F-2026-0013 · resource-exhaustion

Session `saveUninitialized: true` Creates Sessions for Every Request

Fixed · pentest · backend · api · github.com/bloom-art/api
TL;DR

`express-session` was configured with `saveUninitialized: true`, which persists an empty Redis session entry for every webhook call, health probe, and unauthenticated request. Fixed by removing the entire session stack.

Severity
LOW
Impact
LOW
Likelihood
LOW
Method
Manual review
Complexity
LOW
Exploitability
LOW

Description

```typescript
saveUninitialized: true, // L68, creates and persists a new Redis session for EVERY incoming request
```

This creates empty session entries in Redis for webhook traffic, health probes, and unauthenticated requests.


Impact

Unbounded growth of empty session entries in Redis, increasing storage cost and potentially degrading lookup performance.


Recommendation

Set saveUninitialized: false.
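To make the difference between the two settings concrete, the following is an added example (not code from bloom-art/api or from express-session itself): a dependency-free model of the store-write decision, with an in-memory map standing in for Redis and a constructed traffic mix of health probes, webhooks and one login. It assumes the documented express-session behaviour that a brand-new session is persisted only when it was modified or `saveUninitialized` is `true`.

```typescript
// Added example, not code from bloom-art/api: a dependency-free model of
// express-session's store-write decision, showing why saveUninitialized: true
// fills Redis. A new session is written only if the route modified it or
// saveUninitialized is true; sessions that already exist are always resaved.

type SessionData = Record<string, unknown>;

// In-memory stand-in for the Redis store (constructed for this example).
class MemoryStore {
  private entries = new Map<string, string>();
  set(sid: string, data: SessionData): void {
    this.entries.set(sid, JSON.stringify(data));
  }
  size(): number {
    return this.entries.size;
  }
}

// Minimal middleware mirroring the relevant part of express-session.
function sessionMiddleware(store: MemoryStore, saveUninitialized: boolean) {
  let counter = 0;
  return (existingSid: string | undefined, handler: (s: SessionData) => void): void => {
    const isNew = existingSid === undefined;
    const sid = existingSid ?? `sid-${++counter}`;
    const session: SessionData = {};
    const before = JSON.stringify(session);
    handler(session); // the route may or may not touch the session
    const modified = JSON.stringify(session) !== before;
    if (!isNew || modified || saveUninitialized) {
      store.set(sid, session); // this is the write that hits Redis in production
    }
  };
}

// Replay the traffic mix from the finding (constructed requests): probes and
// webhooks that never touch the session, plus one login that does.
function countStoreEntries(saveUninitialized: boolean): number {
  const store = new MemoryStore();
  const handle = sessionMiddleware(store, saveUninitialized);
  const anonymousRoutes = ['GET /health', 'POST /webhooks/stripe', 'GET /health', 'POST /webhooks/github'];
  anonymousRoutes.forEach(() => handle(undefined, () => {}));
  handle(undefined, (s) => { s.userId = 'user-123'; }); // login sets session data
  return store.size();
}
```

With `saveUninitialized: true` every one of the five requests leaves an entry; with `false` only the login does, which is exactly the growth the Impact section describes.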


Resolution

Fixed alongside F-2026-0006 in PR #3706: the entire session stack was deleted, so no session records are written to Redis at all.

Status
Fixed


© 2026 Zealynx