PT-2026-56769 · Npm · Body-Parser
Bjohansebas
+2
·
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-12590
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
body-parser versions prior to 1.20.6
body-parser versions prior to 2.3.0
Description
When the parser is configured with an invalid
limit option value, such as an unparseable string or NaN (Not-a-Number), the request body size check is silently skipped. This occurs because the internal parsing mechanism returns null, causing applications that rely on the limit parameter as their primary safeguard to accept arbitrarily large payloads. This can lead to excessive memory and CPU consumption, resulting in a denial of service.Recommendations
Update body-parser to version 1.20.6 or later.
Update body-parser to version 2.3.0 or later.
Validate the
limit value before passing it to the parser by ensuring the value is not null or a non-finite number at startup.Fix
DoS
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Body-Parser