Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service.
Prevalence
High
Frequently exploited
Impact
Medium
Review recommended
Prevention
Documented
8 fix examples
2 Prevention
2 Prevention
How to fix this vulnerability
Prevention strategies for Resource Exhaustion based on 8 Shoulder detection rules.
LLM Denial of Service
MEDIUM
Set MaxTokens limits, validate input length, and configure timeouts for LLM API calls
func handler(w http.ResponseWriter, r *http.Request) { var req ChatRequest json.NewDecoder(r.Body).Decode(&req) - resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ - Model: "gpt-4", - Messages: []openai.ChatCompletionMessage{{Content: req.Message}}, + + message := req.Message + if len(message) > 2000 { + message = message[:2000] + } + + ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second) + defer cancel() + + resp, _ := client.CreateChatCompletion(ctx, openai.ChatCompletionRequest{ + Model: "gpt-4", + Messages: []openai.ChatCompletionMessage{{Content: message}}, + MaxTokens: 500, }) json.NewEncoder(w).Encode(resp) }
Missing Request Size Limits
MEDIUM
Use http.MaxBytesReader to limit request body size before reading
func handler(w http.ResponseWriter, r *http.Request) { - body, _ := io.ReadAll(r.Body) + r.Body = http.MaxBytesReader(w, r.Body, 10*1024*1024) + body, err := io.ReadAll(r.Body) + if err != nil { + http.Error(w, "Request too large", 413) + return + } process(body) }
Denial of Service via Resource Exhaustion
MEDIUM
Limit goroutines with semaphore, set HTTP timeouts, and validate allocation sizes
func process(items []string) { - for _, item := range items { - go func(i string) { + sem := make(chan struct{}, 100) + for _, item := range items { + sem <- struct{}{} + go func(i string) { + defer func() { <-sem }() expensiveOperation(i) }(item) } }
JavaScript
View all JavaScript details →
LLM Denial of Service
MEDIUM
Set max_tokens limits and validate input length before LLM API calls
- const response = await openai.chat.completions.create({ - model: 'gpt-4', - messages: [{ role: 'user', content: req.body.message }] + const message = req.body.message.substring(0, 2000); + const response = await openai.chat.completions.create({ + model: 'gpt-4', + messages: [{ role: 'user', content: message }], + max_tokens: 500 });
Denial of Service via Unbounded Child Processes
MEDIUM
Configure timeout and maxBuffer for child process execution to prevent resource exhaustion
- const { stdout } = await execPromise(`ping -c 4 ${domain}`); + const { stdout } = await execPromise(`ping -c 4 ${domain}`, { + timeout: 5000, + maxBuffer: 1024 * 100 + });
Kubernetes
View all Kubernetes details →
Missing Resource Limits
MEDIUM
Define CPU and memory resource limits to prevent resource exhaustion and denial of service
apiVersion: v1 kind: Pod spec: containers: - name: app image: nginx:1.25 - ports: - - containerPort: 80 + resources: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "256Mi" + cpu: "500m"
Python
View all Python details →
LLM Denial of Service
MEDIUM
Set max_tokens limits, validate input length, and configure timeouts for LLM API calls
- @app.route('/chat', methods=['POST']) - def chat(): - response = openai.chat.completions.create( - model='gpt-4', - messages=[{'role': 'user', 'content': request.json['message']}] + MAX_INPUT_LENGTH = 2000 + MAX_OUTPUT_TOKENS = 500 + + @app.route('/chat', methods=['POST']) + def chat(): + message = request.json['message'][:MAX_INPUT_LENGTH] + response = openai.chat.completions.create( + model='gpt-4', + messages=[{'role': 'user', 'content': message}], + max_tokens=MAX_OUTPUT_TOKENS, + timeout=30 ) return jsonify(response.choices[0].message.content)
Resource Exhaustion / Denial of Service
MEDIUM
Set size limits on file reads, bound loop iterations, and add timeouts
- from flask import request - - @app.route('/upload', methods=['POST']) - def upload(): - content = request.files['file'].read() + from flask import Flask, request + + app = Flask(__name__) + app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 # 10 MB + + @app.route('/upload', methods=['POST']) + def upload(): + content = request.files['file'].read(10 * 1024 * 1024) return process(content)
3 Detection
3 Detection
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Uncontrolled Resource Consumption patterns. 8 rules.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=400 # Or scan entire project npx @shoulderdev/cli trust .
Detection Rules (8)
🐹
Go
3 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
Missing Request Size Limits
MEDIUM
Request body read without size limit using ioutil.ReadAll or io.ReadAll.
Denial of Service via Resource Exhaustion
MEDIUM
Unbounded goroutines, missing timeouts, or unchecked allocations from user input.
🟨
Javascript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting rule.
See: rules/javascript/projects/express/security/rate-limiting.yaml
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🔷
Typescript
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
- Unbounded streaming responses
NOTE: Rate limiting is covered separately by the Express rate-limiting rule.
See: rules/javascript/projects/express/security/rate-limiting.yaml
Denial of Service via Unbounded Child Processes
MEDIUM
Detects child process execution (exec, spawn) without proper resource limits.
Without timeout or maxBuffer configuration, these processes can:
- Hang indefinitely, consuming server resources
- Flood memory with unbounded output
- Enable DoS attacks through resource exhaustion
This is especially critical when the command can be influenced by user input
or interacts with external resources (network requests, git operations, etc.).
🐍
Python
2 rules
LLM Denial of Service
MEDIUM
Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.
DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability
This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation
NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules.
Resource Exhaustion / Denial of Service
MEDIUM
Detects operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large files into memory, recursive operations without
depth limits, or missing timeouts. These can lead to memory exhaustion or CPU
starvation (DoS).
4 Warning Signs
4 Warning Signs
What to watch for in code reviews
These patterns indicate potential Uncontrolled Resource Consumption vulnerabilities. Look for these during code reviews and security audits.
LLM API call lacks resource limits
go-llm-denial-of-service
AI/LLM API calls lacking token limits or input validation that could enable denial of service
go-llm-denial-of-service
Unbounded resource usage can lead to DoS
go-resource-exhaustion
AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks
javascript-llm-denial-of-service
child process execution (exec, spawn) without proper resource limits
javascript-unbounded-exec-dos
Container is missing resource limits.
kubernetes-missing-resource-limits
containers missing resource limits
kubernetes-missing-resource-limits
operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large f
python-resource-exhaustion
Scan your codebase for Uncontrolled Resource Consumption
Shoulder CLI finds vulnerable patterns across your entire codebase.