Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [CVE-2026-39320]


Overview

Unrestricted Resource Consumption (URC) vulnerabilities allow attackers to exhaust CPU, memory, or I/O resources by pushing the server into expensive operations. CVE-2026-39320 documents an unauthenticated ReDoS (regular expression denial of service) in Signal K Server's WebSocket subscription handling, where an unescaped regular expression is injected through a stream subscription context. Although the CVE concerns Signal K Server, the same pattern applies to any Node.js app (including those using Express) that builds RegExp objects dynamically from untrusted input. The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity), and the fix was introduced in Signal K Server version 2.25.0.

This real-world example shows how a seemingly harmless subscription parameter can trigger catastrophic backtracking, spiking the server's CPU and rendering the API surface unresponsive. In Node.js, any code path that constructs a RegExp from user input without safeguards carries the same denial-of-service risk, especially in subscription or streaming workflows where long identifiers are evaluated repeatedly.

In practice, an attacker supplies a crafted context value containing regex metacharacters (for example long, nested patterns) via a subscription request. The server compiles a RegExp from this input and uses it to match or route messages, potentially against very long identifiers. If the pattern and input interact unfavorably, the JavaScript RegExp engine can fall into catastrophic backtracking, and because matching runs synchronously on the event loop, the whole process spends its CPU cycles there. When the vulnerable code sits in a WebSocket or streaming path, normal API requests and new socket connections are delayed or dropped as the process nears resource exhaustion, effectively achieving a DoS.

Remediation focuses on the class of issue: eliminate dynamically generated regular expressions, or handle them safely. Upgrade to the patched version (Signal K Server 2.25.0 or later, as reflected by CVE-2026-39320) and apply defense in depth in your Node.js/Express code: avoid constructing RegExp objects from untrusted input, or, if you must, escape the input rigorously or strictly whitelist it. Validate input, cap the length and complexity of patterns, prefer literal matching or safe alternatives where possible, and enforce per-connection quotas and rate limiting. Additionally, consider backpressure, CPU and memory usage monitoring, and targeted tests that simulate pathological inputs to confirm that responsiveness stays bounded under load.

Affected Versions

Signal K Server < 2.25.0

Code Fix Example

Node.js (Express) API Security Remediation
const express = require('express');
// Note: requires the 'escape-string-regexp' package for safe escaping.
// Versions 5 and later are ESM-only, so with require() install v4:
//   npm i escape-string-regexp@4
const escapeStringRegexp = require('escape-string-regexp');
const app = express();
app.use(express.json());

// Upper bound on an accepted subscription context (defense in depth)
const MAX_CONTEXT_LENGTH = 256;

// Vulnerable: building RegExp directly from user input
app.post('/subscribe/vulnerable', (req, res) => {
  const context = (req.body && req.body.context) || '';
  // Untrusted input used to construct a RegExp; potential ReDoS
  const regex = new RegExp(context);
  // Simulates matching the pattern against a long identifier, as the
  // subscription path does; a pathological pattern blocks the event loop here
  const longId = 'x'.repeat(10000) + 'y';
  regex.test(longId);
  res.json({ ok: true, vulnerable: true });
});

// Fixed: cap the length, then escape user input so every metacharacter is
// matched literally; the resulting pattern contains no quantifiers and
// runs in linear time
app.post('/subscribe/fixed', (req, res) => {
  const context = (req.body && req.body.context) || '';
  if (typeof context !== 'string' || context.length > MAX_CONTEXT_LENGTH) {
    return res.status(400).json({ ok: false, error: 'invalid context' });
  }
  const escaped = escapeStringRegexp(context);
  const regex = new RegExp(escaped);
  const longId = 'x'.repeat(10000) + 'y';
  regex.test(longId); // equivalent to longId.includes(context), but safe
  res.json({ ok: true, fixed: true });
});

const port = process.env.PORT || 3000;
app.listen(port, () => console.log(`Demo server listening on ${port}`));

// To use: npm i express escape-string-regexp@4
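The fix above reduces a context to a literal substring match. Real subscription contexts usually need some wildcarding, so the following added example (written for this page, not code from Signal K Server or from the CVE fix) shows how the validation, length-capping and escaping steps recommended in the Overview combine into a matcher that still supports a wildcard without ever compiling client-controlled regex syntax. It assumes, as a simplification, that a context is a dot-separated path such as "vessels.self" and that "*" is the only wildcard, matching exactly one segment; the character allowlist and the 256-character cap are choices made for this example.

```javascript
// Added example (not Signal K Server's code): safe compilation of a
// user-supplied subscription "context" into a matcher. Assumes contexts are
// dot-separated path segments such as "vessels.self", with "*" as the only
// wildcard, matching a single segment.

const MAX_CONTEXT_LENGTH = 256;          // cap chosen for this example
const SEGMENT = /^[A-Za-z0-9_:*-]+$/;    // allowlist for one path segment

// Escape every regex metacharacter so the character is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Validate the context and build a RegExp that can only contain literal
// characters, "\." separators and the bounded wildcard "[^.]*". There are no
// nested or ambiguous quantifiers, so matching is linear in the input length
// regardless of what the client sent.
function compileContextMatcher(context) {
  if (typeof context !== 'string') {
    throw new TypeError('context must be a string');
  }
  if (context.length === 0 || context.length > MAX_CONTEXT_LENGTH) {
    throw new RangeError(`context length must be 1..${MAX_CONTEXT_LENGTH}`);
  }
  const segments = context.split('.');
  for (const seg of segments) {
    if (!SEGMENT.test(seg)) {
      throw new Error(`context segment contains disallowed characters: "${seg}"`);
    }
  }
  // Escape first, then turn the escaped "\*" back into a single-segment wildcard.
  const source = segments
    .map((seg) => escapeRegExp(seg).replace(/\\\*/g, '[^.]*'))
    .join('\\.');
  return new RegExp(`^${source}$`);
}

// Boolean wrapper for the point where a subscription request is accepted or
// rejected; it never lets an exception escape into the request handler.
function isAcceptableContext(context) {
  try {
    compileContextMatcher(context);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs for demonstration.
const samples = [
  'vessels.self',          // plain identifier
  'vessels.*',             // one-segment wildcard
  'vessels.(x+)+',         // metacharacters: rejected before any RegExp is built
  'vessels..self',         // empty segment: rejected
  'a'.repeat(1000),        // over-length: rejected
];

for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), '->',
    isAcceptableContext(s) ? 'accepted' : 'rejected');
}

// A very long identifier is matched in linear time by the compiled pattern.
const matcher = compileContextMatcher('vessels.*');
const longId = 'vessels.' + 'x'.repeat(100000);
console.log('vessels.* matches long id:', matcher.test(longId));
```

In an Express or WebSocket handler, call isAcceptableContext on the incoming context and reject the subscription with a 4xx response (or close the socket) before any matching happens; compileContextMatcher is then the only place a RegExp is constructed, and its output is fully determined by the allowlist rather than by the client.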

CVE References
