
Denial of Service

Denial of Service occurs when an application can be forced into excessive CPU, memory, I/O, database, or event-loop consumption, reducing availability for legitimate users.

Category: Availability weakness
Common impact: Service degradation / outage
Common surface: Parsing / uploads / expensive routes
Risk model: Unbounded work factor

What is this vulnerability?

Denial of Service is a vulnerability class where a system performs disproportionate work in response to a request or input. The root issue is usually missing limits, expensive parsing, unbounded loops, uncontrolled concurrency, or resource-intensive operations exposed to untrusted users.

How it works

In web and JavaScript services, DoS often appears when an endpoint accepts large input, deeply nested structures, expensive regular expressions, slow decompression, uncontrolled uploads, or repeated work without rate limits. Even without data theft, the attacker can degrade availability by forcing the service to spend more resources than expected.

Minimal vulnerable example

This simplified Node.js example shows a route that accepts an unbounded array and performs expensive synchronous work for every item. A large request can block the event loop and delay other users.

1. Large request is submitted
2. Server accepts unbounded input
3. Expensive loop starts
4. Event loop becomes saturated
5. Legitimate users experience outage

Potential impact

Service slowdown or outage caused by CPU, memory, network, database, or event-loop exhaustion.
Request queue buildup, increased latency, and failed health checks in production environments.
Cascading failures when saturated services block workers, connection pools, or downstream dependencies.
Operational cost increase when autoscaling reacts to attacker-controlled workload amplification.

Mitigation

Apply strict size, depth, complexity, timeout, and concurrency limits to untrusted input.
Move expensive work to bounded background queues with cancellation and backpressure.
Avoid synchronous CPU-heavy operations on the request path in Node.js services.
Use rate limiting, circuit breakers, request budgets, and per-user quotas.
Monitor event-loop delay, heap usage, CPU saturation, queue depth, and error rates.