Medium severityGHSA Advisory· Published Nov 24, 2025· Updated Apr 15, 2026
CVE-2025-13466
CVE-2025-13466
Description
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
body-parsernpm | >= 2.2.0, < 2.2.1 | 2.2.1 |
Affected products
1- Range: >= 2.2.0, < 2.2.1
Patches
1b204886a6744sec: security patch for CVE-2025-13466
1 file changed · +9 −4
lib/types/urlencoded.js+9 −4 modified@@ -127,11 +127,16 @@ function createQueryParser (options) { * * @param {string} body * @param {number} limit + * @return {number|undefined} Returns undefined if limit exceeded * @api private */ - function parameterCount (body, limit) { - var len = body.split('&').length - - return len > limit ? undefined : len - 1 + let count = 0 + let index = -1 + do { + count++ + if (count > limit) return undefined // Early exit if limit exceeded + index = body.indexOf('&', index + 1) + } while (index !== -1) + return count }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-wqch-xfxh-vrr4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-13466ghsaADVISORY
- github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63ghsaWEB
- github.com/expressjs/body-parser/releases/tag/v2.2.1ghsaWEB
- github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4nvdWEB
News mentions
0No linked articles in our index yet.