CWE · MITRE source
CWE-405Asymmetric Resource Consumption (Amplification)
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (5)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SC-47 | Alternate Communications Paths | SC | Amplification attacks that exhaust the primary path are mitigated by the existence of an independent alternate path for command traffic. |
SC-5 | Denial-of-service Protection | SC | Employs controls that mitigate amplification attacks causing asymmetric resource use. |
SC-6 | Resource Availability | SC | Limits amplification effects by controlling how resources are allocated under high-volume or recursive load. |
CP-7 | Alternate Processing Site | CP | Reduces impact of amplification attacks that overwhelm the primary site by allowing operations to shift to an equivalent alternate site. |
CP-8 | Telecommunications Services | CP | Alternate services reduce the impact of amplification attacks that exhaust primary telecommunications resources. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2019-11479 | 2.3 | 7.5 | 0.1336 | 2019-06-19 |
CVE-2025-53633 | 2.0 | 9.8 | 0.0044 | 2025-07-10 |
CVE-2021-38447 | 1.7 | 8.6 | 0.0010 | 2022-05-05 |
CVE-2024-56200 | 1.7 | 8.6 | 0.0022 | 2024-12-19 |
CVE-2024-11187 | 1.7 | 7.5 | 0.0407 | 2025-01-29 |
CVE-2024-45590 | 1.6 | 7.5 | 0.0154 | 2024-09-10 |
CVE-2025-42874 | 1.6 | 7.9 | 0.0005 | 2025-12-09 |
CVE-2018-15492 | 1.5 | 7.5 | 0.0035 | 2018-08-18 |
CVE-2023-2992 | 1.5 | 7.5 | 0.0029 | 2023-06-26 |
CVE-2024-34703 | 1.5 | 7.5 | 0.0020 | 2024-06-30 |
CVE-2024-49363 | 1.5 | 7.4 | 0.0019 | 2024-12-18 |
CVE-2024-55628 | 1.5 | 7.5 | 0.0054 | 2025-01-06 |
CVE-2025-24356 | 1.5 | 7.5 | 0.0041 | 2025-01-27 |
CVE-2025-30204 | 1.5 | 7.5 | 0.0011 | 2025-03-21 |
CVE-2025-22166 | 1.5 | 7.5 | 0.0009 | 2025-10-21 |
CVE-2025-8677 | 1.5 | 7.5 | 0.0008 | 2025-10-22 |
CVE-2025-66506 | 1.5 | 7.5 | 0.0004 | 2025-12-04 |
CVE-2025-66564 | 1.5 | 7.5 | 0.0002 | 2025-12-04 |
CVE-2026-22774 | 1.5 | 7.5 | 0.0002 | 2026-01-15 |
CVE-2026-22775 | 1.5 | 7.5 | 0.0002 | 2026-01-15 |
CVE-2026-0485 | 1.5 | 7.5 | 0.0006 | 2026-02-10 |
CVE-2026-25611 | 1.5 | 7.5 | 0.0006 | 2026-02-10 |
CVE-2025-42876 | 1.4 | 7.1 | 0.0003 | 2025-12-09 |
CVE-2024-40705 | 1.3 | 6.5 | 0.0009 | 2024-08-15 |
CVE-2025-25186 | 1.3 | 6.5 | 0.0014 | 2025-02-10 |