Severity: medium | CWE-400: Uncontrolled Resource Consumption

No Connection Pool Limits

Your database connection pool has no max connection limit, meaning a traffic spike or slow query can exhaust all available database connections and take your app down.

How It Works

PostgreSQL accepts only a finite number of connections: max_connections (default 100), of which superuser_reserved_connections (default 3) are held back for superusers, so ordinary roles get 97. Every connection is a separate backend process with its own memory, so the limit is real and not just a setting. If your app creates a pool per serverless function instance (common in Next.js on Vercel), or worse, constructs the pool inside the handler so that every invocation gets a fresh one, and nothing bounds how many instances run concurrently, a traffic spike or a slow query that holds clients open can open hundreds of connections at once. Once the limit is hit, Postgres rejects every new connection with "FATAL: sorry, too many clients already" (SQLSTATE 53300, too_many_connections), for every user and every service sharing that database, not only the noisy one. This is a classic DoS through resource exhaustion, and an unbounded pool makes it self-inflicted: no attacker is needed, just load.

Vulnerable Code

const { Pool } = require('pg');

// BAD: no explicit max, and nothing bounds how many of these pools exist
const pool = new Pool({
  connectionString: process.env.DATABASE_URL
  // No max: pg's Pool quietly defaults to 10 per pool, and every function
  // instance gets its own pool, so the effective ceiling is
  // (number of instances) x 10, and nothing bounds the number of instances
});

Secure Code

const { Pool } = require('pg');

// GOOD: explicit limits, sized so (instances x max) stays under max_connections
const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  max: 10,                      // per pool; use 1-5 on serverless behind a pooler
  idleTimeoutMillis: 30000,     // close idle connections after 30s
  connectionTimeoutMillis: 2000 // fail fast instead of queueing forever when the pool is full
});

Real-World Example

Serverless deployments on Vercel/Netlify are especially prone to this. Each function instance creates its own pool, and the platform, not you, decides how many instances exist. Under load, 50 function instances each with a 20-connection pool = 1000 connections, ten times PostgreSQL's default max_connections. The fix is to put a connection pooler such as PgBouncer or Supabase's built-in pooler between the functions and Postgres: each instance keeps a tiny pool to the pooler, and the pooler multiplexes those onto a small, fixed number of real server connections, so the number of backends no longer scales with the number of instances.

How to Prevent It

  • Always set a max pool size, and size it as (concurrent instances x max) against max_connections, not per pool in isolation; for serverless, keep it low (1-5 per function instance) and use a connection pooler
  • Create the pool once at module scope, never inside the request handler, so warm invocations reuse it instead of opening a new pool each time
  • Use PgBouncer or Supabase's connection pooler in transaction mode for serverless deployments. Transaction mode hands the server connection back after every transaction, so session state (SET, named prepared statements, advisory locks, LISTEN/NOTIFY, temp tables) does not survive between queries; avoid those features or route that traffic through session mode
  • Set idleTimeoutMillis to reclaim unused connections quickly, and set connectionTimeoutMillis so an exhausted pool fails fast instead of queueing requests until they time out upstream
  • Always release clients in a finally block; a leaked client occupies a pool slot for the life of the process and exhausts a small pool within a few requests
  • Monitor active database connections in your metrics (pg_stat_activity, or the pooler's stats); a spike is an early warning
  • Set max_connections in postgresql.conf based on your instance size and expected connection count. Changing it requires a restart, and every connection is a backend process that costs memory, so raising it is not a substitute for pooling
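Putting the list together, here is an added example (not code from the original page or from Data Hogo) of a serverless-safe pool module for Node.js with node-postgres. The pool is module-scoped so warm instances reuse it, it is created lazily, and its max is tiny because a pooler in front of Postgres does the real multiplexing. The sizing helpers encode the arithmetic from the Real-World Example so you can check (instances x max) against max_connections before deploying. The PG_POOL_MAX environment variable, the headroom of 10 spare connections, and the assumption that DATABASE_URL points at the pooler are illustration choices, not anything the page specifies.

```javascript
// Added example, not from the original page: a serverless-safe pg pool module.
// Assumes node-postgres (`pg`) is installed; the pool is created lazily, so the
// sizing helpers can run (and be tested) without a database or `pg` present.

const POSTGRES_DEFAULT_MAX_CONNECTIONS = 100; // max_connections default
const SUPERUSER_RESERVED = 3;                  // superuser_reserved_connections default
const HEADROOM = 10; // assumed: slots kept free for migrations, cron jobs, psql

// Worst case the app can open: every concurrent instance fills its own pool.
// 50 instances x 20 per pool = 1000, the figure from the Real-World Example.
function worstCaseConnections(concurrentInstances, perPoolMax) {
  return concurrentInstances * perPoolMax;
}

// Connections the app may use without eating the superuser reserve or headroom.
function appBudget({
  maxConnections = POSTGRES_DEFAULT_MAX_CONNECTIONS,
  reserved = SUPERUSER_RESERVED,
  headroom = HEADROOM,
} = {}) {
  return Math.max(0, maxConnections - reserved - headroom);
}

// Largest per-pool `max` that fits the budget; 0 means "no direct pool size
// works at this concurrency, put a pooler (PgBouncer/Supavisor) in front".
function recommendedPoolMax(concurrentInstances, opts) {
  if (concurrentInstances <= 0) return 0;
  return Math.floor(appBudget(opts) / concurrentInstances);
}

function fitsBudget(concurrentInstances, perPoolMax, opts) {
  return worstCaseConnections(concurrentInstances, perPoolMax) <= appBudget(opts);
}

let pool; // module scope: one pool per instance, reused across warm invocations

function getPool() {
  if (pool) return pool;
  const { Pool } = require('pg'); // lazy: nothing below runs until first use
  pool = new Pool({
    // Assumed to point at the pooler (transaction mode, usually port 6432),
    // not straight at Postgres, so the per-instance max can be tiny.
    connectionString: process.env.DATABASE_URL,
    max: Number(process.env.PG_POOL_MAX || 2), // assumed env var; 1-5 on serverless
    idleTimeoutMillis: 10000,       // hand idle slots back to the pooler quickly
    connectionTimeoutMillis: 2000,  // error out instead of queueing forever when full
  });
  // Without a handler, an error on an idle client is an unhandled 'error'
  // event and crashes the process.
  pool.on('error', (err) => console.error('idle pg client error', err));
  return pool;
}

// Always release in `finally`: a leaked client is a slot gone for the life of
// the instance, and with max: 2 that is half the pool.
async function withClient(fn) {
  const client = await getPool().connect();
  try {
    return await fn(client);
  } finally {
    client.release();
  }
}

module.exports = { worstCaseConnections, appBudget, recommendedPoolMax, fitsBudget, getPool, withClient };
```

Call withClient from the request handler and never construct a Pool inside it. With the defaults above, recommendedPoolMax(20) is 4 and recommendedPoolMax(100) is 0: at a hundred concurrent instances no direct pool size fits under a stock max_connections, which is exactly the case where the pooler is mandatory rather than optional.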

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.
