No File Size Limit
File upload endpoints without size limits allow attackers to exhaust disk space, memory, and CPU with multi-gigabyte uploads.
How It Works
Without a file size limit, an attacker can upload a 10GB file to your storage bucket, fill up your /tmp directory, or crash your server with an out-of-memory (OOM) error when it loads the file into memory for processing. Even without malicious intent, a user uploading a raw 4K video to a profile picture endpoint causes the same problem.
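    // BAD: no file size limit — attacker uploads 10GB files
    import { IncomingForm } from 'formidable';

    export const config = { api: { bodyParser: false } };

    export default async function handler(req, res) {
      const form = new IncomingForm(); // no maxFileSize set
      const [fields, files] = await form.parse(req);
      await uploadToStorage(files.upload[0]); // uploadToStorage: the app's own storage helper
      res.status(200).json({ ok: true });
    }

    // GOOD: enforce file size limit before processing
    import { IncomingForm } from 'formidable';

    export const config = { api: { bodyParser: false } };

    export default async function handler(req, res) {
      const form = new IncomingForm({
        maxFileSize: 5 * 1024 * 1024, // 5MB limit
        maxFiles: 1
      });
      try {
        const [fields, files] = await form.parse(req);
        await uploadToStorage(files.upload[0]);
        res.status(200).json({ ok: true });
      } catch (err) {
        // form.parse rejects when maxFileSize or maxFiles is exceeded
        res.status(err.httpCode || 500).json({ error: 'upload rejected' });
      }
    }

Real-World Example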
Multiple production servers have been taken offline by file upload DoS attacks where the attacker uploaded multi-GB files that filled the container's writable layer or exhausted Node.js heap memory during image processing.
How to Prevent It
- Set maxFileSize to the minimum necessary for your use case (5MB for profile photos, 50MB for documents)
- Validate file size both on the client side (for UX) and on the server side (for security)
- Also set a maximum number of files per upload request
- Use cloud storage direct upload (Supabase Storage, S3 presigned URLs) where possible — the file never touches your server
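An added example (not Data Hogo's or formidable's code) of the server-side check when the request body is the file itself rather than a multipart form: it rejects on the declared Content-Length first, then counts bytes as they stream so a chunked or mis-declared upload is cut off at the limit. The names MAX_UPLOAD_BYTES, PayloadTooLarge, byteLimit, receiveUpload and demo, and the raw-body assumption, are illustrative.

```javascript
const { Transform, Readable, Writable } = require('node:stream');
const { pipeline } = require('node:stream/promises');

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // 5MB, the page's profile-photo figure

class PayloadTooLarge extends Error {}

// Cheap first check: refuse on the declared size before reading any body.
// Content-Length can be absent (chunked encoding) or wrong, so it is not enough alone.
function declaredSizeAllowed(headers, limit = MAX_UPLOAD_BYTES) {
  const raw = headers['content-length'];
  if (raw === undefined) return true; // unknown size: the streaming counter decides
  const n = Number(raw);
  return Number.isInteger(n) && n >= 0 && n <= limit; // malformed values are refused
}

// Authoritative check: count streamed bytes and fail on the first chunk past the limit.
function byteLimit(limit = MAX_UPLOAD_BYTES) {
  let seen = 0;
  return new Transform({
    transform(chunk, _enc, done) {
      seen += chunk.length;
      if (seen > limit) return done(new PayloadTooLarge(`upload exceeds ${limit} bytes`));
      done(null, chunk);
    },
  });
}

// Streams `source` into `sink` under the limit and resolves to an HTTP status code.
async function receiveUpload(source, headers, sink, limit = MAX_UPLOAD_BYTES) {
  if (!declaredSizeAllowed(headers, limit)) return 413;
  try {
    await pipeline(source, byteLimit(limit), sink);
    return 201;
  } catch (err) {
    if (err instanceof PayloadTooLarge) return 413;
    throw err;
  }
}

// Constructed input: an 8-byte body sent without Content-Length, against limits of 6 and 8.
async function demo() {
  const discard = () => new Writable({ write(_c, _e, cb) { cb(); } });
  const body = () => Readable.from([Buffer.alloc(4), Buffer.alloc(4)]);
  return [await receiveUpload(body(), {}, discard(), 6),
          await receiveUpload(body(), {}, discard(), 8)];
}
```

In a handler, `source` would be the incoming request stream and `sink` the write stream to storage; pipeline destroys both when the limit trips, so no further bytes are written.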
Related Vulnerabilities
No Request Body Limit
(medium) JSON API endpoints without a body size limit can be DoS'd by sending huge JSON payloads that exhaust server memory during parsing.
No Global Rate Limiting
(medium) Without global rate limiting at the edge or middleware level, any endpoint can be flooded with requests until the server is overwhelmed.
No Request Timeout
(low) HTTP requests without server-side timeouts allow slow clients or malicious slow-body attacks to hold server connections open indefinitely.
WebSocket Without Authentication
(high) WebSocket endpoints that accept connections without verifying authentication allow unauthenticated users to receive real-time data streams meant for authenticated users.