CodeQL Flags High-Severity Rate Limiting Gap in Juice Shop's server.ts
A scheduled security scan has uncovered a rate-limiting vulnerability in the Juice Shop application, with CodeQL assigning a CVSS score of 7.5—placing it in the high-severity range. The finding centers on a route handler in `server.ts` at line 251 that performs file-system access without any rate-limiting control, potentially exposing the application to denial-of-service conditions or resource exhaustion.
The automated scan, executed on March 8, 2026, triggered the `js/missing-rate-limiting` rule, which identifies endpoints that handle sensitive operations—such as file-system reads or writes—without a throttling mechanism in the request chain. Without rate limiting, an attacker could theoretically flood the vulnerable endpoint with requests, overwhelming server resources or accelerating brute-force attempts against file-system paths. The warning-level finding requires review of the specific code path and the addition of appropriate rate-limiting middleware or equivalent controls to mitigate the identified risk.
This vulnerability highlights a common security gap in web application development: endpoints that perform resource-intensive operations often escape rate limiting during initial implementation. For applications like Juice Shop, which is widely used as a security training platform, the discovery serves as both a patch opportunity and a demonstration point for how missing throttling controls can escalate into exploitable weaknesses. Maintainers should evaluate whether additional endpoints share similar exposure and consider a broader audit of rate limiting coverage across the codebase.