Will It Vibe logoWill It Vibe?
EXPRESS-020Low severity-4 points

File upload without size limits

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A multer instance is created without a limits option, so uploaded files have no enforced maximum size and a client can exhaust disk or memory.

Why it matters

A multer instance created without a limits option accepts uploaded files of any size. A client can then send a very large file (or many fields) to exhaust disk space, memory, or the request timeout, degrading the service for everyone. Upload endpoints are a common denial-of-service vector precisely because the size is attacker-chosen.

How to fix it

Pass a limits option to multer with a fileSize cap sized to what the feature needs, plus files and fields caps where relevant: multer({ limits: { fileSize: 5 * 1024 * 1024 } }). Handle the resulting LIMIT_FILE_SIZE error to return a clean 413, and validate the file type after upload. Store uploads outside the web root.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks