## Security Flaw in Syslog/Loki/Webhook Outputs: No Per-Event Size Cap Risks 100+ GiB Memory Pin
A critical security vulnerability exists in the `Write()` entry points for syslog, loki, and webhook outputs, where there is no per-event size cap. This design flaw allows a single buggy or malicious consumer to pass an event as large as 10 MiB, which can then fill the system's async channel buffer. With a default 10,000-slot buffer, this single oversized event can pin approximately 100 GiB of memory before backpressure mechanisms are triggered, creating a severe denial-of-service risk.

The issue was flagged by a security-reviewer agent during a pre-coding review of a separate batching feature (PR #599). The core problem is pre-existing: the current per-event write implementations accept arbitrary event sizes without limitation. The introduction of batching does not create this vulnerability but significantly amplifies its blast radius. In a batched system, a single oversized event can force a batch to flush alone, while the preceding batch may still be held in memory, concentrating the memory pressure and failure impact.

This oversight represents a systemic risk for any deployment using these outputs, as it exposes a straightforward vector for resource exhaustion. The lack of a `MaxEventBytes` enforcement at the point of entry leaves systems vulnerable to both accidental bugs and targeted attacks, where an adversary could deliberately craft large payloads to destabilize services. The fix requires implementing a hard size limit at the `Write()` function to bound memory allocation per event, a fundamental security control that is currently missing.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, memory, denial-of-service, logging
- **Credibility**: unverified
- **Published**: 2026-04-21 11:22:52
- **ID**: 74160
- **URL**: https://whisperx.ai/en/intel/74160