Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AC:H reflects the required misconfiguration precondition (invalid limit value); A:L captures bounded DoS impact; no confidentiality or integrity impact applies.
Primary rating from Vendor (openjs).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.
AnalysisAI
Denial of service in body-parser npm middleware allows unauthenticated remote attackers to submit arbitrarily large HTTP request bodies when the package is misconfigured with an invalid limit option value. Affected versions span both the 1.x line (prior to 1.20.6) and 2.x line (prior to 2.3.0). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application has configured body-parser with an invalid `limit` option value - specifically, a string that cannot be parsed into a valid byte count (e.g., an unresolved environment variable, a placeholder token, an empty string) or a non-finite number such as NaN. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.7 score with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L appropriately captures the conditional nature of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Node.js/Express application that sources its body-parser `limit` value from an environment variable set to an invalid or unresolved string. The attacker sends a stream of HTTP POST requests with multi-gigabyte JSON or URL-encoded bodies. … |
| Remediation | Upgrade body-parser to version 1.20.6 (for 1.x consumers) or 2.3.0 (for 2.x consumers), as confirmed by the OpenJS Foundation advisory at https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Body Parser
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42577