What is the severity of CVE-2025-67731?

CVE-2025-67731 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-67731?

No known public exploits are currently available for CVE-2025-67731.

Is there a patch available for CVE-2025-67731?

Yes, patches are available for CVE-2025-67731. Check the vendor advisories for update instructions.

CVE-2025-67731 - CVE Details, Severity, and Analysis

Q: What is CVE-2025-67731?

### Impact The Express server uses `express.json()` without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. ### Patches This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: `app.use(express.json({ limit: "100kb" }));` ### Workarounds Users can mitigate the issue without upgrading by: - Adding a `limit` option to the JSON parser - Implementing rate limiting at the application or reverse-proxy level - Rejecting unusually large requests before parsing - Using a reverse proxy (such as NGINX) to enforce maximum request body sizes

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.

Patches

This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example: app.use(express.json({ limit: "100kb" }));

Workarounds

Users can mitigate the issue without upgrading by:

Adding a limit option to the JSON parser
Implementing rate limiting at the application or reverse-proxy level
Rejecting unusually large requests before parsing
Using a reverse proxy (such as NGINX) to enforce maximum request body sizes

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com Github.com