[Pkg-javascript-devel] Bug#1121417: Bug#1121417: node-body-parser: CVE-2025-13466
Xavier
xavier.guimard at gmail.com
Sat Nov 29 16:20:03 GMT 2025
Le 26/11/2025 à 08:40, Salvatore Bonaccorso a écrit :
> Source: node-body-parser
> Version: 2.2.0+~1.19.6-3
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-body-parser.
>
> CVE-2025-13466[0]:
> | body-parser 2.2.0 is vulnerable to denial of service due to
> | inefficient handling of URL-encoded bodies with very large numbers
> | of parameters. An attacker can send payloads containing thousands of
> | parameters within the default 100KB request size limit, causing
> | elevated CPU and memory usage. This can lead to service slowdown or
> | partial outages under sustained malicious traffic. This issue is
> | addressed in version 2.2.1.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-13466
> https://www.cve.org/CVERecord?id=CVE-2025-13466
> [1] https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
> [2] https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63
>
> Please adjust the affected versions in the BTS as needed.
Hi,
it looks that this affects only version 2.2.0. Looking at version
1.20.3, patch looks already applied.
Vulnerability looks introduced by commit
https://github.com/expressjs/body-parser/commit/f27f2ced
Best regards,
Xavier
More information about the Pkg-javascript-devel
mailing list