require-express-body-parser-limits
Require size limits on body parser middleware to prevent DoS attacks
Severity: 🟡 Warning
CWE: CWE-400
Error Message Format
The rule provides LLM-optimized error messages (compact two-line format) with actionable security guidance:
```
🔒 CWE-400 OWASP:A06 CVSS:7.5 | Uncontrolled Resource Consumption (ReDoS) detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A06_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-400 OWASP:A06 CVSS:7.5 |
| Issue Description | Specific vulnerability | Uncontrolled Resource Consumption (ReDoS) detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
This rule reports Express.js body parser middleware (`express.json`, `express.urlencoded`, `bodyParser.json`, `bodyParser.urlencoded`) that is called without an explicit `limit` option. A request body is buffered in memory before it is parsed, so an attacker who can send arbitrarily large bodies can drive the process out of memory and cause a Denial of Service. When no limit is passed, body-parser falls back to its default of 100kb; the rule still requires the value to be stated in code so that the ceiling is a reviewed, per-application decision rather than an inherited default.
Related CVE: CVE-2024-45590 - body-parser DoS vulnerability. Note that this advisory concerns the urlencoded parser and is fixed by upgrading to body-parser 1.20.3 or later; an explicit limit bounds memory use but does not by itself address that CVE.
Examples
❌ Incorrect
```js
const express = require('express');
const bodyParser = require('body-parser');
const app = express();

// No explicit limit specified - VULNERABLE (flagged by the rule)
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
// Using body-parser without explicit limits - VULNERABLE (flagged by the rule)
app.use(bodyParser.json());
```
✅ Correct
```js
const express = require('express');
const bodyParser = require('body-parser');
const app = express();

// With explicit size limits - SAFE
app.use(express.json({ limit: '100kb' }));
app.use(express.urlencoded({ extended: true, limit: '100kb' }));
// body-parser with explicit limits - SAFE
app.use(bodyParser.json({ limit: '1mb' }));
app.use(bodyParser.urlencoded({ limit: '1mb', extended: true }));
```
Options
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | false | Allow missing limits in test files |
```json
{
  "rules": {
    "express-security/require-express-body-parser-limits": [
      "warn",
      {
        "allowInTests": true
      }
    ]
  }
}
```
Recommended Limits
| Content Type | Recommended Limit |
|---|---|
| JSON API | 100kb - 1mb |
| Form data | 100kb - 500kb |
| File uploads | Do not route uploads through a body parser; use multer with explicit `limits` (`fileSize`, `files`) |
When Not To Use It
Never disable this rule in production code. Always set an explicit request size limit in the application, even when a reverse proxy also enforces one: the proxy limit does not apply to requests that reach the application without passing through it.
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Options from Variable
Why: Parser options stored in variables are not analyzed.
```js
// ❌ NOT DETECTED - Options from variable
const jsonOpts = {}; // Missing limit!
app.use(express.json(jsonOpts));
```
Mitigation: Use inline options. Create typed secure defaults.
Spread Configuration
Why: Spread hides actual configuration.
```js
// ❌ NOT DETECTED - Limit may be in spread or not
const base = getParserConfig(); // May not have limit
app.use(express.json({ ...base }));
```
Mitigation: Explicitly set limit. Don't rely on spread configs.
Custom Parser Middleware
Why: Non-standard parser middleware is not checked.
```js
// ❌ NOT DETECTED - Custom parser
import { customParser } from '@company/parsers';
app.use(customParser.json()); // Limits?
```
Mitigation: Apply rule patterns to custom parsers.
Reverse Proxy Limits
Why: Infrastructure-level limits are not visible to static analysis, so this case is reported even though the proxy enforces a limit (a false positive rather than a false negative).
```js
// ❌ REPORTED although Nginx enforces client_max_body_size upstream - the rule cannot see it
app.use(express.json()); // Nginx limits request size
```
Mitigation: Set the limit in code as well; the proxy limit does not cover requests that reach the application without passing through it. Document infrastructure limits. Add code comment.