Potential Security Vulnerability Detected
Repository: nodejs/node
Commit: 35d3bc8
Author: Mert Can Altin
Date: 2026-02-27T19:00:28Z
Commit Message
sqlite: add limits property to DatabaseSync
PR-URL: https://github.com/nodejs/node/pull/61298
Fixes: https://github.com/nodejs/node/issues/61268
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Pull Request
PR: #61298 - sqlite: add limits property to DatabaseSync
Labels: c++, semver-minor, lib / src, author ready, needs-ci, commit-queue-squash, sqlite
Description:
Fixes: #61268
add limits property to DatabaseSync
Analysis
Vulnerability Type: Resource Exhaustion / Denial of Service
Severity: Medium
Description
The SQLite DatabaseSync implementation lacked resource limits, allowing attackers to cause denial of service by crafting SQL queries that consume excessive memory or CPU resources. The patch adds configurable limits for various SQLite operations to prevent resource exhaustion attacks.
Affected Code
// JavaScript API: a connection is opened without any limits configured
new DatabaseSync(':memory:');
// No limits applied - vulnerable to resource exhaustion
// Native layer (C++): the underlying SQLite handle is opened with no per-connection limits set
sqlite3_open_v2(location.c_str(), &connection_, flags, nullptr);
Proof of Concept
const { DatabaseSync } = require('node:sqlite');
const db = new DatabaseSync(':memory:');
// Create a deeply nested expression to exhaust memory
const maliciousQuery = 'SELECT ' + '('.repeat(100000) + '1' + ')'.repeat(100000);
db.exec(maliciousQuery); // Causes excessive memory usage/crash
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-02-27T23:38:13.332Z