CVE-2025-70059 in yapiinfo

Summary

by MITRE • 03/09/2026

An issue pertaining to CWE-400: Uncontrolled Resource Consumption was discovered in YMFE yapi v1.12.0 and allows attackers to cause a denial of service.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/12/2026

The vulnerability identified as CVE-2025-70059 represents a critical resource consumption flaw in the YMFE yapi platform, version 1.12.0, classified under CWE-400, which covers uncontrolled resource consumption. It manifests as a denial of service condition that malicious actors can exploit to disrupt the availability of the affected system. The yapi platform, a collaborative API development and documentation tool, becomes susceptible to resource exhaustion attacks that can render it inaccessible to legitimate users.

Technically, this vulnerability stems from inadequate resource management in the application's processing mechanisms. Attackers can exploit the weakness by crafting specific requests or inputs that trigger excessive consumption of system resources such as memory, CPU cycles, or file descriptors. The flaw likely exists in how the platform handles certain API requests, data processing operations, or concurrent connections without proper bounds checking or resource limiting. Such uncontrolled resource consumption can lead to system instability, application crashes, or complete service unavailability.

From an operational impact perspective, this vulnerability poses significant risks to organizations relying on yapi for their API development workflows and documentation needs. The denial of service condition can disrupt development cycles, prevent access to critical API information, and potentially affect downstream applications that depend on the documented APIs. The issue is particularly concerning because it can be exploited remotely without authentication, making it reachable by any attacker with network access to the affected system. Organizations may experience downtime, reduced productivity, and financial losses due to service disruption.

Security professionals should implement immediate mitigations including rate limiting, resource consumption monitoring, and input validation controls to prevent exploitation of this vulnerability. Proper resource management practices, such as setting maximum limits on concurrent connections, request processing time, and memory allocation, can significantly reduce the risk of successful exploitation. Additionally, regular security assessments and penetration testing should be conducted to identify similar vulnerabilities within the application stack. Organizations should also consider network-level protections such as firewalls and intrusion detection systems to watch for suspicious resource consumption patterns and potential exploitation attempts.
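As an added illustration of the limits listed above (example code, not from yapi or VulDB), the guard below enforces a body-size cap, a per-client concurrency cap, and a processing-time cap as one middleware for a Node/Koa-style chain, which is the stack yapi runs on; the ctx shape, the limit values, and the client addresses are assumptions.

```javascript
// Added example (not yapi code): one CWE-400 guard combining three mitigations.
// Assumed ctx shape mirrors Koa: ctx.ip, ctx.request.length, ctx.status, ctx.body.
function createResourceGuard({ maxInflightPerIp = 8, maxBodyBytes = 1 << 20, maxMs = 5000 } = {}) {
  const inflight = new Map(); // client ip -> requests currently being processed

  // Synchronous admission decision; returns null when the request may proceed.
  function admit(ip, declaredBytes) {
    // 1. Reject oversized bodies before anything buffers or parses them.
    if (declaredBytes > maxBodyBytes) return { status: 413, error: 'payload too large' };
    // 2. Cap concurrent requests per client so one source cannot hog workers.
    const n = inflight.get(ip) || 0;
    if (n >= maxInflightPerIp) return { status: 429, error: 'too many concurrent requests' };
    inflight.set(ip, n + 1);
    return null;
  }
  function release(ip) {
    const n = (inflight.get(ip) || 1) - 1;
    if (n <= 0) inflight.delete(ip); else inflight.set(ip, n);
  }
  function inflightFor(ip) { return inflight.get(ip) || 0; }

  // Koa-style middleware: reject early, then bound how long the rest of the chain may run.
  async function middleware(ctx, next) {
    const rejection = admit(ctx.ip, Number(ctx.request.length || 0));
    if (rejection) { ctx.status = rejection.status; ctx.body = { error: rejection.error }; return; }
    let timer;
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error('timeout')), maxMs);
    });
    try {
      // 3. A handler that exceeds maxMs loses; its later writes must be ignored by the caller.
      await Promise.race([next(), timeout]);
    } catch (err) {
      if (err.message !== 'timeout') throw err;
      ctx.status = 503; ctx.body = { error: 'request timed out' };
    } finally {
      clearTimeout(timer);
      release(ctx.ip); // always free the slot, even after a timeout or handler error
    }
  }
  return { admit, release, inflightFor, middleware };
}

// Constructed request context for local exercise (not real traffic).
function fakeCtx(ip, bodyBytes) { return { ip, request: { length: bodyBytes }, status: 200, body: null }; }
```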

This vulnerability aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, and demonstrates the importance of resource management controls in preventing system-wide availability impacts. The CWE-400 classification emphasizes the need for robust resource handling throughout the application development lifecycle, particularly in web applications that process user input. Organizations should ensure their security controls include monitoring for abnormal resource consumption patterns and automated response mechanisms that can contain exploitation attempts before they cause significant disruption to service availability.

Responsible

MITRE

Reservation

01/09/2026

Disclosure

03/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00058

KEV

no

Activities

very low
