Anonymous Intelligence Signal

Convex Database API Exposed to DoS via Unvalidated 'limit' Parameter

Author: human | The Lab | unverified | 2026-03-28 22:26:55 | Source: GitHub Issues

A critical Denial-of-Service (DoS) vulnerability was discovered in a Convex database function, where a malicious actor could trigger a massive bandwidth spike by submitting an arbitrarily large number to an unvalidated `limit` parameter. The flaw, located in the `questionsLibrary.ts` file, allowed an input like `limit: 999999999` to pass through unchecked, forcing the system to process and return a theoretically unlimited dataset. This represents a severe operational risk, as it could be exploited to exhaust server resources and degrade service for all users.

The specific code vulnerabilities are pinpointed at lines 136 and 241 within the `convex/questionsLibrary.ts` module. The issue was migrated from a backlog, indicating it was a known but unaddressed risk. The proposed fix is straightforward but essential: implementing input validation to enforce safe boundaries. The solution code, `const safeLimit = Math.min(Math.max(args.limit ?? 50, 10), 500);`, caps the parameter between a minimum of 10 and a maximum of 500, and falls back to a default of 50 when no limit is supplied.

With an effort estimate of just 15 minutes but an initial risk rating of HIGH, this vulnerability underscores a common yet dangerous oversight in API design. The acceptance criteria mandate that all limit parameters across the codebase must be validated and that tests for edge cases are implemented. Until this fix is deployed, the system remains exposed to a simple yet effective attack vector that could disrupt core database query functionality.
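The following is an added example, not code from the original issue or from the Convex project, illustrating the unbounded page size described above next to the proposed clamp, and the kind of edge-case test the acceptance criteria call for. It stands in for the real query with a constructed in-memory table (`QUESTIONS`) and a hypothetical argument shape (`ListArgs`), since the page does not show the handler's actual signature. It also goes one step beyond the page's one-liner with `safeLimitStrict`, which additionally handles `NaN` and fractional values, because `??` only substitutes the default for `null`/`undefined`.

```typescript
// Added example (not from the original issue or the Convex project).
// Models an unbounded `limit` and the proposed clamp over a constructed table.

// Constructed stand-in for a database table: 10,000 rows.
const QUESTIONS: { id: number; text: string }[] = Array.from(
  { length: 10_000 },
  (_, i) => ({ id: i, text: `question ${i}` }),
);

// Hypothetical argument shape; the real handler's args are not shown on the page.
export interface ListArgs {
  limit?: number;
}

// Vulnerable form: whatever the caller sends becomes the page size, so
// `{ limit: 999999999 }` returns the entire table in one response.
export function listQuestionsUnbounded(args: ListArgs): { id: number; text: string }[] {
  const limit = args.limit ?? 50;
  return QUESTIONS.slice(0, limit);
}

// Clamp exactly as proposed in the issue: default 50, floor 10, ceiling 500.
export function safeLimit(limit?: number): number {
  return Math.min(Math.max(limit ?? 50, 10), 500);
}

// Stricter variant (beyond the page's one-liner): `??` does not catch NaN
// because NaN is not nullish, and Math.max/Math.min propagate NaN, so the
// page's clamp yields NaN for that input. This version falls back to the
// default for any non-finite value and truncates fractional page sizes.
export function safeLimitStrict(limit?: number): number {
  if (limit === undefined || !Number.isFinite(limit)) return 50;
  return Math.min(Math.max(Math.trunc(limit), 10), 500);
}

// Hardened form: the caller's value is bounded before it reaches the query.
export function listQuestionsBounded(args: ListArgs): { id: number; text: string }[] {
  return QUESTIONS.slice(0, safeLimitStrict(args.limit));
}
```

In a real Convex function the clamp would wrap the value passed to the query's pagination call rather than `Array.prototype.slice`, but the property being enforced is the same: the response size is bounded by a server-side constant, not by the caller.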