Le 26/11/2025 à 08:40, Salvatore Bonaccorso a écrit :
Source: node-body-parser
Version: 2.2.0+~1.19.6-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-body-parser.
CVE-2025-13466[0]:
| body-parser 2.2.0 is vulnerable to denial of service due to
| inefficient handling of URL-encoded bodies with very large numbers
| of parameters. An attacker can send payloads containing thousands of
| parameters within the default 100KB request size limit, causing
| elevated CPU and memory usage. This can lead to service slowdown or
| partial outages under sustained malicious traffic. This issue is
| addressed in version 2.2.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-13466
https://www.cve.org/CVERecord?id=CVE-2025-13466
[1]
https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
[2]
https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63
Please adjust the affected versions in the BTS as needed.
Hi,
it looks that this affects only version 2.2.0. Looking at version
1.20.3, patch looks already applied.
Vulnerability looks introduced by commit
https://github.com/expressjs/body-parser/commit/f27f2ced
Best regards,
Xavier
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
