Missing Database Connection Timeout
Your database connection has no timeout configured, so a slow or unresponsive database will hang your entire application indefinitely instead of failing fast.
How It Works
Without connection timeouts, a single slow database query can hold an HTTP request open for minutes, exhausting your server's thread pool or function concurrency limit. If the database becomes unresponsive (network partition, overload), every incoming request hangs, rapidly cascading into a full application outage. Fail-fast behavior — returning an error quickly — is always better than indefinite waiting.
const { Pool } = require('pg'); // node-postgres

// BAD: no timeouts configured — hangs indefinitely on slow DB
const pool = new Pool({
  connectionString: process.env.DATABASE_URL
  // No connectionTimeoutMillis, no statement_timeout, no query_timeout
});

// GOOD: set timeouts at both pool and query level
const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  connectionTimeoutMillis: 3000, // fail if can't connect in 3s
  statement_timeout: 10000,      // cancel queries running over 10s (server side)
  query_timeout: 10000           // client-side query timeout
});

Real-World Example
A popular SaaS app experienced a complete outage when their database replica lag spiked during a migration. Without timeouts, all 500 concurrent requests hung waiting for responses that never came, exhausting Vercel's concurrent execution limit and returning 504s to all users for 20 minutes.
How to Prevent It
- Set connectionTimeoutMillis (how long to wait for a connection from the pool) to 2-5 seconds
- Set statement_timeout at the PostgreSQL session level to cancel runaway queries
- Implement circuit breaker patterns for database calls in critical code paths
- Use application-level timeouts (AbortController in fetch, Promise.race with a timeout) as a belt-and-suspenders measure
- Set lock_timeout in PostgreSQL to prevent lock contention from blocking indefinitely
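The two application-level measures from the list above, a Promise.race timeout wrapper and a circuit breaker around database calls, as an added example (this is not code from the original page or from Hogo). It assumes node-postgres style `pool.query()` calls, but the database itself is replaced by `fakeQuery()`, a constructed stand-in, so the example runs offline; `withTimeout`, `CircuitBreaker` and `guardedQuery` are names chosen here, not library APIs.

```javascript
// Added example: application-level timeout plus a minimal circuit breaker
// for database calls. The database is simulated by fakeQuery() (constructed
// stand-in for pool.query()), so nothing here needs a real connection.

// Reject after `ms` milliseconds if `promise` has not settled (Promise.race pattern).
function withTimeout(promise, ms, label = 'operation') {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms}ms`)), ms);
  });
  // Whichever settles first wins; always clear the timer so it cannot keep the process alive.
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Minimal circuit breaker: closed -> open after `failureThreshold` consecutive
// failures; open -> half-open after `resetAfterMs`; half-open -> closed on one
// success, or back to open on one failure. `now` is injectable so the state
// machine can be tested without sleeping.
class CircuitBreaker {
  constructor({ failureThreshold = 3, resetAfterMs = 30000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.resetAfterMs = resetAfterMs;
    this.now = now;
    this.state = 'closed';
    this.failures = 0;
    this.openedAt = 0;
  }

  // May a call proceed? An open circuit lets one trial call through once resetAfterMs has passed.
  allowRequest() {
    if (this.state === 'open' && this.now() - this.openedAt >= this.resetAfterMs) {
      this.state = 'half-open';
    }
    return this.state !== 'open';
  }

  recordSuccess() {
    this.failures = 0;
    this.state = 'closed';
  }

  recordFailure() {
    this.failures += 1;
    if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
      this.state = 'open';
      this.openedAt = this.now();
    }
  }

  // Run fn() through the breaker: rejects immediately while open, so callers
  // fail fast instead of queueing behind an unresponsive database.
  async call(fn) {
    if (!this.allowRequest()) {
      throw new Error('circuit open: database call rejected without waiting');
    }
    try {
      const result = await fn();
      this.recordSuccess();
      return result;
    } catch (err) {
      this.recordFailure();
      throw err;
    }
  }
}

// Both guards together: the breaker short-circuits while the database is known
// to be unhealthy; the timeout bounds the wait when it is merely slow.
function guardedQuery(breaker, queryFn, timeoutMs) {
  return breaker.call(() => withTimeout(queryFn(), timeoutMs, 'database query'));
}

// Constructed stand-in for pool.query(): resolves with `rows` after `delayMs`.
function fakeQuery(rows, delayMs) {
  return new Promise((resolve) => setTimeout(() => resolve({ rows }), delayMs));
}

// Demo: a database that answers in 5 ms, then one that hangs for 500 ms per query.
async function runDemo() {
  const breaker = new CircuitBreaker({ failureThreshold: 2, resetAfterMs: 1000 });
  const fast = await guardedQuery(breaker, () => fakeQuery([{ id: 1 }], 5), 100);
  console.log('fast query rows:', fast.rows.length, '| breaker:', breaker.state);

  for (let i = 0; i < 3; i++) {
    try {
      await guardedQuery(breaker, () => fakeQuery([], 500), 20);
    } catch (err) {
      // Attempts 1 and 2 time out after 20 ms and open the breaker;
      // attempt 3 is rejected instantly without touching the database.
      console.log(`attempt ${i + 1}: ${err.message} | breaker: ${breaker.state}`);
    }
  }
}

runDemo();
```

The timeout value passed to `withTimeout` should be at least as large as the server-side `statement_timeout`, otherwise the client gives up while the server keeps executing the query; the breaker's `resetAfterMs` is what keeps a recovering database from being hit by a thundering herd of retries.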
Affected Technologies
Data

Hogo detects this vulnerability automatically.
Related Vulnerabilities
- Unencrypted Database Connection (high): Your database connection doesn't use SSL/TLS, meaning all queries and results travel over the network in plaintext and can be intercepted.
- Database Publicly Accessible (critical): Your database is bound to 0.0.0.0 or exposed on a public IP without a VPC or firewall, making it directly reachable from the internet.
- Default Database Credentials (critical): Your database uses factory-default credentials like postgres:postgres, root:root, or admin:admin — the first thing any attacker tries.
- Connection String with Inline Password (high): A database connection string with a plaintext password is hardcoded in your source code, committing your database credentials to version control.