Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.
Verbreitung
Hoch
Häufig ausgenutzt
Auswirkung
Mittel
Review empfohlen
Prävention
Dokumentiert
8 Fix-Beispiele
2 Prävention
2 Prävention
So behebst du diese Schwachstelle
Präventionsstrategien für Resource Exhaustion basierend auf 8 Shoulder-Erkennungsregeln.
LLM Denial of Service
MEDIUM
Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls
func handler(w http.ResponseWriter, r *http.Request) { var req ChatRequest json.NewDecoder(r.Body).Decode(&req) - resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ - Model: "gpt-4", - Messages: []openai.ChatCompletionMessage{{Content: req.Message}}, + + message := req.Message + if len(message) > 2000 { + message = message[:2000] + } + + ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second) + defer cancel() + + resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ + Model: "gpt-4", + Messages: []openai.ChatCompletionMessage{{Content: message}}, + MaxTokens: 500, }) json.NewEncoder(w).Encode(resp) }
Missing Request Size Limits
MEDIUM
Use http.MaxBytesReader to limit request body size before reading
func handler(w http.ResponseWriter, r *http.Request) { - body, _ := io.ReadAll(r.Body) + r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) + body, err := io.ReadAll(r.Body) + if err != nil { + http.Error(w, "Request too large", 413) + return + } process(body) }
Denial of Service via Resource Exhaustion
MEDIUM
Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes
func process(items []string) { - for _, item := range items { - go func(i string) { + sem := make(chan struct{}, 100) + for _, item := range items { + sem <- struct{}{} + go func(i string) { + defer func() { <-sem }() expensiveOperation(i) }(item) } }
JavaScript
Alle anzeigen JavaScript Details →
LLM Denial of Service
MEDIUM
Set max_tokens limits and validate input length before LLM API calls
- const response = await openai.chat.completions.create({ - model: 'gpt-4', - messages: [{ role: 'user', content: req.body.message }] + const message = req.body.message.substring(0, 2000); + const response = await openai.chat.completions.create({ + model: 'gpt-4', + messages: [{ role: 'user', content: message }], + max_tokens: 500 });
Denial of Service via Unbounded Child Processes
MEDIUM
Configure timeout and maxBuffer for child process execution to prevent resource exhaustion
- const { stdout } = await execPromise(`ping -c 4 ${domain}`); + const { stdout } = await execPromise(`ping -c 4 ${domain}`, { + timeout: 5000, + maxBuffer: 1024 * 100 + });
Kubernetes
Alle anzeigen Kubernetes Details →
Missing Resource Limits
MEDIUM
Define CPU and memory resource limits to prevent resource exhaustion and denial of service
apiVersion: v1 kind: Pod spec: containers: - name: app image: nginx:1.25 - ports: - - containerPort: 80 + resources: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "256Mi" + cpu: "500m"
LLM Denial of Service
MEDIUM
Set max_tokens limits, validate input length, and configure timeouts for LLM API calls
- @app.route('/chat', methods=['POST']) - def chat(): - response = openai.chat.completions.create( - model='gpt-4', - messages=[{'role': 'user', 'content': request.json['message']}] + MAX_INPUT_LENGTH = 2000 + MAX_OUTPUT_TOKENS = 500 + + @app.route('/chat', methods=['POST']) + def chat(): + message = request.json['message'][:MAX_INPUT_LENGTH] + response = openai.chat.completions.create( + model='gpt-4', + messages=[{'role': 'user', 'content': message}], + max_tokens=MAX_OUTPUT_TOKENS, + timeout=30 ) return jsonify(response.choices[0].message.content)
Resource Exhaustion / Denial of Service
MEDIUM
Set size limits on file reads, bound loop iterations, and add timeouts
- from flask import request - - @app.route('/upload', methods=['POST']) - def upload(): - content = request.files['file'].read() + from flask import Flask, request + + app = Flask(__name__) + app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 # 10 MB + + @app.route('/upload', methods=['POST']) + def upload(): + content = request.files['file'].read(10 * 1024 * 1024) return process(content)
3 Erkennung
3 Erkennung
Finden Sie Schwachstellen in Ihrem Code
Verwenden Sie Shoulder, um Ihren Code nach Uncontrolled Resource Consumption-Mustern zu scannen. 8 Regeln.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=400 # Or scan entire project npx @shoulderdev/cli trust .
Erkennungsregeln (8)
🐹
Go
3 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
Missing Request Size Limits
MEDIUM
Request body read without size limit using ioutil.ReadAll or io.ReadAll.
Denial of Service via Resource Exhaustion
MEDIUM
Unbounded goroutines, missing timeouts, or unchecked allocations from user input.
🟨
Javascript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🔷
Typescript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🐍
Python
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules.
Resource Exhaustion / Denial of Service
MEDIUM
Detects operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large files into memory, recursive operations without
depth limits, or missing timeouts. These can lead to memory exhaustion or CPU
starvation (DoS).
4 Warnzeichen
4 Warnzeichen
Worauf bei Code-Reviews zu achten ist
Diese Muster weisen auf potenzielle Uncontrolled Resource Consumption-Schwachstellen hin. Achten Sie bei Code-Reviews und Sicherheitsaudits darauf.
LLM API call lacks resource limits
go-llm-denial-of-service
AI/LLM API calls lacking token limits or input validation that could enable denial of service
go-llm-denial-of-service
Unbounded resource usage can lead to DoS
go-resource-exhaustion
AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks
javascript-llm-denial-of-service
child process execution (exec, spawn) without proper resource limits
javascript-unbounded-exec-dos
Container is missing resource limits.
kubernetes-missing-resource-limits
containers missing resource limits
kubernetes-missing-resource-limits
operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large f
python-resource-exhaustion
Scanne deine Codebasis nach Uncontrolled Resource Consumption
Shoulder CLI findet anfällige Muster in deiner gesamten Codebasis.