Echo JS 0.11.0

Given the ability to effectively DDoS a server, I'd say it's indeed a threat.

Even in some validation libraries, you'll find some really poor evaluations.  For example, doing input validation while typing on an email input field can get pretty nasty, pretty quickly in a couple of the validation frameworks I've used.  It was faster/easier to use a simpler validation first, before the more broad validation... (splitting on '@', checking for 2 parts, length and verifying the parts separately), even limiting the length before/after the '@' in practical terms.  Of course, this was only a client-side issue... but it's still an issue.