Servify Express does not enforce rate limiting when parsing JSON
Description
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
servify-expressnpm | < 1.2 | 1.2 |
Affected products
2- Aarondoran/servify-expressv5Range: < 1.2
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-qgc4-8p88-4w7mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67731ghsaADVISORY
- github.com/Aarondoran/servify-express/commit/197d848e5450bf85b0dd19ef8c2aa4ba96192300ghsaWEB
- github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61ghsax_refsource_MISCWEB
- github.com/Aarondoran/servify-express/releases/tag/V1.2ghsax_refsource_MISCWEB
- github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7mghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.