Bug 2416818 (CVE-2025-13466) - CVE-2025-13466 body-parser: body-parser denial of service
Summary: CVE-2025-13466 body-parser: body-parser denial of service
Keywords:
Status: NEW
Alias: CVE-2025-13466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2418493 2418494 2418496 2418497 2418498 2418499 2418500 2418501 2418503 2418504 2418505 2418506 2418507 2418508 2418510 2418511 2418512 2418513 2418514 2418515 2418495 2418502 2418509 2418516
Blocks:
Reported: 2025-11-24 19:01 UTC by OSIDB Bzimport
Modified: 2025-12-02 21:18 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-11-24 19:01:13 UTC
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies that contain very large numbers of parameters. An attacker can send payloads containing thousands of parameters that still fit within the default 100 KB request size limit, causing elevated CPU and memory usage; the size limit alone therefore does not bound the work done per request. This can lead to service slowdown or partial outages under sustained malicious traffic.
This issue is addressed in version 2.2.1.

