Request body size limits enforced
Why it matters
Unbounded request bodies are a denial-of-service vector that requires no authentication and minimal sophistication. OWASP API Security Top 10 2023 API4 (Unrestricted Resource Consumption) and CWE-770 (Allocation of Resources Without Limits) both flag missing body size limits as a resource exhaustion risk. Sending a 1 GB JSON payload to an endpoint that reads the full body before rejecting it consumes memory, CPU, and I/O on every request — a single attacker can saturate a server. Node.js HTTP servers buffer the request body before passing it to handlers; without a size limit, that buffer is attacker-controlled. Cloud functions with per-invocation memory limits are particularly vulnerable.
Severity rationale
Medium because oversized payloads can exhaust server memory and CPU per request, enabling denial of service from a single source without authentication.
Remediation
Set body size limits in your HTTP framework's parser configuration. In Next.js App Router, override per-route via route segment config; in Express, pass limit to express.json().
// Next.js API route (Pages Router, pages/api/upload.ts). The bodyParser config export is
// honoured only by Pages Router API routes; App Router route handlers (app/**/route.ts)
// receive the body as a stream and must enforce the cap in the handler itself.
export const config = {
  api: { bodyParser: { sizeLimit: '10mb' } }, // override for large-upload routes
}
// Server Actions default (App Router): next.config.js. This applies to Server Action
// payloads, not to API route handlers.
module.exports = {
  experimental: {
    serverActions: { bodySizeLimit: '1mb' }, // sensible default
  },
}
// Express: express.json() falls back to body-parser's built-in 100kb when limit is omitted,
// so set it explicitly and review it.
app.use(express.json({ limit: '1mb' }))
app.use(express.urlencoded({ extended: true, limit: '1mb' }))
Set the default at 1 MB and raise it only for specific routes that legitimately handle larger payloads (file uploads, bulk imports).
Detection
- ID: body-size-limit
- Severity: medium
- What to look for: Enumerate every relevant item. Check JSON or body parser middleware configuration. Verify that a maximum request body size is enforced to prevent DoS attacks from oversized payloads.
- Pass criteria: At least 1 of the following conditions is met. A request body size limit is configured (typically 1-10 MB depending on API use case). Requests exceeding the limit are rejected with a 413 Payload Too Large response.
- Fail criteria: No body size limit is enforced, or the limit is unreasonably high (>100 MB).
- Skip (N/A) when: The API accepts file uploads and legitimate uploads frequently exceed typical limits.
- Detail on fail: "No request body size limit configured — large payloads could cause DoS"
- Remediation: Configure body size limits in middleware:
  app.use(express.json({ limit: '10mb' }))
  app.use(express.urlencoded({ limit: '10mb' }))
  // Next.js API routes
  export const config = { api: { bodyParser: { sizeLimit: '10mb' } } }
External references
- cwe · CWE-400 — Uncontrolled Resource Consumption
- cwe · CWE-770 — Allocation of Resources Without Limits or Throttling
- owasp:2021 · A05 — Security Misconfiguration
- owasp:2023 · API4 — Unrestricted Resource Consumption
Taxons
History
- 2026-04-18·v1.0.0·Initial import from api-security·automated