Overview
Unrestricted Resource Consumption (URC) vulnerabilities allow attackers to exhaust a Rails application's CPU, memory, or I/O resources by sending inputs that trigger heavy work or unbounded processing. In production, this can lead to degraded performance, outages, and service-level impact as threads, connections, or workers are consumed by a single malicious request. No CVEs are provided in this guide.

Within Ruby on Rails, URC often arises when endpoints accept large or unbounded payloads and perform synchronous processing in controllers or models. Examples include processing very large sets of items from params, uploading large files with in-process transforms, or issuing one external request per item without safeguards. Attackers can send enormous payloads in a single request or flood the system with many concurrent requests.

Indicators include rising response times, out-of-memory errors, spikes in thread or worker pool usage, exhausted database connections, and sudden increases in queue length. Monitoring should track request size, processing duration, memory footprint per request, and the rate of heavy jobs.

Remediation focuses on containment and offloading. Implement input and payload size limits, cap per-request work, and move heavy processing to background jobs with timeouts. Add rate limiting and request-size middleware, sanitize inputs via strong parameters, and test under load to verify that the URC mitigation holds.
Code Fix Example
Ruby on Rails API Security Remediation
Vulnerable:

class ResourcesController < ApplicationController
  def bulk_process
    # No cap on params[:items]: every element is processed synchronously,
    # with one external call each, inside the request thread.
    items = params[:items]
    results = items.map { |item| ExternalService.call(item) }
    render json: { results: results }
  end
end

Fixed:

class ResourcesController < ApplicationController
  MAX_ITEMS = 100

  def bulk_process
    # Array() tolerates a missing or scalar parameter; first(MAX_ITEMS)
    # bounds the amount of work a single request can trigger.
    items = Array(params[:items]).first(MAX_ITEMS)
    # Offload each item to a background worker so the request thread returns promptly.
    items.each { |item| BulkProcessJob.perform_later(item) }
    render json: { status: 'queued', count: items.size }
  end
end

class BulkProcessJob < ApplicationJob
  queue_as :default

  def perform(item)
    ExternalService.call(item)
  end
end
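The request-size middleware that the Overview's remediation paragraph calls for, as an added example that is not part of the original guide; the class name RequestSizeLimiter, its default cap, and the inline stub app are assumptions. It rejects oversized bodies before a controller runs, checking the declared Content-Length first and then the bytes actually present, so a missing or understated header cannot bypass the cap.

```ruby
require 'stringio'

# Rack middleware that refuses oversized request bodies before they reach a
# controller. Hypothetical name; a Rails app would register it with
#   config.middleware.use RequestSizeLimiter, max_bytes: 1_048_576
class RequestSizeLimiter
  DEFAULT_MAX_BYTES = 1_048_576 # 1 MiB, a constructed default for this example

  def initialize(app, max_bytes: DEFAULT_MAX_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    # Fast path: a declared Content-Length above the cap is rejected unread.
    declared = env['CONTENT_LENGTH'].to_i
    return reject if declared > @max_bytes

    # Slow path: read at most max_bytes + 1 so a missing or understated
    # Content-Length cannot smuggle a larger body past the check.
    body = env['rack.input']
    if body
      chunk = body.read(@max_bytes + 1) || ''
      body.rewind if body.respond_to?(:rewind)
      return reject if chunk.bytesize > @max_bytes
    end

    @app.call(env)
  end

  private

  def reject
    [413, { 'Content-Type' => 'application/json' },
     [%({"error":"payload too large","max_bytes":#{@max_bytes}})]]
  end
end

# Exercises the middleware without a server: builds a minimal Rack env around
# a constructed body and returns the HTTP status the middleware produced.
def limiter_status(body, max_bytes:, content_length: body.bytesize)
  app = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  env = { 'CONTENT_LENGTH' => content_length.to_s, 'rack.input' => StringIO.new(body) }
  RequestSizeLimiter.new(app, max_bytes: max_bytes).call(env).first
end
```

The cap here only bounds bytes; the MAX_ITEMS limit in the controller above still matters, because a small body can carry a large count of cheap-to-send but expensive-to-process items.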