Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [GHSA-c73c-x77g-854r]

[Updated May 2026] GHSA-c73c-x77g-854r

Overview

Unrestricted Resource Consumption occurs when a Node.js (Express) application accepts input or performs work without a bound on the memory, CPU, or I/O that input can cost. In production the result is slowdowns, outages, higher hosting bills, and degraded service for legitimate users. An attacker can trigger it cheaply: an unbounded computation driven by a small numeric field, an oversized payload, or a streaming pattern that buffers without backpressure can exhaust a process far faster than normal traffic would. This guide describes how these issues show up in Node.js/Express and how to remediate them.

Common Express patterns include accepting JSON bodies without an explicit size limit, building in-memory structures whose size comes from user input, and streaming data without backpressure. Because Node runs request handlers on a single event loop, one CPU-heavy request delays every concurrent request, and memory that grows unchecked ends in an out-of-memory crash rather than one slow response. Frameworks and middleware amplify the risk when left at permissive settings.

Remediation combines input validation, resource caps, and architectural safeguards: enforce strict body size limits, bound every input that influences an allocation or loop count, rate limit by client, offload heavy work to a queue or worker, and stream large outputs instead of buffering them. Monitor memory and event-loop lag, fail with a meaningful error (400, 413 or 429) rather than silently degrading, and alert on anomalies so exhaustion is detected early.

Note: No CVE IDs are provided in this guide; the focus is on general, repeatable mitigation patterns for Unrestricted Resource Consumption in Node.js (Express).

Code Fix Example

Node.js (Express) API Security Remediation
const express = require('express');
const app = express();

// Vulnerable endpoint: express.json() already caps the body at 100kb by default, but the
// tiny body field `n` sizes an allocation and a loop. A request such as {"n": 4000000000}
// is a few bytes on the wire yet makes the process allocate and fill billions of elements,
// exhausting memory or pinning the event loop for seconds; a handful of concurrent
// requests is enough to take the service down.
app.post('/compute-vuln', express.json(), (req, res) => {
  const n = parseInt(req.body?.n, 10) || 0;
  const data = new Array(n).fill(0);
  for (let i = 0; i < n; i++) data[i] = i;
  res.json({ sum: data.reduce((a, b) => a + b, 0) });
});

// Fixed endpoint: the body limit is stated explicitly (100kb, the same value express.json()
// uses by default), n is clamped to a ceiling the server can afford, and the sum is
// accumulated in a scalar, so no allocation is sized by user input.
app.post('/compute', express.json({ limit: '100kb' }), (req, res) => {
  const n = Math.max(0, Math.min(parseInt(req.body?.n, 10) || 0, 100000));
  let sum = 0;
  for (let i = 0; i < n; i++) sum += i;
  res.json({ sum });
});

app.listen(3000, () => console.log('Server listening on 3000'));

CVE References

None. This guide lists no CVE IDs; the patterns above are general mitigations rather than fixes for a particular CVE.