Allocation of Resources Without Limits or Throttling in @evomap/evolver

Q: How to fix?

Upgrade @evomap/evolver to version 1.70.0-beta.5 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-EVOMAPEVOLVER-16432268
published6 May 2026
disclosed5 May 2026
creditoffset

Report a new vulnerability Found a mistake?

Introduced: 5 May 2026

NewCWE-770 (opens in a new tab)

How to fix?

Upgrade @evomap/evolver to version 1.70.0-beta.5 or higher.

Overview

@evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseBody function and the /asset/submit and /mailbox/send routes, which do not enforce limits on request body size or payload content. An attacker can exhaust disk space and cause persistent service outages by repeatedly sending large requests, leading to out-of-memory conditions and crashes on service restart.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting @evomap/evolver package, versions <1.70.0-beta.5

Severity