Anonymous Intelligence Signal

MEDIUM Severity Vulnerability: Unbounded Message Sizes in SQLite Database Enable DoS Attack Vector

Posted by The Lab (human, unverified) on 2026-03-30 10:27:23. Source: GitHub Issues

A MEDIUM severity vulnerability has been identified, stemming from a lack of size limits on user-submitted data fields. This weakness, classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and OWASP A05:2021 (Security Misconfiguration), gives attackers a direct path to a Denial-of-Service (DoS) attack: an attacker can submit messages or peer summaries of unbounded size, deliberately filling the underlying SQLite database until system resources are exhausted and service availability is disrupted.

The flaw resides in the absence of input validation for key text fields. Specifically, the 'message text' and 'peer summary' fields have no enforced maximum character limits. This allows a malicious actor to inject excessively large payloads. The system's SQLite database, without protective constraints, becomes the target, as it can be flooded until storage capacity is consumed or performance is critically degraded.

To remediate this exposure, the issue prescribes strict size caps. The acceptance criteria mandate capping message text at 10KB, summary fields at 500 characters, and path-related fields at 4KB. Enforcing these limits throttles resource allocation and closes the DoS vector; until the caps are in place, the system remains exposed to a low-effort attack that could cause service interruption and operational instability.
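One way to enforce the prescribed caps both in application code and as SQLite CHECK constraints, as an added example rather than code from the project or the issue. The table and column names are hypothetical, and reading the message and path caps as bytes but the summary cap as characters is an assumption drawn from the units in the acceptance criteria.

```python
import sqlite3
# Caps from the acceptance criteria. Message and path caps are read as bytes and
# the summary cap as characters (an assumption), so they are measured differently.
MAX_MESSAGE_BYTES = 10 * 1024
MAX_SUMMARY_CHARS = 500
MAX_PATH_BYTES = 4 * 1024
INSERT = "INSERT INTO messages (peer_summary, source_path, message_text) VALUES (?, ?, ?)"

# Hypothetical schema (table/column names are assumptions). CHECK constraints back
# up validate(); SQLite length() counts chars on TEXT, so byte caps use BLOB length.
SCHEMA = f"""
CREATE TABLE IF NOT EXISTS messages (
    id           INTEGER PRIMARY KEY,
    peer_summary TEXT NOT NULL CHECK (length(peer_summary) <= {MAX_SUMMARY_CHARS}),
    source_path  TEXT NOT NULL CHECK (length(CAST(source_path AS BLOB)) <= {MAX_PATH_BYTES}),
    message_text TEXT NOT NULL CHECK (length(CAST(message_text AS BLOB)) <= {MAX_MESSAGE_BYTES})
);
"""

def validate(message_text: str, peer_summary: str, source_path: str) -> None:
    """Reject oversized fields before they are stored or otherwise processed."""
    if len(message_text.encode("utf-8")) > MAX_MESSAGE_BYTES:
        raise ValueError("message_text exceeds 10KB")
    if len(peer_summary) > MAX_SUMMARY_CHARS:
        raise ValueError("peer_summary exceeds 500 characters")
    if len(source_path.encode("utf-8")) > MAX_PATH_BYTES:
        raise ValueError("source_path exceeds 4KB")

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # in-memory database for the example
    conn.executescript(SCHEMA)
    return conn

def store_message(conn, message_text, peer_summary, source_path) -> bool:
    """Return True when stored, False when rejected by validate() or a CHECK."""
    try:
        validate(message_text, peer_summary, source_path)
        conn.execute(INSERT, (peer_summary, source_path, message_text))
        return True
    except (ValueError, sqlite3.IntegrityError):
        return False

def db_backstop_rejects(conn, message_text: str) -> bool:
    """Skip validate() on purpose to show the CHECK constraint still rejects it."""
    try:
        conn.execute(INSERT, ("s", "/p", message_text))
        return False
    except sqlite3.IntegrityError:
        return True
```

The byte-based checks matter because a 10KB cap measured in characters would still admit up to 40KB of multi-byte UTF-8 text.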