Asymmetric denial of service In servify-express
Description
Servify-express rate limit issue
Impact
The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.
Patches
This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example:
app.use(express.json({ limit: "100kb" }));
Workarounds
Users can mitigate the issue without upgrading by:
Adding a limit option to the JSON parser
Implementing rate limiting at the application or reverse-proxy level
Rejecting unusually large requests before parsing
Using a reverse proxy (such as NGINX) to enforce maximum request body sizes
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 1.2 |
Aliases
References