CVE-2025-13466
📋 TL;DR
CVE-2025-13466 is a denial-of-service vulnerability in body-parser 2.2.0, the Node.js request-body middleware: inefficient handling of URL-encoded bodies that carry many parameters lets an attacker drive CPU and memory usage high with requests that stay inside the default 100kb body size limit. Any Node.js application that parses URL-encoded request bodies with the vulnerable middleware is affected. Sustained attack traffic degrades the service or takes parts of it down.
💻 Affected Systems
- body-parser 2.2.0 (Node.js middleware; fixed in 2.2.1)
⚠️ Manual Verification Required
The CVE record in our database carries no machine-readable affected-version range, so automated vulnerability detection cannot decide whether your system is affected.
Why? Scanners match installed versions against the version ranges in the CVE record, and this record has none. The vendor advisory linked below does name 2.2.0 as affected and 2.2.1 as the fix, so the manual check is a version comparison.
- Review the CVE details at NVD
- Check the vendor advisory (GHSA-wqch-xfxh-vrr4) against every copy of body-parser in your dependency tree, including copies pulled in transitively by a framework such as Express 5
- Test whether the vulnerable parser is reachable in your environment (any route that accepts application/x-www-form-urlencoded bodies)
- Update to 2.2.1 or later as a precaution even if the check is inconclusive
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting all users of the vulnerable application.
Likely Case
Service slowdowns and degraded performance during attack periods, impacting user experience and application responsiveness.
If Mitigated
Minimal impact once body-parser 2.2.1 is deployed; until then, rate limiting and a parameter ceiling below the default reduce the work an attacker can force per request.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with many URL-encoded parameters, which is trivial to automate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.1
Vendor Advisory: https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4
Restart Required: Yes
Instructions:
1. Update package.json (and the lockfile) so body-parser resolves to 2.2.1 or higher. A copy pulled in transitively, for example by Express 5, is only fixed once the lockfile entry for that nested copy is updated too.
2. Run 'npm update body-parser' or 'yarn upgrade body-parser', then confirm with 'npm ls body-parser' that every copy in the tree is 2.2.1 or higher.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Limit request parameters
Configure body-parser to accept fewer parameters than its default. The default parameterLimit is already 1000, so the option only changes anything when set below that; pick the largest count a legitimate form on the site actually submits (100 is illustrative):
app.use(bodyParser.urlencoded({ parameterLimit: 100 }))
Reduce request size limit
Lower the request body size limit below the 100kb default. This shrinks the attacker's budget per request but does not by itself stop a many-parameter body that fits under the new limit, so combine it with the parameter limit:
app.use(bodyParser.urlencoded({ limit: '50kb' }))
🧯 If You Can't Patch
- Implement rate limiting at the application or network level to prevent sustained attacks
- Deploy WAF rules to detect and block requests with excessive URL-encoded parameters
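The two workarounds above and the WAF rule under "If You Can't Patch" come down to one check: reject a form-encoded body that carries more parameters than the application needs, before the parser runs. The following is an added example written for this page, not body-parser's own code or its API: a Node-core-only pre-filter that applies a byte limit and a parameter ceiling to a raw body. The function and option names (checkUrlencodedRequest, limitBytes, parameterLimit) and the crafted request body are illustrative; the 100kb and 1000 defaults are body-parser's documented ones. It reduces exposure but does not replace the 2.2.1 update.

```javascript
// Added example, not body-parser's own code: a Node-core-only pre-filter that
// rejects URL-encoded bodies with more parameters than the application needs
// before the vulnerable parser sees them. Function and option names here
// (checkUrlencodedRequest, limitBytes, parameterLimit) are illustrative.

const DEFAULT_LIMIT_BYTES = 100 * 1024;  // body-parser's default `limit` ('100kb')
const DEFAULT_PARAMETER_LIMIT = 1000;    // body-parser's default `parameterLimit`

// Compare the media type only, ignoring parameters such as charset and case.
function isFormUrlencoded(contentType) {
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  return type === 'application/x-www-form-urlencoded';
}

// Count '&'-separated pairs, stopping as soon as the ceiling is passed so the
// check costs O(parameterLimit) no matter how large the body is.
function countParameters(body, parameterLimit) {
  if (body.length === 0) return 0;
  let count = 1;
  let index = -1;
  while ((index = body.indexOf('&', index + 1)) !== -1) {
    count++;
    if (count > parameterLimit) break;
  }
  return count;
}

// Decide whether a request may proceed to the parser.
// Returns { allowed, status, reason }; 413 mirrors body-parser's own
// "too many parameters" / "request entity too large" responses.
function checkUrlencodedRequest(headers, body, opts = {}) {
  const limitBytes = opts.limitBytes ?? DEFAULT_LIMIT_BYTES;
  const parameterLimit = opts.parameterLimit ?? DEFAULT_PARAMETER_LIMIT;
  if (!isFormUrlencoded(headers['content-type'])) {
    return { allowed: true, status: 200, reason: 'not urlencoded; not checked here' };
  }
  const bytes = Buffer.byteLength(body, 'utf8');
  if (bytes > limitBytes) {
    return { allowed: false, status: 413, reason: `body is ${bytes} bytes, limit ${limitBytes}` };
  }
  const count = countParameters(body, parameterLimit);
  if (count > parameterLimit) {
    return { allowed: false, status: 413, reason: `more than ${parameterLimit} parameters` };
  }
  return { allowed: true, status: 200, reason: `${count} parameters, ${bytes} bytes` };
}

// Constructed request body for the demo: many tiny pairs that together stay
// far below 100kb, so a size limit alone never fires.
function craftedBody(pairs) {
  return Array.from({ length: pairs }, (_, i) => `p${i}=1`).join('&');
}

if (typeof require !== 'undefined' && require.main === module) {
  const headers = { 'content-type': 'application/x-www-form-urlencoded; charset=utf-8' };
  const body = craftedBody(900);  // below body-parser's default parameterLimit
  console.log('bytes in body       :', Buffer.byteLength(body));
  console.log('default limits      :', checkUrlencodedRequest(headers, body));
  console.log('parameterLimit = 100:', checkUrlencodedRequest(headers, body, { parameterLimit: 100 }));
  console.log('legitimate login    :', checkUrlencodedRequest(headers, 'user=alice&password=hunter2'));
}
```

Run it against the raw body wherever you hold it before body-parser (a reverse-proxy or WAF hook, or a middleware that buffers the body). The demo shows a 900-parameter body of about 6 KB passing both defaults, while a parameterLimit of 100 rejects it with 413; that gap is why the size limit alone is a weak workaround.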
🔍 How to Verify
Check if Vulnerable:
Run 'npm ls body-parser' rather than reading package.json alone: it lists every copy in the dependency tree, including ones pulled in transitively (Express 5 depends on body-parser 2.x), and any copy at 2.2.0 is vulnerable
Check Version:
npm list body-parser | grep body-parser
Verify Fix Applied:
After updating, 'npm list body-parser' must show version 2.2.1 or higher for every copy in the tree, not only the top-level one
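To make the check above repeatable across many services, and to catch the transitive copies that 'npm ls' reports but a glance at package.json misses, here is an added example written for this page, not npm's or body-parser's code: it walks the JSON printed by 'npm ls body-parser --json' and reports every body-parser below the 2.2.1 fix together with the dependency path that pulls it in. The page names 2.2.0 as the affected release; anything else the walker flags below 2.2.1 is a prompt for manual review against the vendor advisory. The sample tree is constructed (including its Express 5 entry), and the function names are illustrative.

```javascript
// Added example, not npm's or body-parser's code: walk the JSON tree printed by
// `npm ls body-parser --json` and report every copy older than the 2.2.1 fix,
// including transitive ones (Express 5 depends on body-parser 2.x, so an app
// that never lists body-parser in package.json can still ship 2.2.0).
// The sample tree below is constructed for the example.

const FIXED_VERSION = '2.2.1';

// Numeric compare of dotted x.y.z versions; a prerelease suffix is ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the nested `dependencies` objects of npm's JSON output.
// Every body-parser below FIXED_VERSION is reported with the path that pulls it in.
function findVulnerableBodyParser(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version || '?'}`];
    if (name === 'body-parser' && info.version &&
        compareVersions(info.version, FIXED_VERSION) < 0) {
      out.push({ version: info.version, path: here.join(' > ') });
    }
    findVulnerableBodyParser(info, here, out);
  }
  return out;
}

// Parse the raw stdout of `npm ls body-parser --json` and run the walk.
function auditNpmLsOutput(jsonText) {
  return findVulnerableBodyParser(JSON.parse(jsonText));
}

// Constructed sample: a direct body-parser 2.2.0 plus a patched copy nested under express.
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    'body-parser': { version: '2.2.0' },
    express: {
      version: '5.1.0',
      dependencies: { 'body-parser': { version: '2.2.1' } },
    },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditNpmLsOutput(SAMPLE_NPM_LS);
  for (const f of findings) console.log(`VULNERABLE body-parser ${f.version}: ${f.path}`);
  if (findings.length === 0) console.log('no body-parser below 2.2.1 found');
}
```

In a real run, capture the output of 'npm ls body-parser --json' in the project directory and pass that text to auditNpmLsOutput; a non-empty result is a finding, and the path tells you which dependency's lockfile entry needs bumping.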
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU/memory usage spikes
- Increased request processing times for URL-encoded POST requests
- Multiple requests with similar parameter patterns
Network Indicators:
- HTTP POST requests with Content-Type: application/x-www-form-urlencoded whose bodies contain hundreds or thousands of '&'-separated parameters while still fitting under the 100kb default size limit
- Sustained high-volume traffic to endpoints using body-parser
SIEM Query (Splunk-style; the field names are placeholders to map onto your HTTP access-log schema, since application logs rarely record a "high cpu" message):
source="access_logs" AND http_method="POST" AND content_type="application/x-www-form-urlencoded*" AND duration_ms>1000 | stats count, max(duration_ms), max(content_length) by src_ip, uri_path | where count>10
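The indicators above translate into a small detection: per source address, count form-encoded POSTs with abnormal processing time inside a sliding window. The following is an added example written for this page, not part of any SIEM or vendor tooling; it runs over constructed JSON access-log lines, and the field names (ts, src_ip, method, path, content_type, content_length, duration_ms, status) are assumptions to be mapped to the real logger.

```javascript
// Added example, not part of the page's SIEM query or any vendor tooling:
// detection logic over constructed JSON access-log lines. The field names
// (ts, src_ip, method, path, content_type, content_length, duration_ms, status)
// are assumptions; map them to whatever your HTTP logger emits.

// Constructed sample: one source sends four slow form-encoded POSTs in nine
// seconds; a normal login and a slow JSON call are present as negatives, plus a
// corrupt line to show that parsing is tolerant.
const SAMPLE_LOG = [
  '{"ts":"2025-11-20T10:00:00Z","src_ip":"203.0.113.7","method":"POST","path":"/login","content_type":"application/x-www-form-urlencoded","content_length":38889,"duration_ms":1850,"status":200}',
  '{"ts":"2025-11-20T10:00:01Z","src_ip":"198.51.100.20","method":"POST","path":"/login","content_type":"application/x-www-form-urlencoded","content_length":41,"duration_ms":120,"status":302}',
  '{"ts":"2025-11-20T10:00:02Z","src_ip":"203.0.113.7","method":"POST","path":"/login","content_type":"application/x-www-form-urlencoded; charset=UTF-8","content_length":38889,"duration_ms":2100,"status":200}',
  '{"ts":"2025-11-20T10:00:04Z","src_ip":"198.51.100.21","method":"POST","path":"/api/report","content_type":"application/json","content_length":9000,"duration_ms":1500,"status":200}',
  '{"ts":"2025-11-20T10:00:05Z","src_ip":"203.0.113.7","method":"POST","path":"/contact","content_type":"application/x-www-form-urlencoded","content_length":38889,"duration_ms":1900,"status":200}',
  'this line is not JSON and should be skipped',
  '{"ts":"2025-11-20T10:00:09Z","src_ip":"203.0.113.7","method":"POST","path":"/login","content_type":"application/x-www-form-urlencoded","content_length":38889,"duration_ms":2400,"status":200}',
].join('\n');

// One JSON object per line; corrupt lines are skipped rather than aborting the run.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch { /* skip corrupt line */ }
  }
  return events;
}

// A form-encoded POST that took longer than the threshold is the per-request signal.
function isSlowFormPost(e, minDurationMs) {
  const type = String(e.content_type || '').split(';')[0].trim().toLowerCase();
  return e.method === 'POST' &&
         type === 'application/x-www-form-urlencoded' &&
         Number(e.duration_ms) >= minDurationMs;
}

// Raise one alert per source that produced `burst` or more slow form POSTs
// inside any `windowMs` window (sliding window over time-sorted events).
function detectSlowFormPosts(text, opts = {}) {
  const minDurationMs = opts.minDurationMs ?? 1000;
  const burst = opts.burst ?? 3;
  const windowMs = opts.windowMs ?? 60_000;

  const hits = parseLogLines(text)
    .filter((e) => isSlowFormPost(e, minDurationMs))
    .sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));

  const bySource = new Map();
  for (const e of hits) {
    if (!bySource.has(e.src_ip)) bySource.set(e.src_ip, []);
    bySource.get(e.src_ip).push(e);
  }

  const alerts = [];
  for (const [src_ip, events] of bySource) {
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      while (Date.parse(events[end].ts) - Date.parse(events[start].ts) > windowMs) start++;
      const n = end - start + 1;
      if (n >= burst && (best === null || n > best.count)) {
        best = { count: n, first: events[start].ts, last: events[end].ts };
      }
    }
    if (best) {
      alerts.push({
        src_ip,
        ...best,
        paths: [...new Set(events.map((e) => e.path))],
        max_duration_ms: Math.max(...events.map((e) => Number(e.duration_ms))),
      });
    }
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of detectSlowFormPosts(SAMPLE_LOG)) {
    console.log(`ALERT ${a.src_ip}: ${a.count} slow form POSTs ${a.first}..${a.last} on ${a.paths.join(', ')}`);
  }
}
```

Tune minDurationMs to the endpoint's normal latency and burst to how many slow requests a single client legitimately produces; the sliding window keeps a slow-drip attacker visible without alerting on a single slow request from a real user.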