# LLM Denial of Service

- ID: javascript-llm-denial-of-service
- Severity: MEDIUM
- CWE: Resource Exhaustion (CWE-400)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects AI/LLM API calls that lack token limits, potentially enabling denial of service attacks. OWASP LLM04 - Model Denial of Service.

DoS attacks against LLMs can:

- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability

This rule detects:

- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses

NOTE: Rate limiting is covered separately by the Express rate-limiting rule. See: rules/javascript/projects/express/security/rate-limiting.yaml

## Detection Message

LLM API call lacks resource limits ({issue_type})

## Remediation

Set max_tokens limits and validate input length before LLM calls.

```javascript
const response = await openai.chat.completions.create({
  model: 'gpt-4',
  messages: [{ role: 'user', content: message.substring(0, 2000) }],
  max_tokens: 500
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-400/llm-denial-of-service

## Related Rules

- **LLM Denial of Service** [MEDIUM]
- **Missing Request Size Limits** [MEDIUM]
- **Denial of Service via Resource Exhaustion** [MEDIUM]
- **Denial of Service via Unbounded Child Processes** [MEDIUM]
- **Missing Resource Limits** [MEDIUM]
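The remediation snippet above covers max_tokens and input clamping but not the third finding, unbounded streaming. The following is an added example (not code from the rule or its project) that applies all three limits in one place; it assumes a `client` shaped like the OpenAI SDK's `chat.completions.create()` and uses a constructed in-memory stub so it runs offline.

```javascript
// Added example, not code from the rule page: applies the three limits this
// rule looks for (input length, max_tokens, bounded streaming). `client` is
// assumed to expose chat.completions.create() like the OpenAI SDK; the
// constructed stub at the bottom stands in for it so the example runs offline.
const MAX_INPUT_CHARS = 2000;   // cap on user-supplied prompt text
const MAX_OUTPUT_TOKENS = 500;  // cap on generated tokens per request
// Reject empty input and clamp oversized input before it reaches the model.
function boundInput(message) {
  if (typeof message !== 'string' || message.trim() === '') {
    throw new Error('message must be a non-empty string');
  }
  return message.length > MAX_INPUT_CHARS ? message.slice(0, MAX_INPUT_CHARS) : message;
}
// Build the request with explicit limits; max_tokens is never omitted.
function buildRequest(message, stream = false) {
  return {
    model: 'gpt-4',
    messages: [{ role: 'user', content: boundInput(message) }],
    max_tokens: MAX_OUTPUT_TOKENS,
    stream,
  };
}
// Client-side bound for streamed output: stop accepting chunks after
// maxChunks even if the server keeps sending. Reports whether it cut off.
function boundedCollector(maxChunks = MAX_OUTPUT_TOKENS) {
  const parts = [];
  let truncated = false;
  return {
    push(chunk) {               // returns false once the bound is reached
      if (parts.length >= maxChunks) { truncated = true; return false; }
      parts.push(chunk);
      return true;
    },
    result() { return { text: parts.join(''), truncated }; },
  };
}
// Consume a streamed completion under the bound; `break` closes the iterator,
// which ends the underlying stream for a well-behaved client.
async function streamWithBound(client, message) {
  const stream = await client.chat.completions.create(buildRequest(message, true));
  const collector = boundedCollector();
  for await (const chunk of stream) {
    const delta = chunk.choices?.[0]?.delta?.content ?? '';
    if (!collector.push(delta)) break;
  }
  return collector.result();
}
// Constructed stub: yields `n` chunks in the SDK's streaming shape.
const stubClient = (n) => ({ chat: { completions: { create: async () => (async function* () {
  for (let i = 0; i < n; i++) yield { choices: [{ delta: { content: 'tok ' } }] };
})() } } });
```

With `stubClient(600)`, `streamWithBound` stops after 500 chunks and reports `truncated: true`; with `stubClient(3)` it returns all three chunks untruncated.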