Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [CVE-2026-4539]

[Updated Mar 2026] Updated CVE-2026-4539

Overview

Unrestricted Resource Consumption vulnerabilities allow an attacker to exhaust CPU, memory, or other resources by sending crafted input that triggers expensive processing. CVE-2026-4539 describes a Python-based vulnerability in pygments up to version 2.19.2 where a crafted regular expression caused inefficient backtracking and high CPU usage, enabling local denial-of-service. This is categorized under CWE-400 (Unrestricted Resource Consumption) and CWE-1333, highlighting the risk of consuming resources through unsafe patterns. Although this CVE is in a Python project, the underlying pattern-unbounded resource consumption from untrusted input-translates directly to Node.js/Express when processing user-supplied patterns or large payloads. In Node.js, a route that compiles or applies a user-provided regex to a large dataset can exhaust CPU and impact other requests if protections are not in place. The risk is particularly acute in single-process deployments common to Node.js applications, where a single attacker could impact multiple users.

Code Fix Example

Node.js (Express) API Security Remediation 
// Vulnerable and fixed examples for a simple search endpoint in Node.js/Express.

const express = require('express');
const app = express();
const port = 3000;

// Simulated large text for search
const largeText = 'A'.repeat(1000000) + ' ' + 'end of data';

function escapeRegExp(string) {
  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable: accepts a client-supplied regex and applies it to a large string
app.get('/search', (req, res) => {
  const q = req.query.q;
  if (!q) return res.status(400).send('missing q');
  try {
    // Potentially catastrophic: untrusted user pattern used to build RegExp
    const re = new RegExp(q, 'i');
    const matches = largeText.match(re) || [];
    res.json({ count: matches.length });
  } catch (err) {
    res.status(400).send('invalid pattern');
  }
});

// Safe/fixed: treat client input as literal, apply strict validation, and use escaping
app.get('/search-fixed', (req, res) => {
  const q = req.query.q;
  if (!q || q.length > 32) return res.status(400).send('invalid');
  // Escape to perform literal substring search, preventing regex-based backtracking
  const safe = new RegExp(escapeRegExp(q), 'i');
  const matches = largeText.match(safe) || [];
  res.json({ count: matches.length });
});

app.listen(port, () => console.log(`Listening on ${port}`));

CVE References

More Node.js (Express) API Security Remediation Guides

View all →

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.