CVE-2025-13466 — Uncontrolled Resource Consumption in Node-body-parser

CWE-400 — Uncontrolled Resource Consumption6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 87.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Node-body-parser Body-parser

Timeline

PublishedNov 24

Latest updateNov 25

Description

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Affected Packages3 packages

▶debiandebian/node-body-parser< node-body-parser 2.2.1+~1.19.6-1 (forky)

▶npmbody-parser/body-parser2.2.0 — 2.2.1

▶CVEListV5body-parser/body-parser2.2.0

🔴Vulnerability Details

OSV

body-parser is vulnerable to denial of service when url encoding is used↗2025-11-25

▶

GHSA

body-parser is vulnerable to denial of service when url encoding is used↗2025-11-25

▶

OSV

CVE-2025-13466: body-parser 2↗2025-11-24

▶

📋Vendor Advisories

Red Hat

body-parser: body-parser denial of service↗2025-11-24

▶

Debian

CVE-2025-13466: node-body-parser - body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling...↗2025

▶