PT-2026-56769 · Npm · Body-Parser

Bjohansebas

+2

·

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-12590

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions body-parser versions prior to 1.20.6 body-parser versions prior to 2.3.0
Description When the parser is configured with an invalid limit option value, such as an unparseable string or NaN (Not-a-Number), the request body size check is silently skipped. This occurs because the internal parsing mechanism returns null, causing applications that rely on the limit parameter as their primary safeguard to accept arbitrarily large payloads. This can lead to excessive memory and CPU consumption, resulting in a denial of service.
Recommendations Update body-parser to version 1.20.6 or later. Update body-parser to version 2.3.0 or later. Validate the limit value before passing it to the parser by ensuring the value is not null or a non-finite number at startup.

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12590

Affected Products

Body-Parser