HIGH: No explicit JSON body size limit on express.json() - default 100KB #74

Closed
opened 2026-05-31 12:03:21 -05:00 by null · 1 comment
Bug Description

server.js:32 uses app.use(express.json()) without an explicit limit option, defaulting to Express's 100KB body size limit. While import routes override this (2MB, 10MB), all other routes are capped at 100KB.

This could cause cryptic 413 Payload Too Large errors for legitimate admin operations with extensive data, or any future endpoint that accepts larger payloads.

Affected Files

  • server.js:32

Impact

Unexpected 413 errors on legitimate large payloads with unclear error messages.

Recommended Fix

Set an explicit limit: app.use(express.json({ limit: '1mb' })) or similar, matching the application's expected payload sizes.
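
As an added example (not code from the BillTracker project): the explicit-limit configuration the issue asks for, with the route-specific import limits mounted ahead of the global parser, plus an error handler that turns body-parser's oversized-body error into a clear 413 response. It assumes Express 4/5 with its bundled body-parser; the route paths and the 1mb default are illustrative, while the 2MB/10MB import limits are the ones the issue mentions.

```javascript
// Added example for this issue, not code from the BillTracker project.
// Assumptions: Express 4/5 with its bundled body-parser, whose oversized-body error
// carries { type: 'entity.too.large', status: 413, limit, length }; the route paths
// and the 1mb default are illustrative, the 2MB/10MB import limits come from the issue.

const UNIT = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 };

// Parse a limit the way express.json({ limit }) accepts it: a byte count or '100kb', '1mb', ...
function parseLimit(limit) {
  if (typeof limit === 'number') return limit;
  const m = /^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$/i.exec(String(limit).trim());
  if (!m) throw new TypeError(`invalid body limit: ${limit}`);
  return Math.floor(parseFloat(m[1]) * UNIT[(m[2] || 'b').toLowerCase()]);
}

// Explicit per-route limits: a deliberate global default, larger only where a route needs it.
const LIMITS = { default: '1mb', '/api/import/csv': '2mb', '/api/import/bulk': '10mb' };

// Would a JSON body of `length` bytes be rejected on this path? (What the parser will do.)
function exceedsLimit(path, length) {
  return length > parseLimit(LIMITS[path] || LIMITS.default);
}

// Replace the opaque default 413 page with a JSON error that names the limit and the route.
function bodyLimitErrorHandler(err, req, res, next) {
  if (err && err.type === 'entity.too.large') {
    return res.status(413).json({
      error: 'payload_too_large',
      message: `body of ${err.length ?? 'unknown'} bytes exceeds the ${err.limit}-byte limit for ${req.path}`,
    });
  }
  return next(err); // not ours: let Express's default handler deal with it
}

// Wiring. Route-specific parsers must be mounted BEFORE the global one: body-parser skips
// a request whose body was already parsed, so a 100kb global parser mounted first would
// reject large import bodies before the 2mb/10mb parsers ever see them.
function buildApp(express) {
  const app = express();
  app.use('/api/import/csv', express.json({ limit: LIMITS['/api/import/csv'] }));
  app.use('/api/import/bulk', express.json({ limit: LIMITS['/api/import/bulk'] }));
  app.use(express.json({ limit: LIMITS.default })); // was: app.use(express.json()) -> 100kb
  app.post('/api/bills', (req, res) => res.json({ fields: Object.keys(req.body).length }));
  app.use(bodyLimitErrorHandler); // error middleware goes last
  return app;
}
```

Call buildApp(require('express')).listen(...) to run it; parseLimit, exceedsLimit and the error handler work without Express installed.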

null added the priority:high, backend, bug labels 2026-05-31 12:03:21 -05:00
closed v0.34.2.1
null closed this issue 2026-05-31 13:23:15 -05:00
Reference: null/BillTracker#74