CVE-2025-67731

Severity: HIGH 7.5 (CVSS 3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

CVE Published: Dec 12, 2025 - 08:15 (nvd)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)

Description

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.

Analysis

Servify Express, a Node.js package for starting Express servers, contains a denial of service vulnerability caused by the absence of a size limit on JSON request bodies parsed by express.json(). An unauthenticated attacker can exploit it by sending extremely large payloads that exhaust process memory and crash the application. The EPSS score of 0.07% (21st percentile) puts the predicted probability of exploitation low, but the attack needs no privileges or user interaction, so any internet-facing deployment of an affected version is exposed. A patch is available.

Technical Context

The vulnerability exists in Servify Express (cpe:2.3:a:servify-express.js:servify_express:*:*:*:*:*:node.js:*:*), a Node.js package that wraps Express.js server initialization. The root cause maps to CWE-400 (Uncontrolled Resource Consumption): the express.json() middleware is registered without a 'limit' option sized for the application. This middleware buffers the entire incoming request body in memory before handing it to JSON.parse, and the resulting object graph typically occupies several times the raw byte count, so oversized bodies drive the Node.js process past V8's heap limit and crash it, or degrade it badly enough to stall every other request on the same event loop. This is a configuration issue rather than a flaw in Express itself: the framework already provides the 'limit' option (enforced against both the declared Content-Length and the bytes actually streamed), and the package did not configure it. When auditing a deployment, check the value the package actually passes to express.json() rather than assuming the parser is unbounded, since body-parser applies a default of 100kb when no limit is given; the advisory's point stands for any configuration that raises or removes that cap, and a cap appropriate to the API is usually far smaller than the default.

Affected Products

Servify Express versions prior to 1.2 are affected by this vulnerability. The affected product is identified via CPE as cpe:2.3:a:servify-express.js:servify_express:*:*:*:*:*:node.js:*:*, confirming the scope is limited to this specific Node.js package. The vendor has published a security advisory at https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m confirming the affected version range. Any application incorporating this package without additional body size protections or reverse proxy safeguards is vulnerable to denial of service attacks through unbounded JSON payload submission.

Remediation

Upgrade Servify Express to version 1.2 or later, as documented in the release at https://github.com/Aarondoran/servify-express/releases/tag/V1.2 and patched in commit https://github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61. If immediate patching is not feasible, apply one or more of the following workarounds: pass a limit option to the JSON parser, for example app.use(express.json({limit: '100kb'})), choosing a value that matches the largest legitimate request rather than the largest the server can survive; deploy rate limiting at the application level or at the reverse proxy (NGINX, HAProxy); enforce a maximum request body size at the reverse proxy layer (client_max_body_size in NGINX), which stops oversized bodies before they reach Node at all; or add a pre-parsing check that rejects requests whose Content-Length header exceeds the acceptable threshold. Note that a Content-Length check alone does not cover chunked requests that omit the header, so it should complement, not replace, the parser's own limit. After applying a limit, verify it by sending a request one byte over the threshold and confirming the server answers 413 (body-parser rejects with "request entity too large") without a spike in resident memory. Full mitigation details are available in the GitHub security advisory at https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m.
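The following is an added example, not code from Servify Express, Express or body-parser, showing the two checks that a body limit has to perform (reject on the declared Content-Length before reading, then count streamed bytes and abort the moment the running total passes the cap) and how a pre-parsing guard middleware of the kind the Remediation section describes can be wired in front of express.json(). It uses only Node built-ins so it runs without Express installed; the names SIZE_LIMIT, preflight, readBounded, parseJsonBody and contentLengthGuard are this example's own, and the sample requests are constructed, not captured traffic.

```javascript
'use strict';
// Added example (not servify-express, Express or body-parser code): a request
// body size cap over Node built-ins, mirroring what express.json({ limit })
// does internally. All identifiers here are hypothetical, not the package's.

const SIZE_LIMIT = 100 * 1024; // 100 KiB, the same default body-parser applies

class PayloadTooLarge extends Error {
  constructor(received, limit) {
    super(`request body of ${received} bytes exceeds limit of ${limit} bytes`);
    this.status = 413; // HTTP 413 Payload Too Large
  }
}

// Step 1: reject on the declared Content-Length before reading any body byte.
// Returns null if the request may proceed, otherwise an Error with a .status.
function preflight(headers, limit = SIZE_LIMIT) {
  const declared = headers['content-length'];
  if (declared === undefined) return null; // chunked body: step 2 must cover it
  if (!/^\d+$/.test(declared)) {
    const err = new Error('invalid Content-Length');
    err.status = 400;
    return err;
  }
  const n = Number(declared);
  return n > limit ? new PayloadTooLarge(n, limit) : null;
}

// Step 2: accumulate body chunks, aborting as soon as the running total passes
// the limit, so a body without Content-Length cannot grow unbounded in memory.
function readBounded(chunks, limit = SIZE_LIMIT) {
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > limit) throw new PayloadTooLarge(received, limit);
    parts.push(chunk);
  }
  return Buffer.concat(parts, received);
}

// Both steps followed by JSON.parse, returning an HTTP-style result object.
function parseJsonBody(headers, chunks, limit = SIZE_LIMIT) {
  const rejected = preflight(headers, limit);
  if (rejected) return { status: rejected.status, error: rejected.message };
  let raw;
  try {
    raw = readBounded(chunks, limit);
  } catch (err) {
    return { status: err.status, error: err.message };
  }
  try {
    return { status: 200, body: JSON.parse(raw.toString('utf8')) };
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
}

// Express-compatible (req, res, next) middleware built on preflight(). Mount it
// before the parser, e.g.:
//   app.use(contentLengthGuard(SIZE_LIMIT));
//   app.use(express.json({ limit: '100kb' }));   // still needed for chunked bodies
function contentLengthGuard(limit = SIZE_LIMIT) {
  return function guard(req, res, next) {
    const rejected = preflight(req.headers, limit);
    if (!rejected) return next();
    res.statusCode = rejected.status;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: rejected.message }));
  };
}

// Constructed sample requests (not captured traffic).
const smallBody = Buffer.from('{"name":"probe","n":1}');
const hugeBody = Buffer.alloc(SIZE_LIMIT + 1, 0x20); // one byte over the cap

console.log(parseJsonBody({ 'content-length': String(smallBody.length) }, [smallBody]));
console.log(parseJsonBody({ 'content-length': String(hugeBody.length) }, [hugeBody]));
console.log(parseJsonBody({}, [hugeBody, hugeBody])); // chunked, no length header
```

The guard alone is not sufficient: a client that omits Content-Length and sends a chunked body bypasses it, which is why readBounded counts bytes as they arrive and why express.json({ limit }) must stay configured even when a guard or a reverse-proxy limit is in place.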

Priority Score

38 (scale: Low / Medium / High / Critical)
Contributions: KEV 0, EPSS +0.1, CVSS +38, POC 0
