Fix Unrestricted Resource Consumption in Quarkus
Quarkus is built for speed, but speed without bounds is a DoS waiting to happen. Unrestricted Resource Consumption (CWE-400) occurs when your endpoints ingest data or spawn work without strict limits on memory, CPU, threads, or file descriptors. In a reactive environment, failing to bound inputs lets an attacker saturate the Vert.x/Netty event loop or worker pool, or trigger an OutOfMemoryError, by sending massive payloads or high-frequency requests. Remember that a JSON body is fully deserialized into heap before your resource method ever runs, so the method body is the wrong place to discover that the input is too large.
The Vulnerable Pattern
package com.security.poc;

import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import java.util.List;

@Path("/v1/data")
public class InsecureResource {

    @POST
    @Path("/upload")
    @Consumes(MediaType.APPLICATION_JSON)
    public void processData(List<String> inputs) {
        // VULNERABILITY: no limit on the size of 'inputs'.
        // An attacker can POST a JSON array with millions of strings; the
        // whole array is deserialized into heap before this method runs,
        // so the JVM exhausts its heap (OutOfMemoryError) and the service dies.
        inputs.forEach(System.out::println);
    }
}
The Secure Implementation
To harden Quarkus against resource exhaustion, apply defense in depth:
1. HTTP layer: set quarkus.http.limits.max-body-size in application.properties so the Vert.x/Netty server rejects oversized bodies with 413 before any JSON is parsed. The default is 10240K (10 MiB); tighten it to what the endpoint actually needs. quarkus.http.limits.max-header-size bounds request headers the same way.
2. Validation layer: use Jakarta Bean Validation (@Size, @Max) to bound the size of collections and strings in your DTOs. Bound every dimension: a list capped at 100 elements is only harmless if each element is capped too.
3. Concurrency control: use SmallRye Fault Tolerance annotations, @Bulkhead to cap concurrent executions of an expensive endpoint and @RateLimit to cap calls per time window. @RateLimit is a global limit on the annotated method, not a per-client one; per-client throttling belongs in a gateway or a custom filter keyed on the caller's identity.
4. Memory management: when processing streams, use Mutiny's backpressure operators (onOverflow().buffer(n), onOverflow().drop(), fixed-size batches) so you never buffer more data than the consumer can handle.
# application.properties
quarkus.http.limits.max-body-size=1M

package com.security.secure;

import io.smallrye.faulttolerance.api.RateLimit;
import jakarta.validation.constraints.Size;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.faulttolerance.Bulkhead;
import java.time.temporal.ChronoUnit;
import java.util.List;

@Path("/v1/data")
public class SecureResource {

    @POST
    @Path("/upload")
    @Consumes(MediaType.APPLICATION_JSON)
    @RateLimit(value = 50, window = 1, windowUnit = ChronoUnit.MINUTES)
    @Bulkhead(value = 5)
    public void processData(@Size(max = 100) List<String> inputs) {
        // FIXED:
        // 1. quarkus.http.limits.max-body-size=1M makes the HTTP layer reject
        //    oversized bodies with 413 before any JSON is parsed.
        // 2. @Size(max = 100) bounds the element count; a request with more
        //    elements fails validation and is rejected with 400. It does NOT
        //    bound each string; use List<@Size(max = N) String> or a validated
        //    DTO for that.
        // 3. @RateLimit allows 50 calls per minute to this method in total
        //    (a global limit, not per client); excess calls throw RateLimitException.
        // 4. @Bulkhead limits concurrent executions to 5; on a synchronous method
        //    extra calls are rejected immediately with BulkheadException.
        inputs.forEach(System.out::println);
    }
}
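The hardened resource above leaves three gaps a practitioner will want closed: each string in the list is still unbounded, RateLimitException and BulkheadException surface as generic 500s unless something maps them, and step 4 (Mutiny backpressure) is not shown. The following is an added example written for this page, not code from the original article or from the Quarkus project. It assumes the quarkus-rest-jackson (or resteasy-reactive-jackson), quarkus-hibernate-validator and quarkus-smallrye-fault-tolerance extensions; the class names, the /v1/batch path, the limits, and the batch arithmetic are illustrative choices. The three classes are shown in one file for brevity, so only the resource is public; in a real project each goes in its own file.

```java
package com.security.secure;

import io.smallrye.faulttolerance.api.RateLimitException;
import io.smallrye.mutiny.Multi;
import io.smallrye.mutiny.Uni;
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.ExceptionMapper;
import jakarta.ws.rs.ext.Provider;
import org.eclipse.microprofile.faulttolerance.exceptions.BulkheadException;
import java.util.List;

// Hypothetical DTO: every dimension of the payload is bounded, not just the
// element count. A 100-element list of 10 MB strings is still a DoS.
class UploadRequest {
    @NotNull
    @Size(max = 100)                                      // at most 100 elements
    public List<@NotBlank @Size(max = 256) String> items; // each element at most 256 chars
}

@Path("/v1/batch")
public class BoundedBatchResource {

    private static final int BATCH = 10; // illustrative batch size

    // @Valid cascades into the DTO, so the nested constraints on 'items' are
    // enforced before this method body runs; violations become a 400.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Uni<List<Integer>> process(@Valid UploadRequest request) {
        return Multi.createFrom().iterable(request.items)
                // Bounded buffer: if a producer pushes faster than we consume,
                // at most BATCH * 4 items are held; beyond that the stream
                // fails instead of growing the heap without limit.
                .onOverflow().buffer(BATCH * 4)
                // Process in fixed-size batches rather than materializing
                // everything at once.
                .group().intoLists().of(BATCH)
                // Per-batch work; here, the total character count of the batch.
                .onItem().transform(batch -> batch.stream().mapToInt(String::length).sum())
                .collect().asList();
    }
}

// Map SmallRye's rate-limit rejection to 429 so clients back off instead of
// retrying a 500. The Retry-After value matches the one-minute window used
// on SecureResource above.
@Provider
class RateLimitMapper implements ExceptionMapper<RateLimitException> {
    @Override
    public Response toResponse(RateLimitException e) {
        return Response.status(429).header("Retry-After", "60").build();
    }
}

// Map a full bulkhead to 503 so load balancers and clients treat it as
// transient overload.
@Provider
class BulkheadMapper implements ExceptionMapper<BulkheadException> {
    @Override
    public Response toResponse(BulkheadException e) {
        return Response.status(Response.Status.SERVICE_UNAVAILABLE).build();
    }
}
```

A note on the Mutiny part: an in-memory iterable source already honours downstream demand, so with this particular source the overflow strategy is rarely exercised. It becomes essential when the upstream is a pushy source such as a Vert.x stream or a message broker; the point is that the pipeline's worst-case memory is fixed by the buffer and batch sizes you choose, not by how much the sender decides to push.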
Verified by Ghost Labs Security Team