cwe-400-resource-exhaustion

SKILL.md

CWE-400 Uncontrolled Resource Consumption

Description

Uncontrolled Resource Consumption

Reference: https://cwe.mitre.org/data/definitions/400.html

OWASP Category: A04:2021 – Insecure Design


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: No size limit on upload
import java.io.IOException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;

@PostMapping("/upload")
public void upload(@RequestParam MultipartFile file) throws IOException {
    byte[] content = file.getBytes();  // Whole upload copied into a heap array whose size the client chooses
    saveFile(content);
}

// VULNERABLE: Unbounded list growth
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;

List<String> items = new ArrayList<>();
while (scanner.hasNext()) {
    items.add(scanner.next());  // Grows for as long as input keeps arriving; no limit
}

Why it's vulnerable: file.getBytes() copies the entire upload into a single heap array whose length the client controls, and the while (scanner.hasNext()) loop keeps appending for as long as input arrives. One oversized or never-ending request can therefore consume all available memory and deny service to every other user.


Deterministic Fix

✅ Example 2: Secure Implementation

// SECURE: Enforce limits
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;

private static final long MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
private static final int MAX_ITEMS = 10000;
private final String uploadPath = "/path/to/uploads/file"; // placeholder: on-disk destination, set from configuration

@PostMapping("/upload")
public void upload(@RequestParam MultipartFile file) throws IOException {
    if (file.getSize() > MAX_FILE_SIZE) {
        throw new IllegalArgumentException("File too large");
    }
    // Stream to disk instead of memory
    file.transferTo(new File(uploadPath));
}

// With bounded collection
List<String> items = new ArrayList<>();
int count = 0;
while (scanner.hasNext() && count < MAX_ITEMS) {  // Stop at MAX_ITEMS even if input continues
    items.add(scanner.next());
    count++;
}

Why it's secure: Every growth path has a fixed ceiling. Uploads larger than MAX_FILE_SIZE are rejected before the handler copies anything into memory, accepted files are streamed to disk instead of being buffered as a byte[], and the collection stops growing once it reaches MAX_ITEMS, so memory use is bounded no matter what the client sends.
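The secure pattern above checks a size reported up front and stops the collection at the limit. The plain-Java class below is an added example, not code from this skill page, that generalizes both fixes: it enforces the byte limit while streaming, so it holds regardless of what the client declared, and it treats an over-long list as an error rather than a silent truncation. The class name BoundedIo, the LimitExceededException type and the tiny limits (16 bytes, 3 items) are assumptions chosen so the demo trips them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;

public class BoundedIo {
    // Constructed limits, deliberately tiny so the demo trips them; real values come from configuration.
    static final long MAX_FILE_SIZE = 16;
    static final int MAX_ITEMS = 3;

    /** Signals that input exceeded a configured bound; a web layer would map it to 413 or 400. */
    static final class LimitExceededException extends IOException {
        LimitExceededException(String msg) { super(msg); }
    }

    /**
     * Streams at most maxBytes from in to out in fixed 8 KiB chunks. Memory use is the
     * buffer, not the payload, and the copy aborts the moment the running total passes
     * the limit, so a Content-Length the client lied about cannot inflate allocation.
     */
    static long copyBounded(InputStream in, OutputStream out, long maxBytes) throws IOException {
        byte[] buf = new byte[8192];
        long total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new LimitExceededException("payload exceeds " + maxBytes + " bytes");
            }
            out.write(buf, 0, n);
        }
        return total;
    }

    /**
     * Collects at most maxItems tokens. Exceeding the bound is an error rather than a silent
     * truncation, so the caller can never process a partial list as if it were complete.
     */
    static List<String> readTokensBounded(Scanner scanner, int maxItems) throws LimitExceededException {
        List<String> items = new ArrayList<>();
        while (scanner.hasNext()) {
            if (items.size() >= maxItems) {
                throw new LimitExceededException("more than " + maxItems + " items");
            }
            items.add(scanner.next());
        }
        return items;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: one inside each limit, one past it.
        byte[] small = "within limit".getBytes(StandardCharsets.UTF_8); // 12 bytes
        byte[] large = new byte[64];                                     // four times the limit

        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        long copied = copyBounded(new ByteArrayInputStream(small), sink, MAX_FILE_SIZE);
        System.out.println("copied " + copied + " bytes");
        try {
            copyBounded(new ByteArrayInputStream(large), new ByteArrayOutputStream(), MAX_FILE_SIZE);
        } catch (LimitExceededException e) {
            System.out.println("rejected upload: " + e.getMessage());
        }

        System.out.println(readTokensBounded(new Scanner("a b c"), MAX_ITEMS));
        try {
            readTokensBounded(new Scanner("a b c d e"), MAX_ITEMS);
        } catch (LimitExceededException e) {
            System.out.println("rejected list: " + e.getMessage());
        }
    }
}
```

One caveat on the Spring pattern: MultipartFile.getSize() is only known after Spring's multipart resolver has already received the request body into its temporary storage, so the controller check is a second line of defence. The first belongs in the container or framework limits (in Spring Boot, spring.servlet.multipart.max-file-size and max-request-size), and a streaming check like copyBounded is what protects any code path that reads a raw InputStream, such as file.getInputStream() or request bodies handled outside the multipart resolver.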


Detection Pattern

Look for these patterns in your codebase:

# Find unbounded file operations
grep -rn "file.getBytes()\|IOUtils.toByteArray" --include="*.java"

Remediation Steps

  1. Set maximum limits for uploads, collections, iterations

  2. Stream large data instead of loading into memory

  3. Configure timeouts for all external operations

  4. Use connection pools with max size
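Steps 3 and 4 concern the outbound side, where a slow or silent dependency ties up threads and connections instead of heap. The class below is an added example, not code from this skill page, showing both controls with the JDK alone (Java 11 or later): every outbound HTTP call carries a connect timeout and a per-request timeout, and the calls run on a worker pool with a hard cap on threads and queued work, so saturation is reported to the caller rather than absorbed. The class name, the limit values and the TEST-NET-1 target address are assumptions for the demo.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class BoundedOutbound {
    // Constructed limits for the demo; tune per service.
    static final int MAX_WORKERS = 4;   // max concurrent outbound calls
    static final int MAX_QUEUED = 8;    // max calls waiting for a worker
    static final Duration CONNECT_TIMEOUT = Duration.ofSeconds(3);
    static final Duration REQUEST_TIMEOUT = Duration.ofSeconds(10);

    // One shared client; the connect timeout applies to every request it sends.
    static final HttpClient CLIENT = HttpClient.newBuilder()
            .connectTimeout(CONNECT_TIMEOUT)
            .build();

    // Fixed-size worker pool over a bounded queue. When both are full, submit() throws
    // (AbortPolicy) instead of spawning more threads or growing an unbounded backlog.
    static final ThreadPoolExecutor POOL = new ThreadPoolExecutor(
            MAX_WORKERS, MAX_WORKERS, 0L, TimeUnit.MILLISECONDS,
            new ArrayBlockingQueue<>(MAX_QUEUED),
            new ThreadPoolExecutor.AbortPolicy());

    /** A request whose whole exchange, headers and body included, must finish within REQUEST_TIMEOUT. */
    static HttpRequest boundedRequest(String url) {
        return HttpRequest.newBuilder(URI.create(url))
                .timeout(REQUEST_TIMEOUT)
                .GET()
                .build();
    }

    /**
     * Runs the call on the bounded pool. Returns null when the pool is saturated so the
     * caller can shed load (for example answer 503) instead of holding its own request open.
     */
    static Future<String> fetchAsync(String url) {
        try {
            return POOL.submit(() ->
                    CLIENT.send(boundedRequest(url), HttpResponse.BodyHandlers.ofString()).body());
        } catch (RejectedExecutionException saturated) {
            return null;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed target: a TEST-NET-1 (RFC 5737) address that never answers, so a timeout,
        // not a response, is what ends each call. Submit more work than the pool can hold.
        String blackhole = "http://192.0.2.1/";
        Future<String> first = null;
        int accepted = 0, shed = 0;
        for (int i = 0; i < MAX_WORKERS + MAX_QUEUED + 4; i++) {
            Future<String> f = fetchAsync(blackhole);
            if (f == null) { shed++; continue; }
            if (first == null) first = f;
            accepted++;
        }
        System.out.println("accepted=" + accepted + " shed=" + shed);

        try {
            first.get();
        } catch (ExecutionException e) {
            // Typically HttpConnectTimeoutException (or ConnectException on a host with no route);
            // either way the worker was released after a bounded wait, not held indefinitely.
            System.out.println("call ended by timeout: " + e.getCause());
        } finally {
            POOL.shutdownNow();
        }
    }
}
```

BodyHandlers.ofString() buffers the whole response in memory, which is fine for small, trusted replies; for responses whose size a third party controls, use a streaming handler and apply the same byte cap as for uploads (step 2), otherwise the timeout bounds the time but not the memory.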


Key Imports


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-400 vulnerability
Resolve Uncontrolled Resource Consumption issue
Secure this Java code against uncontrolled resource consumption
SAST reports CWE-400

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07
