Headline

GHSA-qgc4-8p88-4w7m: Servify-express rate limit issue

Impact

The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.

Patches

This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: app.use(express.json({ limit: "100kb" }));

Workarounds

Users can mitigate the issue without upgrading by:

Adding a limit option to the JSON parser
Implementing rate limiting at the application or reverse-proxy level
Rejecting unusually large requests before parsing
Using a reverse proxy (such as NGINX) to enforce maximum request body sizes

3 hours ago

ghsa

Open in Source

#dos #nodejs #js #git #nginx

GitHub Advisory Database
GitHub Reviewed
CVE-2025-67731

Servify-express rate limit issue

High severity GitHub Reviewed Published Dec 11, 2025 in Aarondoran/servify-express • Updated Dec 11, 2025

Package

npm servify-express (npm)

Impact

The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.

Patches

This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example:
app.use(express.json({ limit: “100kb” }));

Workarounds

Users can mitigate the issue without upgrading by: