Severity: medium | CWE-400 | OWASP Top 10 A05:2021

No Request Body Limit

JSON API endpoints without a request body size limit are open to denial of service (DoS): an attacker sends huge JSON payloads that exhaust server memory while the body is buffered and parsed.

How It Works

Node.js body-parsing middleware (express.json, the Next.js bodyParser) loads the entire request body into memory before parsing it. Without a size limit, an attacker can send a 100MB JSON request; the server buffers it, allocating 100MB or more, and may crash or become unresponsive. Repeated across multiple concurrent connections, this is a full DoS.

Vulnerable Code

// BAD: no body size limit, so an attacker can send a 100MB JSON body

// pages/api/<route>.ts (Next.js API route)
// The default bodyParser limit is 1MB. Disabling the parser, as here, means a
// handler that buffers the raw request stream has no cap at all.
export const config = {
  api: {
    bodyParser: false
  }
};

// Or in Express with no limit:
app.use(express.json()); // default is 100kb, but often overridden to an unlimited value

Secure Code

// GOOD: explicit body size limits

// pages/api/<route>.ts (Next.js API route): the limit is configured per route
export const config = {
  api: {
    bodyParser: {
      sizeLimit: '1mb' // explicit limit; adjust per endpoint
    }
  }
};

// For Express:
app.use(express.json({ limit: '100kb' }));

Real-World Example

Express applications with bodyParser configured to accept unlimited request bodies have been used as amplifiers in DoS attacks. A single attacker machine sending 10 concurrent 50MB requests can cause a Node.js server to allocate 500MB+ and crash.

How to Prevent It

  • Set an explicit body size limit on all JSON endpoints (1MB is usually sufficient for API payloads)
  • Use different limits for different endpoint types: 100KB for auth, 1MB for general API, 10MB for bulk operations
  • Validate the Content-Length header before reading the body to reject oversized requests early
  • Reject requests with no Content-Length header on endpoints that expect a body
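The two checks from the list above, validating Content-Length before reading and enforcing the limit while the body streams in, as an added example that is not the page's or Data Hogo's code. It targets a plain Node.js http server rather than Express or Next.js, and DEFAULT_LIMIT plus every function and class name are this example's own choices.

```javascript
// Added example, not the page's code; all names and DEFAULT_LIMIT are its own
// choices. Size-bounded JSON body reading for a plain Node.js http server:
// Content-Length is checked before reading, and bytes are counted while
// streaming so chunked bodies (no Content-Length) stop at the limit as well.
const DEFAULT_LIMIT = 1024 * 1024; // 1 MB, the size the page suggests for APIs
// Header-only check before any body byte is consumed: null = may read, else status.
function precheckHeaders(headers, limit = DEFAULT_LIMIT) {
  const raw = headers['content-length'];
  if (raw === undefined) {                             // no declared size
    return headers['transfer-encoding'] ? null : 411;  // 411 Length Required
  }
  if (!/^\d+$/.test(raw)) return 400;                  // malformed length
  return Number(raw) > limit ? 413 : null;             // 413 Content Too Large
}
// Streaming accumulator: buffers at most `limit` bytes and flags overflow at once.
class BoundedBody {
  constructor(limit = DEFAULT_LIMIT) {
    Object.assign(this, { limit, received: 0, chunks: [], overflowed: false });
  }
  push(chunk) {                       // returns false once the limit is exceeded
    if (this.overflowed) return false;
    this.received += chunk.length;
    if (this.received > this.limit) {
      this.overflowed = true;
      this.chunks = [];               // release what was buffered
      return false;
    }
    this.chunks.push(chunk);
    return true;
  }
  parse() {                           // an oversized body never reaches JSON.parse
    if (this.overflowed) throw new Error('body exceeds limit');
    return JSON.parse(Buffer.concat(this.chunks).toString('utf8'));
  }
}
// Glue for http.IncomingMessage: resolves to parsed JSON, or rejects with an
// Error carrying `status` (400/411/413) for the handler to send back.
function readJsonBody(req, limit = DEFAULT_LIMIT) {
  return new Promise((resolve, reject) => {
    const fail = (status, msg) => reject(Object.assign(new Error(msg), { status }));
    const status = precheckHeaders(req.headers, limit);
    if (status !== null) return fail(status, 'rejected before reading body');
    const body = new BoundedBody(limit);
    req.on('data', (chunk) => {       // destroy() stops reading: no more memory spent
      if (!body.push(chunk)) { req.destroy(); fail(413, 'body exceeds limit'); }
    });
    req.on('end', () => { try { resolve(body.parse()); } catch (e) { fail(400, e.message); } });
    req.on('error', (e) => fail(400, e.message));
  });
}
```

In a request handler, call readJsonBody(req) and, on rejection, answer with err.status (411, 413 or 400); the request never occupies more than the limit in memory.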

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
