Use of Blocking Code in Single-threaded, Non-blocking Context

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application designed to be single-threaded and non-blocking, for performance and scalability, inadvertently executes code that can block the one thread driving it and, with it, the entire process. If an attacker can reach the code path that blocks, every other request handled by that process stalls, leading to a denial of service.

Extended Description

In architectures such as Node.js, Python asyncio, or Vert.x, a single-threaded event loop handles many concurrent operations efficiently by avoiding the overhead of traditional multi-threading. The core principle is that every task must yield control quickly. If any piece of code, such as a long computation, a synchronous file operation, or a network call that waits on a remote peer, blocks this thread, the entire event loop stalls: no timer fires, no socket is read, and no other connection or request makes progress until the blocking call returns. Attackers can exploit this by directly invoking a slow operation, or by manipulating the environment a synchronous call depends on (a network peer that never answers, or a file system that hangs) to force a block. The result is a classic denial of service: the application appears to hang or become unresponsive. To prevent this, developers must audit the code that runs in non-blocking contexts, replace synchronous calls with their asynchronous counterparts, and offload expensive work to worker threads or separate services.

Common Consequences
Scope: Availability

Impact: DoS: Resource Consumption (CPU)

An unexpected call to blocking code, or a loop that runs long enough, stalls the event loop; every other request in the process waits until it returns, which may be indefinitely.

Potential Mitigations
Phase: Implementation
Generally speaking, blocking calls should be replaced with non-blocking alternatives that can be used asynchronously. Expensive computations should be passed off to worker threads, although the correct approach depends on the framework being used.
Phase: Implementation
For expensive computations, consider breaking them up into multiple smaller computations. Refer to the documentation of the framework being used for guidance.
Modes of Introduction
Implementation
Related Attack Patterns