CVE-2025-13466

CVE-2025-13466 PUBLISHED CVSS 5.5 MEDIUM

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.

Risk Scores

CVSS 4.0: 5.5
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P/AU:Y
EPSS Score: 0.03% (10.7th percentile)

Affected Products

Vendor        Product       Versions
body-parser   body-parser   2.2.0
npm           body-parser   2.2.0

Timeline

  • Nov 20, 2025 CVE ID Reserved
  • Nov 24, 2025 Coalition ESS Score
  • Nov 24, 2025 CVE Published
  • Nov 24, 2025 PoC Published
  • Nov 24, 2025 PoC Published
  • Nov 24, 2025 CVE Updated
  • Nov 25, 2025 EPSS Score
  • Nov 30, 2025 EPSS Score
  • Dec 1, 2025 Coalition ESS Score
  • Dec 4, 2025 EPSS Score
  • Dec 9, 2025 EPSS Score
  • Dec 14, 2025 EPSS Score