Skip to content

Security: Webhook request body is buffered without size limit (DoS risk)#1300

Open
tuanaiseo wants to merge 1 commit intoyagop:masterfrom
tuanaiseo:contribai/fix/security/webhook-request-body-is-buffered-without
Open

Security: Webhook request body is buffered without size limit (DoS risk)#1300
tuanaiseo wants to merge 1 commit intoyagop:masterfrom
tuanaiseo:contribai/fix/security/webhook-request-body-is-buffered-without

Conversation

@tuanaiseo
Copy link
Copy Markdown

@tuanaiseo tuanaiseo commented Apr 7, 2026

Problem

Incoming webhook bodies are fully buffered with bl before parsing JSON, with no explicit maximum size. An attacker can send very large POST bodies to exhaust memory and degrade or crash the process.

Severity: high
File: src/telegramWebHook.js

Solution

Enforce a strict request size limit before buffering (for example via Content-Length checks and stream byte counting), reject oversized payloads with 413, and set server/request timeouts.

Changes

  • src/telegramWebHook.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

@tuanaiseo
fix(security)(telegramWebHook.js): webhook request body is buffered w…
236ce31 
…ithout size limi

Incoming webhook bodies are fully buffered with `bl` before parsing JSON, with no explicit maximum size. An attacker can send very large POST bodies to exhaust memory and degrade or crash the process.

Affected files: telegramWebHook.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tuanaiseo