Function Timeout Abuse
Serverless functions without a configured timeout can be kept running indefinitely by malicious or malformed requests, draining your budget.
How It Works
Cloud providers charge per execution millisecond. Without a timeout, an attacker can send a slow request that keeps your function alive for the maximum platform limit (15 minutes on Lambda). Multiply that by concurrent invocations and you have a denial-of-wallet attack.
# BAD: serverless.yml with no timeout — defaults to 6s on AWS, can be 900s
functions:
  api:
    handler: src/handler.main
    # no timeout configured

# GOOD: set a tight timeout appropriate for the function's expected work
functions:
  api:
    handler: src/handler.main
    timeout: 10 # seconds — fail fast if something hangs

Real-World Example
A startup reported a $2,300 AWS bill in a single day after a bot started sending slow POST requests that held their Lambda functions open for the full 900-second default timeout.
How to Prevent It
- Set explicit timeouts on every function — never rely on platform defaults
- Set timeouts slightly above your p99 execution time, not the platform maximum
- Enable AWS Lambda Concurrency Limits or equivalent to cap parallel executions
- Set up billing alerts to detect unexpected cost spikes early
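The two prevention points that most need code to show them are "fail fast" and "size the timeout from p99, not the platform maximum". The example below is added here and is not Data Hogo's or the page's own code. It is a Python Lambda handler that enforces its own deadline using context.get_remaining_time_in_millis() (a real method on the Lambda context object), so that a downstream call which hangs is cut off with a 504 before the configured timeout fires, plus a helper that derives a `timeout:` value from observed execution durations using the nearest-rank p99 with headroom. FakeContext, SAFETY_MARGIN_MS, run_with_deadline, hanging_work and SAMPLE_DURATIONS_MS are constructed assumptions for running the example offline.

```python
"""Added example (not the page's own code): in-function deadline enforcement
for an AWS Lambda handler, plus sizing `timeout:` from observed p99 durations."""
import math
import threading
import time
from typing import Callable, Optional, Sequence

# Assumption: stop our own work this long before the platform would kill us,
# so the function can still return a clean error instead of being terminated.
SAFETY_MARGIN_MS = 500


class FakeContext:
    """Constructed stand-in for the Lambda context object; it provides only the
    one method the handler uses, get_remaining_time_in_millis()."""

    def __init__(self, budget_ms: int) -> None:
        self._deadline = time.monotonic() + budget_ms / 1000

    def get_remaining_time_in_millis(self) -> int:
        return max(0, int((self._deadline - time.monotonic()) * 1000))


def run_with_deadline(work: Callable[[], object], deadline_ms: int) -> dict:
    """Run work() on a daemon thread and give up after deadline_ms.

    On timeout the invocation returns 504 immediately. The stray thread is
    frozen together with the execution environment once the handler returns,
    so the invocation is not billed up to the platform limit."""
    outcome: dict = {}

    def target() -> None:
        try:
            outcome["value"] = work()
        except Exception as exc:  # surface downstream failures as 502
            outcome["error"] = exc

    worker = threading.Thread(target=target, daemon=True)
    worker.start()
    worker.join(timeout=deadline_ms / 1000)
    if worker.is_alive():
        return {"statusCode": 504, "body": "work exceeded in-function deadline"}
    if "error" in outcome:
        return {"statusCode": 502, "body": str(outcome["error"])}
    return {"statusCode": 200, "body": outcome["value"]}


def handler(event: dict, context, work: Optional[Callable[[], object]] = None) -> dict:
    """Lambda entry point. `work` is injectable so the slow path can be simulated;
    real code would call its downstream dependency there."""
    if work is None:
        work = lambda: {"echo": event}
    budget_ms = context.get_remaining_time_in_millis() - SAFETY_MARGIN_MS
    if budget_ms <= 0:
        return {"statusCode": 504, "body": "no time budget left"}
    return run_with_deadline(work, budget_ms)


def recommend_timeout_seconds(durations_ms: Sequence[int], headroom: float = 1.5) -> int:
    """Derive a `timeout:` value from observed execution times: nearest-rank p99
    times a headroom factor, rounded up to whole seconds. A single pathological
    outlier (the p100) does not drag the timeout toward the platform maximum."""
    if not durations_ms:
        raise ValueError("need at least one observed duration")
    ordered = sorted(durations_ms)
    rank = max(1, -(-99 * len(ordered) // 100))  # 1-based ceil(0.99 * n), integer math
    p99_ms = ordered[rank - 1]
    return max(1, math.ceil(p99_ms * headroom / 1000))


# Constructed sample: 95 normal requests, a few slow ones and one 40 s outlier.
SAMPLE_DURATIONS_MS = [120] * 95 + [900, 1500, 2000, 3200, 40000]


def hanging_work() -> object:
    """Simulates a downstream call that never completes in time."""
    time.sleep(5)
    return "too late"


if __name__ == "__main__":
    print("recommended timeout:", recommend_timeout_seconds(SAMPLE_DURATIONS_MS), "s")
    print("fast:", handler({"q": 1}, FakeContext(budget_ms=1500)))
    print("hung:", handler({"q": 2}, FakeContext(budget_ms=1500), work=hanging_work))
```

With the constructed sample, the p99 is 3200 ms, so the helper recommends a 5-second `timeout:` rather than the 60 seconds the single outlier would suggest; the in-function deadline then sits 500 ms under whatever the platform was configured with, so the hung request costs roughly one second of execution instead of the full limit.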
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
Over-privileged IAM Roles (severity: medium)
Giving serverless functions or services more IAM permissions than they need turns a minor breach into a full account compromise.

Environment Variables in Logs (severity: high)
Logging process.env dumps all your secrets — API keys, database passwords, signing keys — directly into your log system.

Shared /tmp State (severity: medium)
Serverless functions reuse execution environments between invocations, so sensitive files written to /tmp can be read by later requests from different users.

Cold Start State Leak (severity: medium)
Global variables in serverless functions persist across invocations in the same execution environment, leaking user data between requests.