Security: No request body size limits — memory exhaustion vector #73

New issue

Open

opened 2026-05-11 13:48:48 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:48:48 +00:00

Owner

Severity: Critical

Location

All HTTP route handlers across api_openrouter/ and api_openrpc/

Finding

No Content-Length validation or request body size limits are configured anywhere in the router stack. A single oversized request can exhaust memory:

Chat completions accept arbitrary message arrays
Embedding endpoints accept unbounded input text
TTS/STT endpoints accept unbounded audio data
The entire body is loaded into memory before processing

Attack Scenario

Send a single 10GB POST request to any endpoint
Server attempts to load entire body into memory
OOM kills the broker or causes swap thrashing
Cascading failure across all connected services

Recommendation

Add tower_http::limit::RequestBodyLimitLayer with sensible defaults (e.g., 64MB)
Per-endpoint limits: chat (32MB), embeddings (10MB), audio (100MB)
Reject oversized requests with 413 Payload Too Large

## Severity: Critical ## Location All HTTP route handlers across `api_openrouter/` and `api_openrpc/` ## Finding No `Content-Length` validation or request body size limits are configured anywhere in the router stack. A single oversized request can exhaust memory: - Chat completions accept arbitrary message arrays - Embedding endpoints accept unbounded input text - TTS/STT endpoints accept unbounded audio data - The entire body is loaded into memory before processing ## Attack Scenario - Send a single 10GB POST request to any endpoint - Server attempts to load entire body into memory - OOM kills the broker or causes swap thrashing - Cascading failure across all connected services ## Recommendation - Add `tower_http::limit::RequestBodyLimitLayer` with sensible defaults (e.g., 64MB) - Per-endpoint limits: chat (32MB), embeddings (10MB), audio (100MB) - Reject oversized requests with 413 Payload Too Large