Your message dated Sat, 29 Nov 2025 17:12:53 +0000
with message-id <[email protected]>
and subject line Bug#1121417: fixed in node-body-parser 2.2.1+~1.19.6-1
has caused the Debian Bug report #1121417,
regarding node-body-parser: CVE-2025-13466
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1121417: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1121417
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-body-parser
Version: 2.2.0+~1.19.6-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-body-parser.

CVE-2025-13466[0]:
| body-parser 2.2.0 is vulnerable to denial of service due to
| inefficient handling of URL-encoded bodies with very large numbers
| of parameters. An attacker can send payloads containing thousands of
| parameters within the default 100KB request size limit, causing
| elevated CPU and memory usage. This can lead to service slowdown or
| partial outages under sustained malicious traffic. This issue is
| addressed in version 2.2.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-13466
    https://www.cve.org/CVERecord?id=CVE-2025-13466
[1] https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
[2] https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-body-parser
Source-Version: 2.2.1+~1.19.6-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-body-parser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-body-parser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 29 Nov 2025 16:45:29 +0100
Source: node-body-parser
Architecture: source
Version: 2.2.1+~1.19.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1121417
Changes:
 node-body-parser (2.2.1+~1.19.6-1) unstable; urgency=medium
 .
   * Team upload
   * Drop "Rules-Requires-Root: no"
   * New upstream version 2.2.1+~1.19.6 (Closes: #1121417, CVE-2025-1346)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
