Impact
The Express server uses express.json() without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.
Patches
This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example:
app.use(express.json({ limit: "100kb" }));
Workarounds
Users can mitigate the issue without upgrading by:
- Adding a
limit option to the JSON parser
- Implementing rate limiting at the application or reverse-proxy level
- Rejecting unusually large requests before parsing
- Using a reverse proxy (such as NGINX) to enforce maximum request body sizes
References
- Express documentation for body-parsing configuration
- CWE-400: Uncontrolled Resource Consumption
Impact
The Express server uses
express.json()without a size limit, which can allow attackers to send extremely large request bodies. This may lead to excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected.Patches
This issue is not a flaw in Express itself but in configuration. Users should set a request-size limit when enabling the JSON body parser. For example:
app.use(express.json({ limit: "100kb" }));Workarounds
Users can mitigate the issue without upgrading by:
limitoption to the JSON parserReferences