N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67731

CVE-2025-67731: Servify-express rate limit issue

Impact

The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.

Patches

This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: app.use(express.json({ limit: "100kb" }));

Workarounds

Users can mitigate the issue without upgrading by:

Adding a limit option to the JSON parser
Implementing rate limiting at the application or reverse-proxy level
Rejecting unusually large requests before parsing
Using a reverse proxy (such as NGINX) to enforce maximum request body sizes

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67731

CVE-2025-67731:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
servify-express	npm	<= 1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is caused by the use of express.json() without a size limit, which can lead to a Denial of Service attack. The commit 197d848e5450bf85b0dd19ef8c2aa4ba96192300 modifies the StartServer.listen function in index.js to add rate-limiting capabilities. This function is responsible for setting up the Express server. The line app.use(express.json()); within this function is the source of the vulnerability, as it lacks a limit option to restrict the size of incoming request bodies. While the patch adds a rate-limiter, it does not address the core issue of unlimited body size as recommended in the advisory's description. Therefore, StartServer.listen is identified as the vulnerable function because it contains the insecure configuration.

Vulnerable functions

StartServer.listen

index.js

The function `StartServer.listen` in `index.js` initializes an Express server and uses the `express.json()` middleware without a configured size limit. This allows an attacker to send requests with very large bodies, which can exhaust server memory and lead to a Denial of Service (DoS). The patch associated with the advisory introduces rate-limiting as a mitigation but does not fix the underlying vulnerability of an unlimited request body size, which is the primary issue described.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67731: Servify-express rate limit issue

Impact

Patches

Workarounds

CVE-2025-67731:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2025-67731: Servify-express rate limit issue

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI