
Fix Unrestricted Resource Consumption in SvelteKit

Unrestricted Resource Consumption (CWE-400) in SvelteKit occurs when server-side routes—specifically API endpoints (+server.js) and Form Actions (+page.server.js)—process user-supplied data without enforcing bounds on execution time, memory, or payload size. In a SvelteKit context, this often manifests as CPU exhaustion via expensive computations or memory leaks from unvalidated bulk operations. If you aren't limiting how much work a single request can trigger, an attacker will DoS your instance with a single loop.

The Vulnerable Pattern

// src/routes/api/generate-report/+server.js
// (heavyComputationalTask is assumed to be defined elsewhere in the app)
export async function POST({ request }) {
    const { items } = await request.json();

    // VULNERABILITY: No limit on the 'items' array size.
    // An attacker sends 1,000,000 items to exhaust CPU/Memory.
    const processed = items.map(item => {
        return heavyComputationalTask(item);
    });

    return new Response(JSON.stringify({ processed }));
}

The Secure Implementation

The secure implementation mitigates resource exhaustion through three primary layers. First, it uses a Rate Limiter to prevent automated scripts from spamming the expensive endpoint. Second, it explicitly validates the 'items' array length, ensuring that the computational complexity (O(n)) has a hard ceiling. Third, it references SvelteKit's 'bodySizeLimit' configuration, which should be set in svelte.config.js to prevent the server from even attempting to parse massive JSON payloads before they reach your logic. Always pair these with Zod or similar libraries for strict schema validation.

// src/routes/api/generate-report/+server.js
import { error } from '@sveltejs/kit';
import { RateLimiter } from 'sveltekit-rate-limiter/server';

const limiter = new RateLimiter({
    IP: [20, 'm'],    // Limit to 20 requests per minute per IP
    IP_UA: [10, 'm']  // Limit to 10 requests per minute per IP + User-Agent pair
});

export async function POST(event) {
    // 1. Rate Limiting
    if (await limiter.isLimited(event)) {
        throw error(429, 'Rate limit exceeded');
    }

    const { items } = await event.request.json();

    // 2. Input Validation & Bounding
    if (!Array.isArray(items) || items.length > 50) {
        throw error(400, 'Too many items. Maximum allowed is 50.');
    }

    const processed = items.map(item => heavyComputationalTask(item));

    return new Response(JSON.stringify({ processed }));
}

// svelte.config.js - Global payload limit
// const config = {
//     kit: {
//         bodySizeLimit: '512kb'
//     }
// };
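The two application-layer checks above (a payload ceiling and a hard cap on the `items` array) plus a per-IP limiter, written here as an added, framework-agnostic example that is not the page's code and needs no SvelteKit runtime to unit test. The names `boundRequestBody` and `FixedWindowLimiter`, and the 512 KB / 50-item limits used as defaults, are assumptions chosen to mirror the handler above.

```javascript
// Added example (hypothetical helpers): bound a JSON request body and
// rate-limit a client before any expensive per-item work runs.
const MAX_BODY_BYTES = 512 * 1024; // mirrors a 512kb payload ceiling (constructed value)
const MAX_ITEMS = 50;              // hard ceiling on O(n) work per request

// Returns { ok: true, items } or { ok: false, status, message } so a
// handler can map the result onto a 400/413 response, e.g.
//   const r = boundRequestBody(await event.request.text());
//   if (!r.ok) throw error(r.status, r.message);
function boundRequestBody(rawBody, { maxBytes = MAX_BODY_BYTES, maxItems = MAX_ITEMS } = {}) {
  // Size check happens BEFORE JSON.parse: parsing is itself CPU/memory work.
  const byteLength = Buffer.byteLength(rawBody, 'utf8');
  if (byteLength > maxBytes) {
    return { ok: false, status: 413, message: `Payload of ${byteLength} bytes exceeds ${maxBytes}` };
  }
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { ok: false, status: 400, message: 'Body is not valid JSON' };
  }
  const items = parsed && parsed.items;
  if (!Array.isArray(items)) {
    return { ok: false, status: 400, message: "'items' must be an array" };
  }
  if (items.length > maxItems) {
    return { ok: false, status: 400, message: `Too many items. Maximum allowed is ${maxItems}.` };
  }
  return { ok: true, items };
}

// Minimal fixed-window limiter keyed by client IP (in-memory, single
// process). `now` is injectable so behaviour can be tested deterministically.
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // ip -> { windowStart, count }
  }

  // true when this IP has exceeded `limit` requests in the current window
  isLimited(ip, now = Date.now()) {
    const bucket = this.buckets.get(ip);
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
      this.buckets.set(ip, { windowStart: now, count: 1 });
      return false;
    }
    bucket.count += 1;
    return bucket.count > this.limit;
  }
}
```

An in-memory limiter like this only protects a single process; behind several instances the counters must live in shared storage, which is why the handler above delegates to a library.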
