Bug 2498472 (CVE-2026-12590)

Summary: CVE-2026-12590 body-parser: body-parser: Denial of Service via invalid limit option
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, alizardo, anpicker, anthomas, anujha, aruklets, asoldano, ataylor, bbaranow, bbrownin, bmaxwell, bparees, brasmith, bstansbe, cdrage, cmah, cochase, dbosanac, dbruscin, dhanak, dkeler, dkuc, dlofthou, doconnor, dranck, drosa, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, ehelms, ehugonne, fmariani, ggainey, ggrzybek, gmalinko, gparvin, hasun, ibolton, istudens, ivassile, iweiss, janstey, jchui, jfula, jhe, jlanda, jmatthew, jmontleo, jolong, jowilson, jpasqual, jraez, jreimann, juwatts, jwong, jwon, kaycoth, kingland, kshier, ktsao, kvanderr, lball, lchilton, manissin, mbarnett, mcarlett, mdessi, mhulan, mnovotny, mosmerov, mrizzi, mstipich, msvehla, nboldt, ngough, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, orabin, osousa, parichar, pberan, pcattana, pcreech, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rekumar, rexwhite, rhaigner, rhel-process-autobot, rjohnson, rstancel, rstepani, rushinde, sausingh, sdawley, sfeifer, simaishi, slucidi, smallamp, sseago, stcannon, sthirugn, suppawar, syedriko, tasato, tcunning, teagle, thason, thjenkin, tmalecek, ttakamiy, vdosoudi, veshanka, vvoronko, watson-tool-maintainers, xdharmai, yfang, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in body-parser. When the parser is configured with an invalid limit option, such as an unparseable string or a non-numeric value, the request body size check is bypassed. This allows a remote attacker to send arbitrarily large payloads, consuming excessive memory and CPU resources. This can lead to a Denial of Service (DoS) condition, making the application unavailable to legitimate users.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2498722, 2498723, 2498724, 2498725, 2498726, 2498727, 2498728, 2498729, 2498730, 2498731, 2498732, 2498733, 2498735, 2498736, 2498737, 2498734, 2498738    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-09 11:01:42 UTC
Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.