Allocation of Resources Without Limits or Throttling Affecting kubescape package, versions <4.0.10-r2


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-KUBESCAPE-17803427
  • published3 Jul 2026
  • disclosed17 Jul 2026

Introduced: 3 Jul 2026

NewCVE-2026-49835  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade Minimos:latest kubescape to version 4.0.10-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kubescape package and not the kubescape package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.