VDB
CVE-2025-13466
PUBLISHED
CVSS 5.5 MEDIUM
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies that contain very large numbers of parameters. An attacker can send payloads with thousands of parameters while staying within the default 100 kB request body size limit, causing elevated CPU and memory usage; under sustained malicious traffic this leads to service slowdown or partial outages. The issue is fixed in version 2.2.1.
EPSS 0.03% · 10.7th percentile
Risk Scores
CVSS 4.0
5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y
EPSS Score
0.03%
10.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| body-parser | body-parser | 2.2.0 |
| npm | body-parser | 2.2.0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-13466 (circl-sighting)
- https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 (circl)
Timeline
- Nov 20, 2025 CVE ID Reserved
- Nov 24, 2025 Coalition ESS Score
- Nov 24, 2025 CVE Published
- Nov 24, 2025 PoC Published
- Nov 24, 2025 PoC Published
- Nov 24, 2025 CVE Updated
- Nov 25, 2025 EPSS Score
- Nov 30, 2025 EPSS Score
- Dec 1, 2025 Coalition ESS Score
- Dec 4, 2025 EPSS Score
- Dec 9, 2025 EPSS Score
- Dec 14, 2025 EPSS Score
References
- https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2025-13466 advisory
- https://github.com/expressjs/body-parser/commit/b204886a6744b0b6d297cd0e849d75de836f3b63 url
- https://github.com/expressjs/body-parser package
- https://github.com/expressjs/body-parser/releases/tag/v2.2.1 url