
CVE-2025-67731: CWE-400: Uncontrolled Resource Consumption in Aarondoran servify-express

Severity: High
Published: Fri Dec 12 2025 (12/12/2025, 07:40:53 UTC)
Source: CVE Database V5
Vendor/Project: Aarondoran
Product: servify-express

Description

Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before parsing, or using a reverse proxy (such as NGINX) to enforce maximum request body sizes.

AI-Powered Analysis

Last updated: 12/19/2025, 08:28:27 UTC

Technical Analysis

CVE-2025-67731 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Aarondoran servify-express package, a Node.js utility designed to start an Express server and log the port. Versions prior to 1.2 use express.json() middleware without specifying a maximum request body size, allowing attackers to send arbitrarily large JSON payloads. Since express.json() parses incoming JSON requests into memory, excessively large payloads can exhaust server memory and CPU resources, causing degraded performance or crashes, effectively resulting in a Denial of Service (DoS). This vulnerability is not due to a bug in Express itself but stems from the default configuration of the servify-express package. Any application exposing servify-express servers to untrusted clients without limiting JSON body sizes is vulnerable. The vulnerability has a CVSS 4.0 score of 8.7 (high severity), indicating it is remotely exploitable without authentication or user interaction and can cause significant availability impact. No known exploits are reported in the wild yet. The issue is resolved in servify-express version 1.2 by adding appropriate size limits. Mitigation strategies include configuring express.json() with a 'limit' option to restrict JSON body size, implementing application-level or reverse proxy rate limiting, rejecting large requests before JSON parsing, and deploying reverse proxies such as NGINX to enforce maximum request body sizes.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the availability of web services built using servify-express versions prior to 1.2. An attacker can trigger a Denial of Service by sending oversized JSON payloads, potentially causing server crashes or severe performance degradation. This can disrupt business operations, degrade customer experience, and lead to financial losses, especially for organizations relying on Node.js-based web applications for critical services. Industries such as finance, e-commerce, healthcare, and public services in Europe that deploy servify-express without proper configuration are particularly at risk. Additionally, prolonged downtime or service interruptions could impact regulatory compliance, especially under GDPR and other data protection laws requiring service availability and integrity. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of opportunistic attacks, making it a pressing concern for European enterprises with internet-facing Node.js applications.

Mitigation Recommendations

European organizations should immediately upgrade servify-express to version 1.2 or later to apply the official fix. If upgrading is not immediately feasible, they should configure the express.json() middleware with a strict 'limit' parameter to cap the maximum JSON request body size (e.g., '100kb' or less depending on application needs). Implement application-level rate limiting to restrict the number of requests per client IP to prevent flooding. Deploy reverse proxies such as NGINX or HAProxy in front of the Node.js application to enforce maximum request body sizes and filter out oversized requests before they reach the application. Additionally, monitor server resource usage and logs for unusual spikes in request sizes or memory consumption. Conduct regular security audits of Node.js middleware configurations to ensure no unbounded parsers are exposed to untrusted clients. Finally, educate development teams on secure middleware configuration and the risks of default settings that may lead to resource exhaustion.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-10T20:04:28.290Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 693bcae15f3fdafda43757dc

Added to database: 12/12/2025, 7:57:21 AM

Last enriched: 12/19/2025, 8:28:27 AM

Last updated: 2/7/2026, 12:25:12 PM

