Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [GHSA-w3x6-4m5h-cxqf]

[Updated Apr 2026] Updated GHSA-w3x6-4m5h-cxqf

Overview

Unrestricted Resource Consumption (URC) causes denial of service by exhausting CPU, memory, or I/O capacity. In Node.js (Express) deployments this typically looks like oversized JSON bodies, large file uploads, or inputs that drive an expensive computation; because Node runs JavaScript on a single event loop, one request that blocks in synchronous CPU-bound work stalls every other request on that process, so latency spikes and outages for legitimate users follow quickly. When safeguards such as body-size limits, rate limiting, and hard caps on per-request work are missing, the result is degraded service, higher operational cost, or outright crashes under load. No CVEs were provided for this general guidance; the patterns below reflect well-known URC risks in Express-based applications and the mitigations commonly applied in practice.

Code Fix Example

Node.js (Express) API Security Remediation
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// Vulnerable pattern: the body parser is mounted with no explicit limit
// (body-parser falls back to its 100kb default, which is rarely sized for
// the endpoint), and the handler burns CPU in proportion to the
// attacker-supplied `n` with no upper bound, blocking the event loop for
// every other client while the loop runs.
app.post('/process/vuln', express.json(), (req, res) => {
  const input = req.body;
  // Simulate CPU-heavy work based on input size
  const iterations = Math.max(1000000, Number(input.n) || 1000000);
  let sum = 0;
  for (let i = 0; i < iterations; i++) sum += i;
  res.json({ ok: true, iterations });
});

// Fixed pattern: rate limit first (rejected requests never reach the body
// parser), then explicit body-size limits sized for the endpoint, then input
// validation and a hard cap on the work a single request can trigger.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: 'Too many requests from this client, please try again later.',
});
app.use('/process/fixed', limiter);
// 10kb is well below body-parser's 100kb default; size it to the largest
// legitimate request this endpoint actually needs.
app.use('/process/fixed',
  express.json({ limit: '10kb' }),
  express.urlencoded({ extended: true, limit: '10kb' }));

app.post('/process/fixed', (req, res) => {
  const input = req.body;
  if (!input || (input.n !== undefined && !Number.isFinite(Number(input.n)))) {
    return res.status(400).json({ error: 'Invalid input' });
  }
  const n = Math.max(1, Number(input.n) || 1);
  // Cap CPU-heavy work to a safe upper bound regardless of what n says
  const iterations = Math.min(1000000, n * 1000);
  let sum = 0;
  for (let i = 0; i < iterations; i++) sum += i;
  res.json({ ok: true, iterations });
});

app.listen(3000, () => console.log('URC demo listening on port 3000'));

CVE References

None were provided for this general guidance (see Overview).