CVE-2025-67731
Unknown Unknown - Not Provided
Denial of Service via Unrestricted JSON Body in Servify Express

Publication date: 2025-12-12

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67731
EUVD
EUVD-2025-202768
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
servify-express.js servify_express to 1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Servify Express Node.js package before version 1.2, where the Express server uses express.json() middleware without a size limit on incoming JSON request bodies. This allows attackers to send extremely large JSON payloads, which can cause excessive memory usage, degrade performance, or crash the process, leading to a Denial of Service (DoS). The issue is due to configuration rather than a flaw in Express itself.

Impact Analysis

If your application uses Servify Express before version 1.2 and accepts JSON requests without size limits, attackers can exploit this by sending very large JSON payloads. This can cause your server to consume excessive memory, slow down, or crash, resulting in a Denial of Service (DoS) that makes your application unavailable to legitimate users.

Detection Guidance

Detection involves checking if your application uses Servify Express versions prior to 1.2 with express.json() middleware configured without a size limit. You can inspect your package.json or package-lock.json for the Servify Express version. Additionally, monitor for unusually large JSON request bodies or signs of excessive memory usage or crashes in your logs. Specific commands include: 1) Checking package version: `npm list servify-express` or `cat package.json | grep servify-express` 2) Searching for express.json() usage without limits in your codebase: `grep -r "express.json()" ./` 3) Monitoring logs for large request bodies or crashes using system or application logs. Network-level detection can involve capturing HTTP traffic and inspecting request sizes with tools like tcpdump or Wireshark, but no specific commands are provided in the context.

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade Servify Express to version 1.2 or later where the issue is fixed. 2) Add a size limit option to the express.json() middleware to restrict the maximum allowed JSON request body size. 3) Implement rate limiting at the application or reverse-proxy level to prevent abuse. 4) Reject unusually large requests before parsing them. 5) Use a reverse proxy such as NGINX to enforce maximum request body sizes. These steps help prevent excessive memory usage and potential denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67731. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart