
Description

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies that contain very large numbers of parameters. An attacker can send payloads containing thousands of parameters while staying within the default 100KB request body size limit, so the size limit alone does not block the request; parsing such bodies causes elevated CPU and memory usage. Under sustained malicious traffic this can lead to service slowdown or partial outages. This issue is addressed in version 2.2.1.
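To make the distinction between the two limits concrete, the following is an added illustration, not body-parser's code and not the 2.2.1 fix. It shows a single-pass parameter count that runs before any decoding work and stops early once a configured `parameterLimit` is exceeded, alongside a byte-size check. The defaults used here (100KB body limit, 1000 parameters) mirror body-parser's documented `limit` and `parameterLimit` option defaults for `urlencoded`, which is an assumption you should check against the version you run. The flood payload is constructed inline to show that a body well under 100KB can still carry thousands of parameters.

```javascript
// Added example (not body-parser's implementation). Demonstrates why a
// body-size limit alone does not stop a parameter-flood payload, and how a
// cheap pre-parse parameter count rejects it before decoding.

// Count '&'-delimited parameters in a raw application/x-www-form-urlencoded
// body. Returns early as soon as the count exceeds maxParams, so the cost of
// an oversized body is bounded by the limit, not by the body length.
function countParameters(body, maxParams) {
  if (body.length === 0) return 0;
  let count = 1;
  for (let i = 0; i < body.length; i++) {
    if (body.charCodeAt(i) === 0x26 /* '&' */) {
      count++;
      if (count > maxParams) return count;
    }
  }
  return count;
}

// Parse a urlencoded body with both checks applied in the order a defensive
// parser should apply them: byte size first, parameter count second, and
// only then the (comparatively expensive) decoding step.
function parseUrlEncoded(body, opts = {}) {
  const limit = opts.limit ?? 100 * 1024;          // assumed default: 100KB
  const parameterLimit = opts.parameterLimit ?? 1000; // assumed default: 1000

  if (Buffer.byteLength(body, 'utf8') > limit) {
    return { ok: false, status: 413, error: 'request entity too large' };
  }
  if (countParameters(body, parameterLimit) > parameterLimit) {
    return { ok: false, status: 413, error: 'too many parameters' };
  }

  // Decode only after both guards pass. Repeated keys are folded into arrays,
  // as the non-extended (querystring-style) parser does.
  const result = Object.create(null);
  for (const [key, value] of new URLSearchParams(body)) {
    if (result[key] === undefined) result[key] = value;
    else if (Array.isArray(result[key])) result[key].push(value);
    else result[key] = [result[key], value];
  }
  return { ok: true, params: result };
}

// Constructed sample: n tiny parameters "p0=1&p1=1&...". For n = 5000 this is
// roughly 40KB, comfortably inside a 100KB size limit.
function buildFloodBody(n) {
  const parts = new Array(n);
  for (let i = 0; i < n; i++) parts[i] = `p${i}=1`;
  return parts.join('&');
}

const flood = buildFloodBody(5000);
console.log('flood body bytes:', Buffer.byteLength(flood));      // under 100KB
console.log('size check only:', Buffer.byteLength(flood) > 100 * 1024 ? 'rejected' : 'accepted');
console.log('with parameterLimit:', parseUrlEncoded(flood).error); // too many parameters
console.log('normal form:', parseUrlEncoded('user=alice&role=viewer').params);
```

In an Express application the equivalent configuration is the options object passed to `bodyParser.urlencoded()`, for example `{ extended: false, limit: '100kb', parameterLimit: 1000 }`; the options themselves are not the fix for this issue, so upgrading to 2.2.1 is still the required remediation, and explicit limits are the belt to that suspenders.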

Status: PUBLISHED
Reserved: 2025-11-20 | Published: 2025-11-24 | Updated: 2025-11-24 | Assigner: openjs

Severity: MEDIUM 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Default status
unaffected

2.2.0 (semver)
affected

Credits

Phillip Barta finder

Sebastian Beltran remediation reviewer

Ulises Gascón remediation reviewer

Chris de Almeida remediation reviewer

Jean Burellier remediation reviewer

References

github.com/...parser/security/advisories/GHSA-wqch-xfxh-vrr4 vendor-advisory

cve.org (CVE-2025-13466)

nvd.nist.gov (CVE-2025-13466)
