Node.js CVE-2025-67731
Severity (by source): HIGH
CVSS vector (GitHub Advisory, the only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (GitHub Advisory)
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.
Analysis (AI-generated)
Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by the absence of size limits on JSON request bodies parsed by express.json(). Attackers can exploit this by sending extremely large payloads to cause memory exhaustion and crash the application process. With an EPSS score of 0.07% (21st percentile), active exploitation remains low-probability, though a patch is available and the vulnerability affects any internet-facing application using affected versions.
Technical Context (AI-generated)
The vulnerability exists in Servify Express (cpe:2.3:a:servify-express.js:servify_express:*:*:*:*:*:node.js:*:*), a Node.js package that wraps Express.js server initialization. The root cause maps to CWE-400 (Uncontrolled Resource Consumption) where the express.json() middleware is configured without the 'limit' parameter. This middleware parses incoming JSON request bodies and loads them entirely into memory. Without size restrictions, an attacker can send arbitrarily large JSON payloads that consume available memory until the Node.js process exceeds heap limits and crashes. This represents a configuration issue rather than a flaw in Express itself, as the framework provides mechanisms to set body size limits that were not implemented by default in Servify Express.
Remediation (AI-generated)
Upgrade Servify Express to version 1.2 or later, as documented in the release at https://github.com/Aarondoran/servify-express/releases/tag/V1.2 and patched in commit https://github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61. If immediate patching is not feasible, implement the following workarounds: add a limit option to express.json() such as app.use(express.json({limit: '100kb'})), deploy rate limiting at the application level or via reverse proxy (NGINX, HAProxy), configure maximum request body size enforcement at the reverse proxy layer, or implement pre-parsing validation to reject requests with Content-Length headers exceeding acceptable thresholds. Full mitigation details are available in the GitHub security advisory at https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m.
Reference: GHSA-qgc4-8p88-4w7m