Servify Express does not enforce rate limiting when parsing JSON
Description
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Servify Express <1.2 uses express.json() without a size limit, allowing attackers to cause DoS via oversized request bodies.
Vulnerability
Servify Express is a Node.js package that simplifies starting an Express server. Prior to version 1.2, the package invoked express.json() without specifying a limit option, meaning there was no restriction on the size of incoming JSON request bodies [1][3]. This configuration oversight means the server will attempt to parse arbitrarily large payloads, consuming excessive memory and CPU resources.
Exploitation
An attacker can exploit this by sending HTTP requests with extremely large JSON bodies to any endpoint that uses the default JSON parser. No authentication is required; the attack can be launched from any untrusted client that can reach the server [1]. The lack of built-in rate limiting in the default setup (rate limiting is optional and must be explicitly enabled) further lowers the barrier to a sustained DoS attack [2][4].
Impact
Successful exploitation leads to uncontrolled resource consumption (CWE-400), resulting in degraded server performance, excessive memory usage, or process crashes. This constitutes a Denial of Service (DoS) condition that can render the application unavailable to legitimate users [1][3].
Mitigation
The issue is fixed in version 1.2 of Servify Express [1]. Users should upgrade to the latest version. For those unable to upgrade, workarounds include adding a limit option to express.json() (e.g., { limit: "100kb" }), implementing rate limiting at the application or reverse-proxy level, rejecting large requests before parsing, or using a reverse proxy like NGINX to enforce maximum request body sizes [1][3].
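As an added example, not code from the servify-express project, the following puts the pre-1.2 configuration beside a hardened one that applies the workarounds listed above (a body-size limit on express.json(), a cheap Content-Length pre-check before parsing, and rate limiting). It assumes express and express-rate-limit are installed; the helper names bodySizeCheck, rejectLargeBodies and buildApp are mine.

```javascript
// Added example, not code from the servify-express project. Shows the pre-1.2
// configuration beside a hardened one that applies the advisory's workarounds.
// Assumes express and express-rate-limit are installed; both are required
// inside buildApp() only, so the pure helpers can be exercised without them.

const BODY_LIMIT_BYTES = 100 * 1024; // the advisory's suggested "100kb"

// Decide before parsing whether a request body is acceptable. Returns an HTTP
// status to answer with, or null to let the request through. Requests without
// Content-Length (e.g. chunked) are passed on: express.json({ limit }) still
// caps those while streaming, so the parser remains the backstop.
function bodySizeCheck(headers, maxBytes = BODY_LIMIT_BYTES) {
  const cl = headers["content-length"];
  if (cl === undefined) return null;
  if (!/^\d+$/.test(cl)) return 400; // malformed length
  return Number(cl) > maxBytes ? 413 : null; // 413 Payload Too Large
}

// Express middleware wrapper: reject oversized bodies before express.json()
// allocates anything for them.
function rejectLargeBodies(maxBytes = BODY_LIMIT_BYTES) {
  return (req, res, next) => {
    const status = bodySizeCheck(req.headers, maxBytes);
    if (status !== null) return res.status(status).end();
    next();
  };
}

// hardened=false reproduces the vulnerable pre-1.2 setup for comparison.
function buildApp({ hardened = true, maxBytes = BODY_LIMIT_BYTES } = {}) {
  const express = require("express");
  const app = express();
  if (!hardened) {
    app.use(express.json()); // no limit: the DoS described in the advisory
    return app;
  }
  const rateLimit = require("express-rate-limit");
  app.use(rateLimit({ windowMs: 60000, max: 100 })); // slows sustained floods
  app.use(rejectLargeBodies(maxBytes)); // cheap pre-check on Content-Length
  app.use(express.json({ limit: maxBytes })); // parser enforces the same cap
  app.get("/", (req, res) => res.send("Server is running!"));
  return app;
}

module.exports = { BODY_LIMIT_BYTES, bodySizeCheck, rejectLargeBodies, buildApp };
```

A reverse proxy in front of the server (NGINX's client_max_body_size) gives the same cap one hop earlier, so the Node process never sees the oversized request at all.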
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| servify-express (npm) | < 1.2 | 1.2 |
Affected products
- Aarondoran/servify-express, range: < 1.2
Patches
197d848e5450 Merge pull request #4 from Aarondoran/Rate-limiter-security-feature
1 file changed · +10 −4
index.js+10 −4 modified@@ -1,18 +1,24 @@ const express = require("express"); +const rateLimit = require("express-rate-limit"); class StartServer { - static listen(port) { + static listen(port, options = {}) { const app = express(); - // Middleware (optional) + if (options.rateLimit) { + const limiter = rateLimit({ + windowMs: options.rateLimit.windowMs || 60000, + max: options.rateLimit.max || 100 + }); + app.use(limiter); + } + app.use(express.json()); - // Default route (optional) app.get("/", (req, res) => { res.send("Server is running!"); }); - // Start the server and log the default message app.listen(port, () => { console.log(`Server is running on port ${port}`); });
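Review bot: the hunk leaves `app.use(express.json());` unchanged, so the unbounded JSON body size that the advisory describes is still accepted after this change; the only new control is the rate limiter, and it is skipped entirely unless the caller passes `options.rateLimit`. Suggest `app.use(express.json({ limit: "100kb" }))` (or a size taken from the `options` object) so a single oversized request is rejected regardless of whether rate limiting is enabled.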
8dff7f56504b Enhance server with optional rate limiting
1 file changed · +10 −4
index.js+10 −4 modified@@ -1,18 +1,24 @@ const express = require("express"); +const rateLimit = require("express-rate-limit"); class StartServer { - static listen(port) { + static listen(port, options = {}) { const app = express(); - // Middleware (optional) + if (options.rateLimit) { + const limiter = rateLimit({ + windowMs: options.rateLimit.windowMs || 60000, + max: options.rateLimit.max || 100 + }); + app.use(limiter); + } + app.use(express.json()); - // Default route (optional) app.get("/", (req, res) => { res.send("Server is running!"); }); - // Start the server and log the default message app.listen(port, () => { console.log(`Server is running on port ${port}`); });
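Review bot: `windowMs: options.rateLimit.windowMs || 60000` and `max: options.rateLimit.max || 100` treat an explicit `0` as unset and silently fall back to the defaults, and a non-numeric value is passed straight to `rateLimit()` without validation; use `??` if `0` is meant to be configurable, or validate the values and throw on bad input. The new signature `static listen(port, options = {})` is a public API change, yet nothing in the diff documents the accepted shape (`{ rateLimit: { windowMs, max } }`) or that rate limiting is off by default.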
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qgc4-8p88-4w7m (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-67731 (advisory)
- github.com/Aarondoran/servify-express/commit/197d848e5450bf85b0dd19ef8c2aa4ba96192300 (web)
- github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61 (web)
- github.com/Aarondoran/servify-express/releases/tag/V1.2 (web)
- github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88-4w7m (advisory, confirm)