#denial-of-service

#denial-of-service

We also patched two potential denial-of-service vulnerabilities when handling large, malformed inputs. One exploits inefficient string concatenation in header parsing under ASGI ( CVE 2025-14550). Concatenating strings in a loop is known to be slow, and we've done fixes in public where the impact is low. The other one ( CVE 2026-1285) exploits deeply nested entities. December's vulnerability in the XML serializer ( CVE 2025-64460) was about those very two themes.

Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability, A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to Denial-of-Service attacks.

Tracked as CVE-2025-43400, the security defect is described as an out-of-bounds write issue in the operating system's FontParser component that could lead to a denial-of-service (DoS) condition or memory corruption. "Processing a maliciously crafted font may lead to unexpected app termination or corrupt process memory," Apple explains. According to advisories from the Hong Kong CERT and Akaoma Cybersecurity, the vulnerability can be exploited remotely, without privileges, although user interaction is required.

Citrix warns of a critical vulnerability in NetScaler devices (CVE-2025-6543) leading to denial-of-service attacks, urging immediate updates to mitigate risks.