## Express Middleware Vulnerability Exposes API to Uncontrolled Resource Consumption via Unbounded Body Parsing
A medium-severity security vulnerability has been identified in the application's Express body parser middleware configuration. The issue, classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and CWE-400 (Uncontrolled Resource Consumption), stems from the body parser being mounted with its library default size limit (`100kb` for `express.json()` and `body-parser`) rather than an explicit, conservative value chosen for the API, in `server/src/app.ts` at line 61. Because the cap is never stated, it is whatever the library default happens to be, and that default is not tuned to what the endpoint actually needs, leaving it susceptible to resource exhaustion through crafted payloads.

The vulnerability manifests through two primary attack vectors. The first is bodies that are cheap to send but expensive to accept: compressed bodies that inflate on decompression (the parser inflates `gzip`/`deflate` encodings by default), and deeply nested JSON structures that drive up CPU time and allocation during parsing. The second, and more practical, is repeated large payloads sitting just under the default limit, which keep the process allocating and parsing near its ceiling and can degrade service availability. Both rely on the absence of a hard, deliberately chosen cap on request body size, so an attacker can stress the parsing path over and over without tripping any explicit safeguard.

Security researchers have demonstrated proof-of-concept exploits against similar misconfigurations, showing how relatively small requests can trigger disproportionate memory allocation during the `JSON.parse` phase. The recommended remediation is to set an explicit, conservative `limit` on the body parser middleware, sized from the largest legitimate request the endpoint must accept. Note that the limit is per parser instance: it must be set on every mounted parser (`json`, `urlencoded`, `raw`, `text`), not just one. Organizations running affected Express instances should audit their middleware setup, enforce strict body size caps appropriate to their use cases, and add rate limiting as a second defensive layer so that repeated near-limit requests are throttled as well. While no active exploitation has been confirmed in this instance, the low complexity of the attack and the availability of a standard one-line mitigation make this a priority configuration fix for production deployments.
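As an added example (not code from the page or from the affected project), the Node.js block below shows the one-line Express configuration fix as a comment and then reimplements what that hard cap does as an Express-style middleware, so the mechanics can be run and tested without Express installed. The function names `boundedJson`, `parseBoundedJson` and `jsonNestingDepth`, the 16 KiB limit and the nesting depth of 32 are all assumptions for illustration; the nesting-depth check goes beyond what the stock parser offers and addresses the deeply nested payload vector described above.

```javascript
// Added example, not the page's or the project's code. Limit and depth values are
// assumptions for illustration; size them from the largest legitimate request.
//
// The remediation in server/src/app.ts is to make the limit explicit on every parser:
//   app.use(express.json({ limit: '16kb' }));                        // default is 100kb
//   app.use(express.urlencoded({ extended: false, limit: '16kb' }));
// Below, the same size check (plus a nesting-depth check that body-parser does not
// provide) is reimplemented so it can be exercised stand-alone.

const DEFAULT_LIMIT_BYTES = 16 * 1024; // assumed: tune per endpoint
const DEFAULT_MAX_DEPTH = 32;          // assumed: deeper than any real schema needs

// Maximum bracket nesting depth of a JSON text, from a linear scan that ignores
// brackets inside string literals (escaped quotes are handled).
function jsonNestingDepth(text) {
  let depth = 0, max = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') { depth += 1; if (depth > max) max = depth; }
    else if (ch === '}' || ch === ']') depth -= 1;
  }
  return max;
}

// Pure decision over a fully received body: the HTTP status to send, and either
// the parsed value or an error message. Size is checked before any parsing.
function parseBoundedJson(body, { limit = DEFAULT_LIMIT_BYTES, maxDepth = DEFAULT_MAX_DEPTH } = {}) {
  if (body.length > limit) {
    return { status: 413, error: `body of ${body.length} bytes exceeds limit of ${limit}` };
  }
  const text = body.toString('utf8');
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    return { status: 400, error: `nesting depth ${depth} exceeds ${maxDepth}` };
  }
  try {
    return { status: 200, value: JSON.parse(text) };
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
}

// Express-style middleware. The byte counter runs as chunks arrive, so an over-limit
// body is refused before it is buffered in full, whatever Content-Length claimed.
// If you accept Content-Encoding, count bytes after inflation, not before.
function boundedJson(opts = {}) {
  const limit = opts.limit ?? DEFAULT_LIMIT_BYTES;
  return function boundedJsonMiddleware(req, res, next) {
    const declared = Number(req.headers['content-length']);
    if (Number.isFinite(declared) && declared > limit) {
      return res.status(413).json({ error: 'payload too large' });
    }
    const chunks = [];
    let received = 0;
    let settled = false;
    req.on('data', (chunk) => {
      if (settled) return;
      received += chunk.length;
      if (received > limit) {
        settled = true;
        req.pause();                     // stop reading; nothing more is buffered
        res.set('Connection', 'close');  // do not let the sender reuse this connection
        return res.status(413).json({ error: 'payload too large' });
      }
      chunks.push(chunk);
    });
    req.on('end', () => {
      if (settled) return;
      settled = true;
      const verdict = parseBoundedJson(Buffer.concat(chunks), { limit, maxDepth: opts.maxDepth });
      if (verdict.status !== 200) return res.status(verdict.status).json({ error: verdict.error });
      req.body = verdict.value;
      next();
    });
    req.on('error', (err) => { if (!settled) { settled = true; next(err); } });
  };
}

// Stand-alone demo with a mock request/response (constructed inputs, CommonJS only).
if (typeof require === 'function' && require.main === module) {
  const { Readable } = require('node:stream');
  const run = (body, headers) => {
    const req = Readable.from([Buffer.from(body)]);
    req.headers = headers;
    const res = { headers: {}, set(k, v) { this.headers[k] = v; return this; },
                  status(c) { this.code = c; return this; }, json(b) { console.log(this.code, b); } };
    boundedJson({ limit: 64 })(req, res, () => console.log(200, req.body));
  };
  run('{"ok":true}', { 'content-length': '11' });
  run('['.repeat(40) + ']'.repeat(40), {});           // nesting bomb, chunked (no length)
  run('{"pad":"' + 'x'.repeat(100) + '"}', {});       // over the cap, caught while streaming
}
```

The early `Content-Length` check is only an optimisation; the streaming counter is the real guard, since a client can declare any length it likes or send a chunked body with none.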
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: express, body-parser, CWE-770, CWE-400, resource-exhaustion
- **Credibility**: unverified
- **Published**: 2026-05-06 18:31:45
- **ID**: 79863
- **URL**: https://whisperx.ai/en/intel/79863