Security · 1h ago
Unlimited URL Decoding Opens Servers to CPU Exhaustion Attacks
A developer warns that looping urldecode() until a string stops changing can let attackers craft deeply nested encoded payloads that force excessive CPU work. For example, a single quote character encoded seven times requires seven decode passes. The fix is to cap decode passes, preventing resource exhaustion under sustained attack.
Meridian48 take
This is a practical, often-overlooked vulnerability that can degrade server performance for small teams, but the risk is limited unless attackers can sustain high request volumes.
Read the full reporting
The Decode Bomb Problem — Why Unlimited URL Decoding Can Be Its Own Vulnerability →
DEV Community
url-decodingcpu-exhaustion