Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [GHSA-v569-hp3g-36wr]

[Updated Apr 2026] Updated GHSA-v569-hp3g-36wr

Overview

Unrestricted Resource Consumption vulnerabilities in Node.js (Express) occur when applications accept unbounded input or perform resource-intensive work in response to user requests. Attackers can push memory, CPU, or disk resources to the limit by sending oversized payloads, large file uploads, or data that triggers heavy computation. In a single-threaded runtime like Node, even a few such requests can block the event loop, degrade latency for others, or crash the process under constrained hosting.

In practice this manifests in Express apps most often through missing input size limits on body parsing, or through routes that load whole uploads into memory and then loop or compute based on that data. Without safeguards, a single oversized request can exhaust RAM, and many concurrent large requests can saturate CPU and exhaust quotas in cloud or container environments, leading to service outages.

Remediation focuses on limiting exposure and offloading work. Enforce strict payload size limits (body parsers, query strings), validate inputs against a schema, avoid synchronous CPU work on untrusted data, and offload heavy processing to workers or queues. Implement streaming for large content and apply rate limiting to cap concurrent resource usage. Drop requests that exceed defined thresholds with 413 responses. Test and monitor changes with load tests and fuzzing, keep dependencies up to date, and consider reverse proxy protections. These steps reduce the risk of DoS from uncontrolled resource use and improve resilience in Node.js (Express) services.

Code Fix Example

Node.js (Express) API Security Remediation
Vulnerable:
const express = require('express');
const vulnerableApp = express();
// Body parser mounted with no explicit size policy for this route
vulnerableApp.use(express.json());
vulnerableApp.post('/process', (req, res) => {
  const data = req.body;
  let sum = 0;
  // Synchronous CPU-bound loop whose iteration count scales with the size of
  // untrusted input (data.length * 1000); a large array blocks the event loop
  if (Array.isArray(data) && data.length > 1000) {
    for (let i = 0; i < data.length * 1000; i++) sum += i;
  }
  res.json({ status: 'ok', length: (data && data.length) || 0, sum });
});
vulnerableApp.listen(3000, () => console.log('Vulnerable server listening on 3000'));

Fixed:
const express = require('express');
const fixedApp = express();
// Explicit payload cap: bodies over 100kb are rejected by the parser with a
// 413 error before the route handler runs
fixedApp.use(express.json({ limit: '100kb' }));
fixedApp.post('/process', (req, res) => {
  const data = req.body;
  let sum = 0; // no per-element computation is performed on untrusted input
  // Lightweight processing; avoid CPU-heavy work on untrusted input
  const length = Array.isArray(data) ? data.length : 0;
  res.json({ status: 'ok', length, sum });
});
fixedApp.listen(3001, () => console.log('Fixed server listening on 3001'));
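The fixed snippet above applies only the body-size limit. The Overview also calls for schema validation, rate limiting and a bounded amount of work per request. The following is an added example (not code from the advisory or from Express) that implements those guards as plain functions with an Express-compatible route wiring shown in a comment. The byte limit mirrors the 100kb from the fix; the 1000-item cap and the token-bucket parameters are assumed values chosen for illustration, and `handleProcess` is a hypothetical helper name.

```javascript
'use strict';
// Added example, not part of the advisory. Request guards for an Express-style
// /process route: size limit, schema check, per-client rate limit, bounded work.

const MAX_BODY_BYTES = 100 * 1024;                      // same budget as express.json({ limit: '100kb' })
const MAX_ITEMS = 1000;                                 // assumed cap on array length for /process
const RATE_LIMIT = { capacity: 20, refillPerSec: 5 };   // assumed token-bucket parameters

// Parse a raw JSON body (string or Buffer), refusing it before JSON.parse
// when it exceeds the byte budget. Returns { ok, value } or { ok, status, error }.
function parseJsonBody(raw, maxBytes = MAX_BODY_BYTES) {
  const size = Buffer.byteLength(raw, 'utf8');
  if (size > maxBytes) {
    return { ok: false, status: 413, error: `body is ${size} bytes, limit is ${maxBytes}` };
  }
  try {
    return { ok: true, value: JSON.parse(raw) };
  } catch (e) {
    return { ok: false, status: 400, error: 'malformed JSON' };
  }
}

// Schema check for /process: a bounded array of finite numbers. Bounding the
// length here is what makes the later O(n) work cost-capped.
function validateProcessBody(body, maxItems = MAX_ITEMS) {
  if (!Array.isArray(body)) return { ok: false, status: 400, error: 'expected an array' };
  if (body.length > maxItems) return { ok: false, status: 413, error: `at most ${maxItems} items` };
  if (!body.every((x) => typeof x === 'number' && Number.isFinite(x))) {
    return { ok: false, status: 400, error: 'items must be finite numbers' };
  }
  return { ok: true, length: body.length };
}

// Token bucket keyed by client (e.g. req.ip): caps how many requests a single
// source can have the server work on per unit of time.
class TokenBucket {
  constructor({ capacity, refillPerSec }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map();
  }
  allow(key, nowMs = Date.now()) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: nowMs }; this.buckets.set(key, b); }
    const elapsedSec = Math.max(0, nowMs - b.last) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}
const defaultBucket = new TokenBucket(RATE_LIMIT);

// Route logic as a pure function: returns { status, payload } so it can be
// unit-tested without a server. Work is O(n) with n <= MAX_ITEMS.
function handleProcess(rawBody, clientKey, bucket = defaultBucket) {
  if (!bucket.allow(clientKey)) return { status: 429, payload: { error: 'too many requests' } };
  const parsed = parseJsonBody(rawBody);
  if (!parsed.ok) return { status: parsed.status, payload: { error: parsed.error } };
  const valid = validateProcessBody(parsed.value);
  if (!valid.ok) return { status: valid.status, payload: { error: valid.error } };
  const sum = parsed.value.reduce((acc, x) => acc + x, 0);
  return { status: 200, payload: { status: 'ok', length: valid.length, sum } };
}

// Assumed Express wiring (express.raw keeps the body as a Buffer and applies
// its own 100kb limit first, so the parser-level 413 and ours are both in place):
//   app.post('/process', express.raw({ type: 'application/json', limit: '100kb' }), (req, res) => {
//     const r = handleProcess(req.body, req.ip);
//     res.status(r.status).json(r.payload);
//   });

module.exports = { parseJsonBody, validateProcessBody, TokenBucket, handleProcess, MAX_BODY_BYTES, MAX_ITEMS };
```

Anything still CPU-heavy after validation (for instance per-item hashing or parsing) belongs in a `worker_threads` worker or a job queue rather than in `handleProcess`, so that the event loop keeps serving other clients while the bounded work runs.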

CVE References
