Since you mention this may be a security vulnerability (potential denial of service attack) in a supported release, I've switched the bug from public to public security and added an OSSA task in case it warrants an advisory.
Since you mention this may be a security vulnerability (potential denial of service attack) in a supported release, I've switched the bug from public to public security and added an OSSA task in case it warrants an advisory.