CVE-2025-13466

Name: CVE-2025-13466
Description: body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release      Version             Status
node-body-parser (PTS)   bullseye     1.19.0-2            vulnerable
                         bookworm     1.20.1+~1.19.2-1    vulnerable
                         trixie       1.20.3+~1.19.5-3    vulnerable
                         forky, sid   2.2.0+~1.19.6-3     vulnerable

The information below is based on the following data on fixed versions.

Package            Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
node-body-parser   source   (unstable)   (unfixed)

Notes

[trixie] - node-body-parser <no-dsa> (Minor issue)
[bookworm] - node-body-parser <no-dsa> (Minor issue)
https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
Fixed by: https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63 (v2.2.1)
