CWE-400 Uncontrolled Resource Consumption
What this means
SiteShadow flagged code where untrusted input can drive excessive CPU, memory, disk, or network usage (unbounded loops, oversized payloads, expensive regular expressions, uncontrolled concurrency).
Why it matters
Resource exhaustion can cause denial of service.
- Availability incidents: slowdowns, timeouts, crashes.
- Cost blowups: high cloud bills from abusive traffic or expensive operations.
- Often exploitable without authentication if the endpoint is public.
Safer examples
1) Enforce request and payload limits
Add max request body sizes, max file sizes, and max list lengths (see INPUT01/02).
2) Add timeouts and backpressure
- Timeouts for external calls and expensive operations
- Concurrency limits / queues for expensive jobs
3) Add rate limits and quotas
Use per-IP/per-user throttling and quotas (see RATE01/02).
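The three controls above combined in one request guard, as an added example (not SiteShadow's or this page's code): payload caps are checked before parsing, a per-client token bucket rejects abusive traffic before any work is done, and a bounded semaphore fails fast when the expensive handler is saturated. The budget values, the `ResourceGuard` class, the comma-split "parser" and the injectable clock are constructed stand-ins.

```python
import threading
import time

# Budgets for this constructed example; a real service tunes them per endpoint.
MAX_BODY_BYTES, MAX_ITEMS = 1024, 100   # 1) payload caps: raw bytes, parsed list length
MAX_CONCURRENT_JOBS = 4                 # 2) concurrency limit for the expensive handler
RATE_PER_SEC, BURST = 5, 5              # 3) per-client token bucket: refill rate, capacity

class RequestRejected(Exception):
    """Raised when a request exceeds one of the resource budgets."""

class ResourceGuard:
    """Applies the three budgets in cheap-to-expensive order before real work runs."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so behaviour is deterministic in tests
        self.buckets = {}           # client_id -> (tokens, last_refill_time)
        self.jobs = threading.BoundedSemaphore(MAX_CONCURRENT_JOBS)

    def allow(self, client_id):
        """Token bucket: refill for the elapsed time, then spend one token if available."""
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (float(BURST), now))
        tokens = min(BURST, tokens + (now - last) * RATE_PER_SEC)
        ok = tokens >= 1
        self.buckets[client_id] = (tokens - 1 if ok else tokens, now)
        return ok

    def admit(self, client_id, body):
        # 3) rate limit first: rejecting here costs nothing, parsing would not.
        if not self.allow(client_id):
            raise RequestRejected("rate limit exceeded")
        # 1) size limits: byte count before decoding, item count after.
        if len(body) > MAX_BODY_BYTES:
            raise RequestRejected("body too large")
        items = body.split(b",")  # stand-in for real payload parsing
        if len(items) > MAX_ITEMS:
            raise RequestRejected("too many items")
        return items

    def handle(self, client_id, body):
        items = self.admit(client_id, body)
        # 2) backpressure: bounded concurrency, fail fast instead of queueing without limit.
        if not self.jobs.acquire(blocking=False):
            raise RequestRejected("server busy")
        try:
            return sum(len(i) for i in items)  # stand-in for the expensive work
        finally:
            self.jobs.release()
```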
How SiteShadow detects it (high level)
- Flags missing size limits around parsing, uploads, and untrusted loops.
- Detects expensive patterns (e.g., catastrophic regex risk, uncontrolled fanout) in request-handling contexts.
References
- CWE-400: https://cwe.mitre.org/data/definitions/400.html
---