body-parser vulnerable to denial of service when url encoding is...

5.5 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y

Description

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
This issue is addressed in version 2.2.1.

Basic Information

ID CVE-2025-13466

Source openjs

Published Nov 24, 2025 at 18:29

Modified Nov 24, 2025 at 18:57

Affected Product

Vendor body-parser

Product body-parser

Version 2.2.0

Affected Versions body-parser body-parser 2.2.0

CWE Classification

CWE-400

References

github.com /expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4

{
    "lastseen": "",
    "description": "body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.\nThis issue is addressed in version 2.2.1.",
    "published": "2025-11-24T18:29:36.725Z",
    "modified": "2025-11-24T18:57:00.939Z",
    "type": "cve",
    "title": "body-parser vulnerable to denial of service when url encoding is used",
    "source": "openjs",
    "references": "https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4",
    "id": "CVE-2025-13466",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "body-parser body-parser 2.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.5,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "body-parser",
    "version": "2.2.0",
    "vendor": "body-parser",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

body-parser vulnerable to denial of service when url encoding is used_CVE-2025-13466