1 file changed, +6 -0 lines changed

@@ -112,8 +112,14 @@ does not trust is considered a vulnerability:
112112* Memory leaks qualify as vulnerabilities when all of the following criteria are met:
113113 * The API is being correctly used
114114 * The API doesn't have a warning against its usage in a production environment
115+ * The API is public and documented
115116 * The API is on stable (2.0) status
116117 * The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing)
118+ * The memory leak is directly exploitable by an untrusted source without requiring application mistakes
119+ * The leak cannot be reasonably mitigated through standard operational practices (like process recycling)
120+ * The leak occurs deterministically under normal usage patterns rather than edge cases
121+ * The leak occurs at a rate that would cause practical resource exhaustion within X requests or Y hours under
122+ typical workloads
117123
118124If Node.js loads configuration files or runs code by default (without a
119125specific request from the user), and this is not documented, it is considered a
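Review bot: the added criterion "The leak occurs at a rate that would cause practical resource exhaustion within X requests or Y hours under typical workloads" still carries the placeholders X and Y; either fill in concrete thresholds or drop the bullet, since the existing "The memory leak is significant, causing a DoS fast" line already covers severity. Two of the other new bullets contradict the criterion they sit next to: "The leak cannot be reasonably mitigated through standard operational practices (like process recycling)" would exclude every leak, because process recycling mitigates all of them, and "The leak occurs deterministically under normal usage patterns rather than edge cases" rules out exactly the attacker-supplied malformed input (an edge case by definition) that the existing "in a user-uncontrolled space (for instance, on HTTP parsing)" bullet is meant to capture. Suggest removing the process-recycling bullet and rewording the deterministic one to "The leak is reliably triggerable by an attacker, not only under unusual local conditions". The new "directly exploitable by an untrusted source without requiring application mistakes" bullet largely restates "The API is being correctly used"; consider merging them so the list stays a checklist of distinct conditions.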