Source: node-body-parser
Version: 2.2.0+~1.19.6-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-body-parser.

CVE-2025-13466[0]:
| body-parser 2.2.0 is vulnerable to denial of service due to
| inefficient handling of URL-encoded bodies with very large numbers
| of parameters. An attacker can send payloads containing thousands of
| parameters within the default 100KB request size limit, causing
| elevated CPU and memory usage. This can lead to service slowdown or
| partial outages under sustained malicious traffic. This issue is
| addressed in version 2.2.1.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13466
    https://www.cve.org/CVERecord?id=CVE-2025-13466
[1] https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
[2] https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
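The payload shape described in the advisory (thousands of tiny key=value pairs that still fit in the 100KB default body limit) and the kind of cheap pre-check that bounds its cost, as an added illustration that is not part of the bug report and not body-parser's or the upstream fix's code. It assumes body-parser's documented defaults of `limit: '100kb'` and `parameterLimit: 1000`; the guard below is a hypothetical defence-in-depth check that a service could run in front of any urlencoded parser, and the flood payload is constructed here for the demo. It does not reproduce the inefficiency in 2.2.0 itself; upgrading to 2.2.1 remains the fix.

```javascript
'use strict';

// Defaults as documented for body-parser (assumption: the deployed version uses them).
const DEFAULT_BODY_LIMIT_BYTES = 100 * 1024; // limit: '100kb'
const DEFAULT_PARAMETER_LIMIT = 1000;        // parameterLimit: 1000

// Count '&'-separated pairs in a raw urlencoded body with one linear scan and
// no per-parameter allocation. Returns -1 as soon as the count passes `limit`,
// so a hostile body costs at most one pass over its bytes before rejection.
// A leading or trailing '&' is counted as an (empty) pair, which only makes
// the check more conservative.
function countParameters(body, limit) {
  if (body.length === 0) return 0;
  let count = 1;
  let idx = body.indexOf('&');
  while (idx !== -1) {
    count += 1;
    if (count > limit) return -1;
    idx = body.indexOf('&', idx + 1);
  }
  return count;
}

// Gate a body before decoding it. Order matters: byte-size check first,
// then the cheap parameter count, and only then the comparatively expensive
// percent-decoding. Returns { ok, status, params } or { ok, status, reason }.
function parseUrlencoded(body, opts = {}) {
  const bodyLimit = opts.limit ?? DEFAULT_BODY_LIMIT_BYTES;
  const paramLimit = opts.parameterLimit ?? DEFAULT_PARAMETER_LIMIT;

  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > bodyLimit) {
    return { ok: false, status: 413, reason: `body of ${bytes} bytes exceeds ${bodyLimit}` };
  }
  if (countParameters(body, paramLimit) === -1) {
    return { ok: false, status: 413, reason: `more than ${paramLimit} parameters` };
  }

  const params = new Map();
  for (const [key, value] of new URLSearchParams(body)) {
    // Keep the first occurrence only: duplicate keys both inflate parser work
    // and invite parameter-pollution confusion downstream.
    if (!params.has(key)) params.set(key, value);
  }
  return { ok: true, status: 200, params };
}

// Constructed attack-style input: `n` pairs of the form "p<i>=1". For
// n = 10000 this is 78,889 bytes, well under the 100KB body limit, yet ten
// times the default parameter limit.
function buildFloodPayload(n) {
  const parts = new Array(n);
  for (let i = 0; i < n; i++) parts[i] = `p${i}=1`;
  return parts.join('&');
}

// Demo (hypothetical inputs): the flood is rejected by count, not by size.
const flood = buildFloodPayload(10000);
console.log('flood bytes:', Buffer.byteLength(flood), '->', parseUrlencoded(flood));
console.log('normal form ->', parseUrlencoded('user=alice&remember=1'));
```

Running it with `node` prints a 413 for the flood even though its byte count passes the size check, and a parsed map for a normal login form. In production the same guard belongs in a middleware that reads the raw body with the size limit enforced during streaming, so that the count never sees more than `limit` bytes.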

