# Request Size Limits in Express.js

- ID: javascript-express-request-size-limits
- Severity: MEDIUM
- CWE: Allocation Without Limits (CWE-770)
- Languages: JavaScript, TypeScript
- Frameworks: express

## Description

Detects missing or inadequate request size limits in Express.js applications.

Without request size limits:
1. Attackers can send large payloads to exhaust server memory (DoS)
2. Disk space can be filled with uploaded content
3. JSON parsing of large payloads blocks the event loop
4. Server resources can be exhausted processing oversized requests

Different content types need different limits:
- JSON payloads are more dangerous (blocking parsing)
- File uploads may legitimately need larger limits
- URL-encoded data should be limited

## Detection Message

Body parser without size limit: {code}
Without request size limits, attackers can send oversized payloads causing memory exhaustion (DoS).


## Remediation

Add size limits to body parser middleware:

For JSON:      app.use(express.json({ limit: '100kb' }));
For forms:     app.use(express.urlencoded({ extended: true, limit: '100kb' }));
For raw data:  app.use(express.raw({ limit: '1mb' }));

Choose appropriate limits based on your API requirements.

## Documentation

[object Object]

## Related Rules

- **Prisma Unbounded Relation Loading** [MEDIUM]: 
- **Missing API Rate Limiting** [MEDIUM]: