CVE-2025-13466 MEDIUM

CVE-2025-13466: body-parser vulnerable to denial of service when url encoding is used

Vendor Body-Parser
Product body-parser
Weakness CWE-400
Published November 24, 2025
Last update November 24, 2025

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y

What the vulnerability does

01Description

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.

Key dates

02Disclosure timeline

November 24, 2025 CVE published
November 24, 2025 Record updated