API4:2023 Unrestricted Resource Consumption

Endpoints that let a caller consume server CPU, memory, database time, or downstream API quota without bound. Typical symptoms: no rate limit on a public or authenticated route, list endpoints that return the whole table because they take no page size or do not cap it, expensive search or export operations without pagination, and GraphQL schemas that accept arbitrarily deep or expensive queries (for example, nested traversal of circular type references with no depth or complexity limit).

What Vulkro detects

Vulkro flags routes with no rate-limiting middleware visible in the request pipeline, plus pagination-less list endpoints and GraphQL schemas without depth or complexity limits.

Framework-specific guidance

FastAPI

Add slowapi: create `limiter = Limiter(key_func=get_remote_address)`, register it with `app.state.limiter = limiter` and `app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)`, then decorate routes with `@limiter.limit("10/minute")`. The decorated handler must accept a `request: Request` parameter, which slowapi uses to resolve the client key.

Express

`npm i express-rate-limit`, then `const rateLimit = require('express-rate-limit'); app.use(rateLimit({ windowMs: 60_000, max: 30 }))`. Mount it before the routes it should cover; applied with `app.use` it limits every route registered after it, so tighter per-route limiters (signup, login, password reset) are layered on top.

Non-compliant code (examples)

Express — no rate limiter, public POST endpoint

app.post('/api/signup', async (req, res) => {
  await createUser(req.body); // unbounded; a bot can flood this route
  res.sendStatus(201);
});

Compliant code (examples)

Express — rate-limit middleware applied

const rateLimit = require('express-rate-limit');
// Keyed by req.ip. Behind a reverse proxy or load balancer, set
// app.set('trust proxy', <number of hops>) first; otherwise every client
// shares the proxy's address and one limit is applied to all of them.
const signupLimiter = rateLimit({ windowMs: 60_000, max: 5 });
app.post('/api/signup', signupLimiter, async (req, res) => {
  await createUser(req.body);
  res.sendStatus(201);
});
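The following is an added example, not Vulkro's code and not the express-rate-limit library: it implements the two controls this page asks for, a per-client fixed-window rate limiter exposed as Express-style `(req, res, next)` middleware and a pagination clamp for list endpoints, with no dependency on Express so it runs stand-alone. The names `createRateLimiter`, `clampPagination` and `simulateBurst`, the injectable `now` clock, and the constructed fake request and response objects are all assumptions made for this example; the `RateLimit-*` and `Retry-After` response headers follow the usual convention for rate-limited APIs.

```javascript
// Added example (not Vulkro's or express-rate-limit's code): a minimal
// fixed-window limiter plus a pagination clamp, written as Express-style
// middleware but runnable without Express.

// Allow `limit` requests per `windowMs` per key. `keyFn` defaults to the
// client IP (behind a proxy, derive it from a trusted forwarded header).
// `now` is injectable so the window logic can be exercised with a fake clock.
function createRateLimiter({ windowMs, limit, keyFn = (req) => req.ip, now = Date.now }) {
  const buckets = new Map(); // key -> { count, windowStart }

  // Record one hit for `key` and report whether it is still within the limit.
  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t }; // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const remaining = Math.max(0, limit - b.count);
    const retryAfterMs = b.windowStart + windowMs - t;
    return { allowed: b.count <= limit, remaining, retryAfterMs };
  }

  // Express-compatible middleware: reject with 429 once the window is exhausted.
  function middleware(req, res, next) {
    const result = check(keyFn(req));
    res.setHeader('RateLimit-Limit', String(limit));
    res.setHeader('RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).json({ error: 'Too Many Requests' });
      return;
    }
    next();
  }

  return { check, middleware };
}

// Never let a caller request an unbounded page: parse `limit`/`offset` from
// the query string, fall back on bad input, and cap `limit` at `maxLimit`.
function clampPagination(query, { defaultLimit = 20, maxLimit = 100 } = {}) {
  const parseNonNegative = (value, fallback) => {
    const n = Number.parseInt(value, 10);
    return Number.isFinite(n) && n >= 0 ? n : fallback;
  };
  const requested = parseNonNegative(query.limit, defaultLimit);
  const limit = Math.min(Math.max(requested, 1), maxLimit);
  const offset = parseNonNegative(query.offset, 0);
  return { limit, offset };
}

// Drive the middleware with constructed fake req/res objects (no Express
// needed) and return the status each request in the burst ended with.
function simulateBurst(middleware, ip, n) {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const req = { ip };
    const res = {
      headers: {},
      statusCode: 200,
      setHeader(name, value) { this.headers[name] = value; },
      status(code) { this.statusCode = code; return this; },
      json() { return this; },
    };
    let passed = false;
    middleware(req, res, () => { passed = true; });
    statuses.push(passed ? 200 : res.statusCode);
  }
  return statuses;
}

// Stand-alone demo: 5 allowed, then 429s for the rest of the window.
const demoLimiter = createRateLimiter({ windowMs: 60_000, limit: 5 });
console.log(simulateBurst(demoLimiter.middleware, '203.0.113.7', 7));
console.log(clampPagination({ limit: '5000', offset: '-3' }));
```

The in-memory `Map` is per process: with several workers or instances each one keeps its own counters, so the effective limit is multiplied by the instance count. For that deployment shape, back the counters with a shared store such as Redis, which is also what production limiters like express-rate-limit offer through their store option. The pagination clamp belongs on every list endpoint that Vulkro flags as pagination-less; returning a capped page with a `next` cursor, rather than the whole result set, is the fix for the "unbounded query results" symptom.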

See also

  • Confidence model - what High, Medium, and Low mean for findings in this category.
  • Safety - what Vulkro does and does not access on your machine.

This page is generated by vulkro rules export <out-dir> from the catalog in src/rule_docs.rs. Edits made by hand are overwritten on the next regeneration.