limits
Add max request body sizes, max file sizes, and max list lengths (see INPUT01/02).
2) Add timeouts and backpressure
- Timeouts for external calls and expensive operations
- Concurrency limits / queues for expensive jobs
3) Add rate limits and quotas
Use per-IP/per-user throttling and quotas (see RATE01/02).
How SiteShadow detects it (high level)
- Flags missing size limits around parsing, uploads, and untrusted loops.
- Detects expensive patterns (e.g., catastrophic regex risk, uncontrolled fanout) in request-handling contexts.
References
- CWE-400: https://cwe.mitre.org/data/definitions/400.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.