CVE-2025-67731

Description

### Impact The Express server uses `express.json()` without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. ### Patches This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: `app.use(express.json({ limit: "100kb" }));` ### Workarounds Users can mitigate the issue without upgrading by: - Adding a `limit` option to the JSON parser - Implementing rate limiting at the application or reverse-proxy level - Rejecting unusually large requests before parsing - Using a reverse proxy (such as NGINX) to enforce maximum request body sizes

How to fix CVE-2025-67731

To remediate CVE-2025-67731, upgrade the affected package to a fixed version below.

• —upgrade to 1.2 or later

Is CVE-2025-67731 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.2

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-67731
• PATCHgithub.com/Aarondoran/servify-express
• WEBgithub.com/Aarondoran/servify-express/commit/197d848e5450bf85b0dd19ef8c2aa4ba96192300
• WEBgithub.com/Aarondoran/servify-express/commit/8dff7f56504b356278d849734ef2050e5cd23b61