Unrestricted Resource Consumption in Node.js (Express) [CVE-2026-41680]

Unrestricted Resource Consumption vulnerability can lead to denial of service in Node.js Express apps. Attackers can overwhelm a service by sending large payloads, causing massive in-memory processing or exhausting file descriptors through sustained requests. When the event loop or the V8 heap expands, legitimate users experience high latency or timeouts while the service struggles. In cloud deployments, memory pressure can trigger restarts or autoscaling delays, amplifying outages. In Express, this class of vulnerability typically manifests when input handling, file uploads, or CPU-intensive work occur without clear limits. Examples include parsing unbounded JSON bodies, accepting massive URL-encoded payloads, performing synchronous I/O or CPU-heavy computations on the main thread, or failing to rate-limit concurrent requests. Attackers can exploit these patterns to drive up CPU and memory usage, starving other requests. To mitigate, explicitly bound resource use at the boundary: cap body sizes, implement rate limits, stream large inputs instead of buffering, and offload heavy work to workers. Use safe parsing and validate inputs, and profile the app under load. Combine these with monitoring, process isolation, and sane deployment limits to prevent unrestricted resource consumption from bringing down the service.