Fix Unrestricted Resource Consumption in ElysiaJS

Unrestricted Resource Consumption in ElysiaJS is a high-impact DoS vector. Because Bun is designed for extreme throughput, an unprotected endpoint can be weaponized to exhaust heap memory or pin the event loop via oversized payloads and request flooding. To harden an Elysia instance, you must enforce strict ingress limits and throttle high-frequency abuse.

The Vulnerable Pattern

import { Elysia } from 'elysia';
const app = new Elysia()
// VULNERABLE: No body limit and no rate limiting.
// An attacker can send a multi-gigabyte payload to crash the process.
.post(‘/data’, ({ body }) => {
console.log(body);
return { success: true };
})
.listen(3000);

The Secure Implementation

The fix targets two primary exhaustion vectors: Memory and CPU. By setting 'bodyLimit' in the Elysia constructor, we instruct the underlying Bun server to reject payloads exceeding 1MB before they are fully buffered into memory. The 'elysia-rate-limit' middleware mitigates distributed or single-source flooding by tracking request frequency per IP, ensuring that the high-concurrency capabilities of Bun aren't turned against the infrastructure to cause service degradation.

import { Elysia } from 'elysia';
import { rateLimit } from 'elysia-rate-limit';
const app = new Elysia({
// SECURE: Enforce a global 1MB body limit at the constructor level
bodyLimit: 1024 * 1024
})
// SECURE: Implement rate limiting to prevent event loop starvation
.use(rateLimit({
max: 50,
duration: 60000,
errorResponse: new Response(‘Rate limit exceeded’, { status: 429 })
}))
.post(‘/data’, ({ body }) => {
return { success: true };
})
.listen(3000);