Turnstile causing 100% CPU and memory increase when reloading pages

We’ve been trying out Turnstile on a site that we’re developing. We’ve tried both explicit and implicit modes of loading turnstile, and both seem to trigger this issue. We are currently using Firefox 113.0.1.

The approximate STR are:

  • Load a page with Turnstile and verify it loads ok.
  • Reload the page several times.

Expected Results

=> Page always reloads correctly and the verification is shown.

Actual Results

=> At some stage the verification stops loading, the content process starts using 100% CPU and its memory increases at a fairly fast rate (e.g. a GB after a few mins). Generally at this stage the only way to recover is to kill the process.

This seems to happen more frequently if I reload the page whilst the verification is still loading from the previous page reload.

It is also worse if I defer loading the script and use explicit mode.

Anyone have any ideas?

Part of what makes turnstile useful is its proof of work ( Proof of work - Wikipedia ).
This gives the protection some built in resilience against bots such that even if they do pass the challenge as legitimate browsers, they are still forced to execute some computational expensive operations to pass the captcha.

This is a feature unless there is a bug in the code that somehow spikes the usage more than what’s expected.

Whats your website url?

Sorry, maybe my issue wasn’t clear enough.

When the process gets into a bad state, it stays there, at 100% CPU and continuously increasing memory. It does NOT recover.

Visiting another page without Turnstile and then visiting another page with Turnstile does NOT fix the 100% CPU & continuous memory increase. Turnstile might work again on that newly loaded page, but that content process is stuck (I’ve just tried it again, that process is now using 15GB and increasing by about 1GB a minute). Somehow, I don’t think that is right.

The only way to get out of it it is to kill the process.

The site is a test site at the moment so I’d prefer not to post it, but you can reproduce with the “Simple Cloudflare Turnstile” plugin installed and simply reloading the login page.

How many times do you reload the page? I just tried this using our Turnstile implementation and couldn’t get it to fail. I reloaded the page 20 times in a row without any issues. This was in Firefox 113.0.1 on Windows 11.

Typically I only have to reload a few times. I think it helps if you reload whilst the Turnstile is still processing, rather than waiting for it to complete.

So, in our implementation, the “Managed” Turnstile widget is hidden (via CSS) so I have no idea when it finishes processing. I simply reloaded the page where the widget is embedded 20 times in a row and didn’t experience any CPU “hit” at all. In our implementation, if the Turnstile challenges fail, we’ll display the widget so the user can check the box to be verified as a human.