Hi Xavier,

On Sat, Nov 29, 2025 at 05:20:03PM +0100, Xavier wrote:
> On 26/11/2025 at 08:40, Salvatore Bonaccorso wrote:
> > Source: node-body-parser
> > Version: 2.2.0+~1.19.6-3
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for node-body-parser.
> >
> > CVE-2025-13466[0]:
> > | body-parser 2.2.0 is vulnerable to denial of service due to
> > | inefficient handling of URL-encoded bodies with very large numbers
> > | of parameters. An attacker can send payloads containing thousands of
> > | parameters within the default 100KB request size limit, causing
> > | elevated CPU and memory usage. This can lead to service slowdown or
> > | partial outages under sustained malicious traffic. This issue is
> > | addressed in version 2.2.1.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-13466
> >     https://www.cve.org/CVERecord?id=CVE-2025-13466
> > [1] https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
> > [2] https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> It looks like this affects only version 2.2.0. Looking at version 1.20.3,
> the patch looks already applied.
>
> The vulnerability looks to have been introduced by commit
> https://github.com/expressjs/body-parser/commit/f27f2ced

Looks indeed right, I have just updated the tracking information on the
security-tracker side.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
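As an added example (not body-parser's own code and not the upstream fix), the following is a minimal URL-encoded body parser that enforces a parameter-count cap with one linear scan before decoding anything, the class of check the advisory above describes as missing in 2.2.0. The byte limit, the parameter limit, the function names and the sample bodies are assumptions constructed for this illustration.

```javascript
// Added example, not body-parser's code. Limits are assumed values.
const DEFAULT_LIMIT_BYTES = 100 * 1024; // request size limit quoted in the advisory
const DEFAULT_PARAMETER_LIMIT = 1000;   // assumed cap on the number of parameters

// Count top-level "key=value" pairs by scanning for '&' only. Nothing is
// split or decoded, so the cost is one linear pass regardless of how
// many parameters the body contains.
function countParameters(body) {
  let count = 1;
  for (let i = 0; i < body.length; i++) {
    if (body.charCodeAt(i) === 0x26) count++; // '&'
  }
  return count;
}

// Parse a URL-encoded body, rejecting it before any per-parameter work
// when it exceeds the byte limit or the parameter limit.
function parseUrlEncoded(body, opts = {}) {
  const limit = opts.limit ?? DEFAULT_LIMIT_BYTES;
  const parameterLimit = opts.parameterLimit ?? DEFAULT_PARAMETER_LIMIT;
  if (Buffer.byteLength(body, 'utf8') > limit) {
    return { ok: false, status: 413, reason: 'request entity too large' };
  }
  if (countParameters(body) > parameterLimit) {
    return { ok: false, status: 413, reason: 'too many parameters' };
  }
  const params = Object.create(null); // no prototype, so "__proto__" is a plain key
  try {
    for (const pair of body.split('&')) {
      if (pair === '') continue;
      const eq = pair.indexOf('=');
      const rawKey = eq === -1 ? pair : pair.slice(0, eq);
      const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
      // '+' means space in application/x-www-form-urlencoded; last value wins.
      params[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
        decodeURIComponent(rawVal.replace(/\+/g, ' '));
    }
  } catch (e) {
    return { ok: false, status: 400, reason: 'malformed percent-encoding' };
  }
  return { ok: true, params };
}

// Constructed sample inputs: a normal form body, and a body carrying
// thousands of parameters that still fits well inside the 100 KB limit.
const SMALL_BODY = 'user=alice&role=reader&note=hello+world';
const FLOOD_BODY = Array.from({ length: 5000 }, (_, i) => `p${i}=1`).join('&');
```

The flood body is roughly 44 KB, so a byte limit alone would admit it; only the parameter-count check rejects it.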
