Overview
CVE-2025-13466 describes a denial of service (DoS) vulnerability affecting body-parser version 2.2.0. This vulnerability arises from the inefficient handling of URL-encoded bodies containing a very large number of parameters. An attacker can exploit this by sending payloads with thousands of parameters within the default request size limit, leading to elevated CPU and memory usage. This can result in service slowdown or even partial outages under sustained malicious traffic.
The vulnerability has been addressed in body-parser version 2.2.1.
Published: 2025-11-24T19:15:46.857
Technical Details
The body-parser library is a popular middleware for Node.js Express applications used to parse incoming request bodies. In version 2.2.0, the parsing logic for URL-encoded data is inefficient when a request contains an extremely high number of parameters. Specifically, the library's algorithm for processing these parameters becomes computationally expensive, leading to significant CPU and memory consumption. The attacker does not need to bypass any request size limitation to trigger the vulnerability; they only need to stay within the default 100KB body limit while packing the request with a very large number of URL-encoded parameters.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score is currently N/A. While the CVSS score is not yet available, the potential for denial of service indicates that this is a significant issue that should be addressed promptly. The lack of a specific CVSS score should not diminish the importance of applying the mitigation.
Possible Impact
A successful exploit of CVE-2025-13466 can result in:
- Service Slowdown: Increased CPU and memory usage can degrade the performance of the affected application, leading to slower response times for legitimate users.
- Partial Outages: Under sustained malicious traffic, the server may become overloaded and unable to handle incoming requests, resulting in a partial or complete outage.
- Resource Exhaustion: Prolonged attacks can exhaust server resources, potentially impacting other applications or services running on the same infrastructure.
Mitigation and Patch Steps
The recommended mitigation for CVE-2025-13466 is to upgrade body-parser to version 2.2.1 or later. This version contains a fix that addresses the inefficient parameter handling. You can update the library using npm or yarn:
npm install body-parser@latest
yarn add body-parser@latest
After updating the package, redeploy your application so the fix is actually in effect. Additionally, consider rate limiting and request validation (for example, bounding the number of parameters a form body may carry) as preventative measures against similar attacks in the future.
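As an added illustration of the "request validation" defence (example code, not body-parser's own), the guard below counts parameters in a raw URL-encoded body in a single linear pass and rejects bodies that exceed a byte or parameter budget before any parser touches them. The limits, the `req.rawBody` field and the Express-style middleware wiring are assumptions for this example; body-parser's own `urlencoded()` also accepts `limit` and `parameterLimit` options that serve the same purpose.

```javascript
// Added example, not part of body-parser. Assumed budget: 100 KB and 1000
// parameters (adjust to your own policy).
const DEFAULT_LIMITS = { maxBytes: 100 * 1024, maxParams: 1000 };

// Count '&'-separated non-empty segments in one O(n) pass with no allocation,
// so the check itself cannot become the expensive step.
function countParams(body) {
  let count = 0;
  let segmentStart = 0;
  for (let i = 0; i <= body.length; i++) {
    if (i === body.length || body[i] === '&') {
      if (i > segmentStart) count++;
      segmentStart = i + 1;
    }
  }
  return count;
}

// Returns { ok: true, bytes, params } or { ok: false, status, reason }.
function checkUrlEncodedBody(body, limits = DEFAULT_LIMITS) {
  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > limits.maxBytes) {
    return { ok: false, status: 413, reason: `body of ${bytes} bytes exceeds ${limits.maxBytes}` };
  }
  const params = countParams(body);
  if (params > limits.maxParams) {
    return { ok: false, status: 413, reason: `${params} parameters exceed ${limits.maxParams}` };
  }
  return { ok: true, bytes, params };
}

// Hypothetical Express middleware: mount before bodyParser.urlencoded().
// Assumes an earlier middleware buffered the raw body into req.rawBody.
function urlEncodedGuard(limits = DEFAULT_LIMITS) {
  return function (req, res, next) {
    const type = req.headers['content-type'] || '';
    if (!type.startsWith('application/x-www-form-urlencoded')) return next();
    const verdict = checkUrlEncodedBody(req.rawBody || '', limits);
    if (!verdict.ok) {
      console.warn(`rejected form body from ${req.ip}: ${verdict.reason}`); // log for detection
      return res.status(verdict.status).send('Payload Too Large');
    }
    return next();
  };
}

// Constructed samples: 5000 tiny parameters fit comfortably under 100 KB
// yet blow through the parameter budget; a normal login form passes.
const abusive = Array.from({ length: 5000 }, (_, i) => `p${i}=1`).join('&');
const benign = 'user=alice&action=login';
```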
