Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component
AnalysisAI
Denial of service via improper resource handling in the Client Balance component of Hostbill v.2025-11-24 and v.2025-12-01 allows high-privileged remote attackers to disrupt service availability and trigger limited integrity impacts. The vulnerability stems from insufficient input validation in CWE-400 (Uncontrolled Resource Consumption), requiring administrator-level access but presenting moderate real-world risk due to the low attack complexity and network accessibility of the affected component.
Technical ContextAI
The vulnerability resides in Hostbill's Client Balance component, a critical billing and account management feature. CWE-400 (Uncontrolled Resource Consumption / 'Billion Laughs') indicates improper handling of resource allocation-typically involving unbounded loops, excessive memory allocation, or uncontrolled object creation triggered by crafted input. The Client Balance component likely processes financial transactions and account metadata without proper bounds checking. The network-accessible attack vector (AV:N) combined with low attack complexity (AC:L) suggests the vulnerable endpoint accepts remote HTTP/API requests, but the requirement for high privileges (PR:H) limits exposure to admin accounts or authenticated backend processes. The integrity impact (I:L) alongside availability loss suggests partial data modification may accompany the denial of service, such as balance corruption.
RemediationAI
Apply the patched version released after 2025-12-01 as documented in the Hostbill security advisory at https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/. The exact fix version is not specified in available data; contact Hostbill support or consult their release notes for the current patched build. Until patching is feasible, implement the following compensating controls: (1) Restrict administrator access to the Client Balance component via role-based access control (RBAC) - limit admin privileges to only necessary users and segregate billing administration from general system administration; this reduces the attack surface by minimizing high-privilege accounts. (2) Monitor Client Balance API and component access logs for anomalous resource consumption patterns, such as repeated rapid requests or unusually large batch operations that may indicate exploitation attempts. (3) Implement rate limiting on Client Balance endpoints at the reverse proxy or API gateway layer to prevent resource exhaustion, with trade-off of potential blocking of legitimate bulk operations. (4) Disable or restrict access to the Client Balance component from untrusted networks, leaving it accessible only from internal staff or whitelisted IPs. Note that these controls do not eliminate the vulnerability but reduce feasibility and detectability of attacks. Patch as soon as available.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25423
GHSA-m9pp-9784-85qg