Overview
Unrestricted Resource Consumption (URC) vulnerabilities let attackers exhaust memory, CPU, or other resources by sending crafted requests that trigger unbounded processing.
In Node.js with Express, URC typically arises from unbounded input handling: oversized request bodies, or user-supplied values that are used to allocate large arrays or to drive CPU-heavy loops.
Without proper limits, a single bad request or a flood of requests can degrade or crash services, impacting availability for legitimate users.
This guide explains how URC manifests in Express apps and provides Node.js-specific remediation steps and a concrete before/after example.
Code Fix Example
Node.js (Express) API Security Remediation
/* Vulnerable */
const express = require('express');
const app = express();

// No explicit payload size limit; the real problem below is the unbounded
// allocation and loop driven by a client-controlled number.
app.use(express.json());

app.post('/generate', (req, res) => {
  const count = parseInt(req.body.count, 10);
  // Unbounded resource consumption: the client chooses `count`, and a very
  // large value makes this handler loop for a very long time (CPU exhaustion).
  const items = new Array(count);
  for (let i = 0; i < items.length; i++) {
    // simulate CPU work
    Math.sqrt(i);
  }
  res.json({ allocated: items.length });
});
// (no listen() call here; the fixed app below is the one bound to port 3000)
/* Fixed */
const expressFixed = require('express');
const appFixed = expressFixed();

// Cap the JSON body size so the parser never buffers an oversized payload.
appFixed.use(expressFixed.json({ limit: '100kb' }));

// Upper bound on the amount of work a single request may trigger.
const MAX_COUNT = 100000;

appFixed.post('/generate', (req, res) => {
  // req.body can be undefined when no JSON body was sent (e.g. Express 5),
  // so fall back to an empty object before reading from it.
  const body = req.body || {};
  const nRaw = parseInt(body.count, 10);
  // parseInt yields NaN for missing or non-numeric input; treat that as 0.
  const n = Number.isFinite(nRaw) ? nRaw : 0;
  // Clamp to [0, MAX_COUNT] so neither negative nor huge values get through.
  const count = Math.max(0, Math.min(n, MAX_COUNT));
  const items = new Array(count);
  for (let i = 0; i < items.length; i++) {
    Math.sqrt(i);
  }
  res.json({ allocated: items.length });
});

appFixed.listen(3000, () => console.log('Server listening on port 3000'));