Playwright & Serve-Handler Exposed: Missing Rate Limiting Opens Critical DoS Vulnerability

A critical Denial of Service (DoS) vulnerability has been identified in core server utilities, exposing applications using Playwright and serve-handler to potential resource exhaustion attacks. The flaw stems from multiple endpoint handlers that perform expensive file system operations without any rate limiting, allowing unauthenticated remote attackers to send unlimited concurrent requests. This can overwhelm server resources, leading to service unavailability for legitimate users.

The vulnerability, rated Medium (6.5/10) and classified under CWE-770, is detectable via SAST tools. The specific attack vector is straightforward: malicious actors can target endpoints that trigger resource-intensive file operations. Key affected files include `node_modules/playwright-core/lib/server/utils/httpServer.js` (lines 118, 139), `node_modules/playwright-core/lib/server/trace/viewer/traceViewer.js` (lines 69-91), and `node_modules/serve-handler/src/index.js` (lines 548-576). The root cause is the absence of rate limiting middleware for these critical paths.

This exposure places any application or service relying on these popular Node.js packages at immediate risk. The lack of authentication requirements for the attack significantly lowers the barrier to exploitation. Developers and security teams must urgently review their implementations, apply patches, or implement custom rate limiting to mitigate the risk of service disruption and maintain application integrity.