Vulnerability Description
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Servify-Express.Js | Servify Express | < 1.2 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef
- Product, Release Notes: https://github.com/Aarondoran/servify-express/releases/tag/V1.2
- Mitigation, Vendor Advisory: https://github.com/Aarondoran/servify-express/security/advisories/GHSA-qgc4-8p88
FAQ
What is CVE-2025-67731?
CVE-2025-67731 is a vulnerability with a CVSS score of 7.5 (HIGH). Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers...
How severe is CVE-2025-67731?
CVE-2025-67731 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2025-67731?
Check the references section above for vendor advisories and patch information. Affected products include: Servify-Express.Js Servify Express.