Bug 2498472 (CVE-2026-12590) - CVE-2026-12590 body-parser: body-parser: Denial of Service via invalid limit option
Summary: CVE-2026-12590 body-parser: body-parser: Denial of Service via invalid limit ...
Keywords:
Status: NEW
Alias: CVE-2026-12590
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2498722 2498723 2498724 2498725 2498726 2498727 2498728 2498729 2498730 2498731 2498732 2498733 2498734 2498735 2498736 2498737 2498738
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-09 11:01 UTC by OSIDB Bzimport
Modified: 2026-07-09 20:29 UTC (History)
133 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-09 11:01:42 UTC
Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.


Note You need to log in before you can comment on or make changes to this bug.