Unrestricted Resource Consumption in Node.js Express [CVE-1999-0967]

Unrestricted Resource Consumption vulnerabilities occur when an application processes unbounded input or performs unbounded work in response to a single request, allowing an attacker to exhaust memory, CPU, or file descriptors. The historic CVE-1999-0967 describes a buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource protocol, illustrating how unsafe handling of resource data can crash a component. While that CVE predates Node.js, it demonstrates how untrusted inputs to resource-handling code can lead to critical failures when there is no bound on what the code will load or process.\n\nIn Node.js with Express, the same class of attack manifests when endpoints accept large payloads (JSON bodies, file uploads, or computational tasks) without enforcing size limits or backpressure. Because Node.js runs on a single event loop, feeding it oversized requests or by performing heavy CPU-bound work in the request path can exhaust memory or stall the event loop, causing service slowdown or outages. This is the practical version of unrestricted resource consumption in modern web servers.\n\nTo mitigate, implement strict input bounds and offload heavy work. The code examples below show how to reuse request-parsing limits, validate and cap inputs, and move heavy processing out of the request path. Tying the defense to CVE-1999-0967 emphasizes that improper resource handling remains a core DoS risk even as architectures evolve.