November 2025 Security Releases
The Express team has released a new patch version of body-parser addressing a moderate-severity security vulnerability.
Warning
We recommend upgrading to the latest version of body-parser to secure your applications.
The following vulnerabilities have been addressed:
CVE-2025-13466 in Body-parser middleware (Moderate)
body-parser version 2.2.0 is vulnerable to denial of service when url encoding is used
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
Affected versions: 2.2.0
Patched version: >= 2.2.1
For more details, see GHSA-wqch-xfxh-vrr4.
We recommend upgrading to the latest version of body-parser to secure your applications.
Edit this page