CVE-2025-67731
Denial of Service via Unrestricted JSON Body in Servify Express
Publication date: 2025-12-12
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| servify-express.js | servify_express | < 1.2 (1.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Servify Express Node.js package before version 1.2, where the Express server uses express.json() middleware without a size limit on incoming JSON request bodies. This allows attackers to send extremely large JSON payloads, which can cause excessive memory usage, degrade performance, or crash the process, leading to a Denial of Service (DoS). The issue is due to configuration rather than a flaw in Express itself.
How can this vulnerability impact me?
If your application uses Servify Express before version 1.2 and accepts JSON requests without size limits, attackers can exploit this by sending very large JSON payloads. This can cause your server to consume excessive memory, slow down, or crash, resulting in a Denial of Service (DoS) that makes your application unavailable to legitimate users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether your application uses Servify Express versions prior to 1.2 with express.json() middleware configured without a size limit. You can inspect your package.json or package-lock.json for the Servify Express version. Additionally, monitor for unusually large JSON request bodies and for signs of excessive memory usage or crashes in your logs. Specific commands include:
1. Checking the package version: `npm list servify-express` or `cat package.json | grep servify-express`
2. Searching for express.json() usage without a limit in your codebase: `grep -r "express.json()" ./`
3. Monitoring system or application logs for large request bodies or crashes.
Network-level detection can involve capturing HTTP traffic and inspecting request sizes with tools such as tcpdump or Wireshark, but no specific commands for that are provided here.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Upgrade Servify Express to version 1.2 or later, where the issue is fixed.
2. Add a size limit option to the express.json() middleware to restrict the maximum allowed JSON request body size.
3. Implement rate limiting at the application or reverse-proxy level to prevent abuse.
4. Reject unusually large requests before parsing them.
5. Use a reverse proxy such as NGINX to enforce maximum request body sizes.
These steps help prevent excessive memory usage and the resulting denial of service.
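The following is an added example of mitigation steps 2 and 4 in code; it is not from the advisory or from the Servify Express project. It shows the configuration the advisory describes as vulnerable (`express.json()` with no limit) next to a hardened setup: a pre-parse guard that rejects requests whose declared Content-Length exceeds a ceiling, an explicit `limit` on `express.json()`, and an error handler for the `entity.too.large` error that body-parser raises when a chunked body crosses that limit mid-stream. The 100 KB ceiling, the `/api/items` route and the error messages are assumptions chosen for the demonstration; `express` is passed into `buildApp` so the file also loads without the dependency installed.

```javascript
// Added example, not code from the advisory or from the Servify Express project.
// Hardened JSON body handling for an Express app. JSON_LIMIT_BYTES, the route
// path and the error messages are assumptions chosen for this demonstration.

const JSON_LIMIT_BYTES = 100 * 1024; // assumed ceiling; size it to your API's real payloads

// Mitigation step 4: refuse oversized requests by Content-Length before any
// body bytes are read. Returns Express-style middleware (req, res, next).
function contentLengthGuard(maxBytes) {
  return function guard(req, res, next) {
    const header = req.headers['content-length'];
    if (header !== undefined) {
      const declared = Number(header);
      // A non-numeric or negative Content-Length is malformed; refuse it too.
      if (!Number.isInteger(declared) || declared < 0) {
        res.status(400).json({ error: 'invalid Content-Length' });
        return;
      }
      if (declared > maxBytes) {
        res.status(413).json({ error: 'payload too large', limit: maxBytes });
        return;
      }
    }
    // Chunked bodies carry no Content-Length; they fall through to the
    // parser's own limit, enforced while the stream is read.
    next();
  };
}

// Express error middleware (four parameters). body-parser raises an error with
// type 'entity.too.large' when express.json({ limit }) is exceeded, which is
// what catches the chunked uploads the Content-Length guard cannot see.
function bodyLimitErrorHandler(err, req, res, next) {
  if (err && err.type === 'entity.too.large') {
    res.status(413).json({ error: 'payload too large', limit: JSON_LIMIT_BYTES });
    return;
  }
  next(err); // anything else continues to the default Express error handler
}

// Wire the pieces into an app. `express` is injected so this module can be
// loaded and unit-tested without the package being installed.
function buildApp(express) {
  const app = express();
  app.use(contentLengthGuard(JSON_LIMIT_BYTES));
  // Configuration the advisory describes as vulnerable:
  //   app.use(express.json());
  // Mitigation step 2: an explicit ceiling on the parsed JSON body.
  app.use(express.json({ limit: JSON_LIMIT_BYTES }));
  app.post('/api/items', (req, res) => {
    res.json({ received: Object.keys(req.body || {}).length });
  });
  app.use(bodyLimitErrorHandler); // must be registered after the routes
  return app;
}

// Run directly with `node thisfile.js` once express is installed (CommonJS only).
if (typeof require === 'function' && typeof module !== 'undefined' && require.main === module) {
  buildApp(require('express')).listen(3000);
}
```

The guard sits first in the chain so that a request declaring a 500 MB body is answered with 413 before any middleware allocates for it; the `limit` option and the error handler cover the remaining case of a body sent with chunked transfer encoding. Step 3 (rate limiting) and step 5 (an NGINX `client_max_body_size` in front of the app) are independent of this code and remain worth adding.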