Overview
Unrestricted resource consumption vulnerabilities in Node.js and Express occur when a server processes untrusted input without sensible bounds. An attacker can flood an API with large payloads or with requests that trigger CPU-intensive work, exhausting memory, blocking the event loop, and degrading or denying service to legitimate users. Because Node.js runs JavaScript on a single event-loop thread per process, one synchronous computation stalls every other request handled by that process; in practice this shows up as slow responses, workers crashing on out-of-memory, and restarts or emergency autoscaling during peak load.
These issues often arise around body parsing and streaming. express.json() and express.urlencoded() cap request bodies at 100 kB by default, so the usual mistakes are raising that limit wholesale (for example limit: '50mb' to make one upload endpoint work) instead of per route, using express.raw() or express.text() with a generous limit, or reading the request stream into memory by hand with no byte count. Combine an oversized body with heavy computation on req.body in the handler and memory grows rapidly under load while the event loop is blocked, which is a denial-of-service condition. Note: No CVEs are provided in this guide.
Mitigation focuses on applying sensible limits, streaming where possible, and enforcing rate control. Keep body size limits small and scoped to the route that needs them, process large uploads as streams rather than buffering them, set header and request timeouts on the HTTP server, and rate limit per client. Validate the shape and size of input before doing any work on it, offload CPU-bound work to worker threads or a job queue so the event loop stays responsive, and monitor memory, event-loop lag and error rates to detect anomalies early. The remediation steps below guide concrete changes for Node.js (Express) projects.
Code Fix Example
Node.js (Express) API Security Remediation
const express = require('express');

const vulnApp = express();
const safeApp = express();

// Vulnerable: the JSON limit is raised far above the body-parser default of 100 kB
// (effectively no bound for this API), and the handler does synchronous CPU-bound
// work on the single event-loop thread, so every request stalls all other traffic
// on this process for the duration of the loop.
vulnApp.use(express.json({ limit: '50mb' }));
vulnApp.post('/process', (req, res) => {
  const data = req.body;
  // Simulate CPU-bound work running synchronously on the event loop
  let sum = 0;
  for (let i = 0; i < 1e7; i++) sum += i;
  res.json({ received: Array.isArray(data) ? data.length : 0, status: 'vulnerable' });
});

// Fixed: the 100 kB cap is the body-parser default written out explicitly so the bound
// is visible in review; larger payloads are rejected with 413 without being buffered
// in full. The handler does no synchronous heavy work; CPU-bound steps belong in a
// worker thread or a background job.
safeApp.use(express.json({ limit: '100kb' }));
safeApp.post('/process', (req, res) => {
  const data = req.body;
  res.json({ received: Array.isArray(data) ? data.length : 0, status: 'fixed' });
});

vulnApp.listen(3000, () => console.log('Vulnerable app listening on port 3000'));
safeApp.listen(3001, () => console.log('Fixed app listening on port 3001'));