CVE-2025-13466

Severity CVSS v4.0:

MEDIUM

Type:

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

Publication date:

24/11/2025

Last modified:

25/11/2025

Description

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.<br /> This issue is addressed in version 2.2.1.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y CVSS v4.0 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): Low
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): Low
Automatable (AU): Yes
Exploit Maturity (E): POC

Base Score 4.0

5.50

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4