GuardAPI Logo
GuardAPI

Fix Unrestricted Resource Consumption in Express

Unrestricted Resource Consumption (CWE-400) in Express.js allows attackers to trigger Denial of Service (DoS) by exhausting CPU, memory, or disk space. This usually happens through unbounded file uploads, massive JSON payloads, or request flooding. If you aren't limiting the intake, you're inviting a crash.

The Vulnerable Pattern

const express = require('express');
const app = express();

// VULNERABLE: No global rate limiting
// VULNERABLE: Body parser has no size limit (default is often too large or unset)
app.use(express.json());


app.post(‘/api/data’, (req, res) => {
// Processing uncontrolled input sizes can crash the event loop
console.log(req.body);
res.send(‘Processed’);
});


app.listen(3000);

The Secure Implementation

To harden Express against resource exhaustion, apply a three-tier defense: First, use 'express-rate-limit' to throttle IPs and prevent brute-force or flooding. Second, explicitly pass a 'limit' option to your body-parsing middleware (express.json, express.urlencoded) to reject massive payloads before they hit your logic. Third, configure 'server.setTimeout' to ensure that slow-loris style attacks or hung sockets don't keep worker threads occupied indefinitely.

const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// 1. Implement Rate Limiting to prevent request flooding
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
message: ‘Too many requests, please try again later.’
});
app.use(limiter);


// 2. Enforce strict payload size limits
app.use(express.json({ limit: ‘10kb’ }));
app.use(express.urlencoded({ extended: true, limit: ‘10kb’ }));


app.post(‘/api/data’, (req, res) => {
res.status(200).json({ status: ‘success’ });
});


// 3. Set server timeouts to reap hung connections
const server = app.listen(3000);
server.setTimeout(5000);

System Alert • ID: 6017
Target: Express API
Potential Vulnerability

Your Express API might be exposed to Unrestricted Resource Consumption

74% of Express apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X