Unrestricted Resource Consumption in Node.js Express [CVE-1999-1016]

Historically, CVE-1999-1016 described a DoS where the Microsoft HTML control could be forced to burn 100% CPU by large HTML form fields in web pages or HTML emails. The vulnerability arose from how the control rendered or parsed HTML input in IE5, FrontPage Express, Outlook Express 5, and Eudora, among others. In Node.js Express contexts today, unbounded input similarly risks resource exhaustion: oversized JSON or URL-encoded bodies, or large file uploads can cause heavy CPU use or memory pressure during parsing or processing, potentially degrading service availability. Remediation approach includes bounding input, rejecting oversized payloads early, and avoiding CPU-heavy work in request handlers. Use Express body parsers with limits, stream or chunk large uploads, apply rate limiting and timeouts, and validate input before expensive processing; consider background workers for CPU-intensive tasks. The example code below shows the vulnerable pattern and a fixed pattern that implements limits, rate limiting, and upload caps.