getAllVersions loads an object's entire version history into memory with no upper bound. We performed a successful History Tree Attack against an object with 100 versions in its history; deeply versioned objects (1000+ versions) can exhaust the memory of the pm2-managed worker processes that serve the query.
Recommendation: Add pagination to version queries. Limit the default response to 100 versions, enforce that cap server-side regardless of any client-supplied page size, and use cursor-based (keyset) pagination rather than offsets so that clients page through long histories instead of fetching them in one request.
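The following is an added example, not the audited application's code, showing the unbounded query beside a paginated replacement. The in-memory version store, the object ID `doc-1`, the function names `getVersions` and `countVersionsPaged`, and the cursor format are all assumptions made for illustration; the sample history of 1,250 versions is constructed data.

```javascript
// Added example (not the audited project's code): an unbounded getAllVersions
// beside a cursor-based, server-capped replacement. Store, IDs and names are
// assumptions for illustration only.

const DEFAULT_PAGE_SIZE = 100;
const MAX_PAGE_SIZE = 100; // hard cap enforced server-side; clients cannot raise it

// Constructed sample data: one object with 1,250 versions.
const VERSION_STORE = new Map();
function seedVersions(objectId, count) {
  const versions = [];
  for (let i = 1; i <= count; i++) {
    versions.push({ versionId: i, objectId, createdAt: 1700000000 + i, payload: 'x'.repeat(64) });
  }
  VERSION_STORE.set(objectId, versions);
}
seedVersions('doc-1', 1250);

// Before: unbounded. Returns every version in one array, so memory use
// grows linearly with history depth and a deep history exhausts the worker.
function getAllVersions(objectId) {
  return (VERSION_STORE.get(objectId) || []).slice();
}

// Cursor helpers. The cursor is the last versionId returned, wrapped in
// opaque base64url so clients do not treat it as a numeric offset.
function encodeCursor(versionId) {
  return Buffer.from(JSON.stringify({ v: versionId })).toString('base64url');
}
function decodeCursor(cursor) {
  if (cursor === undefined || cursor === null) return 0;
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(String(cursor), 'base64url').toString('utf8'));
  } catch {
    throw new RangeError('invalid cursor');
  }
  if (!Number.isInteger(parsed.v) || parsed.v < 0) throw new RangeError('invalid cursor');
  return parsed.v;
}

// After: paginated. Emulates a keyset query of the form
//   SELECT ... WHERE object_id = ? AND version_id > ? ORDER BY version_id LIMIT ?+1
// Fetching limit+1 rows reveals whether a next page exists without a COUNT(*).
function getVersions(objectId, { limit = DEFAULT_PAGE_SIZE, cursor } = {}) {
  if (!Number.isInteger(limit) || limit < 1) throw new RangeError('limit must be a positive integer');
  const pageSize = Math.min(limit, MAX_PAGE_SIZE); // client cannot exceed the cap
  const afterId = decodeCursor(cursor);
  const all = VERSION_STORE.get(objectId) || [];
  // In a real deployment this filter is the database's WHERE/LIMIT, not an in-memory scan.
  const rows = [];
  for (const v of all) {
    if (v.versionId > afterId) {
      rows.push(v);
      if (rows.length === pageSize + 1) break;
    }
  }
  const hasMore = rows.length > pageSize;
  const items = hasMore ? rows.slice(0, pageSize) : rows;
  return {
    items,
    nextCursor: hasMore ? encodeCursor(items[items.length - 1].versionId) : null,
  };
}

// Walk an entire history page by page, never holding more than one page at a time.
function countVersionsPaged(objectId) {
  let total = 0;
  let pages = 0;
  let cursor;
  do {
    const page = getVersions(objectId, { cursor });
    total += page.items.length;
    pages += 1;
    cursor = page.nextCursor;
  } while (cursor);
  return { total, pages };
}
```

The cap is applied to the requested `limit` rather than trusted from the client, which is the part that actually removes the memory exhaustion; pagination alone, with an unbounded `limit` parameter, would leave the original issue reachable with one extra query parameter. Fetching `pageSize + 1` rows avoids a separate count query and makes "is there a next page" a property of the result rather than of mutable state.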