compufox / maas

Merps as a Service

Potential DoS via merps #1

Open BlueRaccoonTech opened 5 years ago

BlueRaccoonTech commented 5 years ago

I was playing around with Merp as a Service and realized if I punched in a really big number, it'd take a while to resolve. (I apologize for that, by the way! ^^") I then spun up my own instance of the merp API and realized... well, merps can take up a lot of memory and CPU power.

[image: deathbymerp]

By using the amount endpoint and specifying a very large number of merps, the program will begin to take up a ton of RAM and an entire CPU core to come up with more and more merps. (Also, the attacker can cancel their request and the operation will still continue.)

I believe this should be solved rather simply by setting a maximum number of merps that can be requested. I don't think anyone needs enough merps to crash a system.
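The two fixes the report points at (cap the requested amount, and stop generating when the client goes away) are shown below in an added example. This is not the maas project's own code; the language of the real service is not stated on the page, so the handler is written in Go, and the `/amount` path, the `amount` query parameter and the `maxMerps` cap of 1000 are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strconv"
)

// maxMerps is an assumed cap for the example; the real service's limit
// (if it has one) is not given on the page.
const maxMerps = 1000

// parseAmount parses the ?amount= query value and rejects anything outside
// [1, maxMerps]. Rejecting before doing any work is what prevents the DoS:
// the request is refused instead of allocating memory proportional to it.
func parseAmount(raw string) (int, error) {
	if raw == "" {
		return 1, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		// Covers non-numeric input and integers too large for the platform.
		return 0, fmt.Errorf("amount must be an integer")
	}
	if n < 1 || n > maxMerps {
		return 0, fmt.Errorf("amount must be between 1 and %d", maxMerps)
	}
	return n, nil
}

// merps streams n merps to w one at a time instead of building them all in
// memory first, and checks ctx before each one so that a cancelled request
// stops the work. It returns the number actually written.
func merps(ctx context.Context, w io.Writer, n int) (int, error) {
	written := 0
	for i := 0; i < n; i++ {
		select {
		case <-ctx.Done():
			return written, ctx.Err()
		default:
		}
		if _, err := io.WriteString(w, "merp\n"); err != nil {
			return written, err
		}
		written++
	}
	return written, nil
}

// merpHandler serves the hypothetical /amount endpoint.
func merpHandler(w http.ResponseWriter, r *http.Request) {
	n, err := parseAmount(r.URL.Query().Get("amount"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	// r.Context() is cancelled by net/http when the client disconnects,
	// so the generation loop stops rather than running to completion.
	merps(r.Context(), w, n)
}

func main() {
	http.HandleFunc("/amount", merpHandler)
	http.ListenAndServe(":8080", nil)
}
```

The cap handles the "really big number" case; passing the request context into the loop handles the second observation in the report, that cancelling the request did not stop the server-side work. Streaming rather than building the full response keeps peak memory constant regardless of the amount requested.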

compufox commented 5 years ago

omg you're going to make me paginate the merps aren't you?

(even if not that's def what I'm gonna do lol)

thanks for bringing this to my attention I didn't even think about it :3