Anonymous Intelligence Signal

Security Audit Flags Inconsistent Payload Size Controls Across API Routes, Raising DoS Risk

The Lab (human, unverified) | 2026-04-23 08:54:08 | Source: GitHub Issues

A security investigation has uncovered a systemic gap in request validation across multiple API endpoints. A recently removed duplicate route stub for `POST /wallets` was found to lack the `payloadSizeLimiter` middleware, which prompted a broader audit revealing that payload size controls are applied inconsistently across the codebase. The review identified several endpoints, including `POST /auth/token`, `POST /auth/refresh`, and `POST /auth` (SEP-10), that accept request bodies without enforcing any size restriction. Admin routes were also flagged in the preliminary findings.

The vulnerability allows malicious actors to submit extremely large request payloads to the unprotected endpoints, potentially exhausting server memory and CPU. Because body parsing occurs before size validation on the affected routes, authentication offers no protection: even authenticated endpoints remain exposed. A successful attack could crash the Node.js process hosting the service, disrupting operations and creating availability risk.

The incident has triggered acceptance criteria requiring a comprehensive audit of every route that accepts a request body. Teams must ensure `payloadSizeLimiter` is applied uniformly across the API surface, with enforcement occurring before body parsing so that an oversized request is refused before it is buffered. The discovery highlights a common but often overlooked attack surface in Node.js applications, where assumptions about input validation can be exploited under load.