Skip to main content

body-parser CVE-2026-12590

| EUVDEUVD-2026-42577 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-09 openjs
5.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (openjs) PRIMARY
LOW
qualitative
NVD
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.7 LOW

AC:H reflects the required misconfiguration precondition (invalid limit value); A:L captures bounded DoS impact; no confidentiality or integrity impact applies.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (openjs).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Severity Changed
Jul 10, 2026 - 02:52 NVD
LOW MEDIUM
CVSS changed
Jul 10, 2026 - 02:52 NVD
3.7 (LOW) 5.9 (MEDIUM)
Patch available
Jul 09, 2026 - 12:16 EUVD
Analysis Generated
Jul 09, 2026 - 12:11 vuln.today

DescriptionNVD

Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.

AnalysisAI

Denial of service in body-parser npm middleware allows unauthenticated remote attackers to submit arbitrarily large HTTP request bodies when the package is misconfigured with an invalid limit option value. Affected versions span both the 1.x line (prior to 1.20.6) and 2.x line (prior to 2.3.0). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Express app accepting large POST bodies
Delivery
Confirm body-parser limit is misconfigured (invalid string/NaN)
Exploit
Send continuous stream of oversized HTTP request bodies
Execution
Force server to allocate unbounded memory for each payload
Persist
Exhaust heap memory and CPU
Impact
Trigger denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application has configured body-parser with an invalid `limit` option value - specifically, a string that cannot be parsed into a valid byte count (e.g., an unresolved environment variable, a placeholder token, an empty string) or a non-finite number such as NaN. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.7 score with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L appropriately captures the conditional nature of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Node.js/Express application that sources its body-parser `limit` value from an environment variable set to an invalid or unresolved string. The attacker sends a stream of HTTP POST requests with multi-gigabyte JSON or URL-encoded bodies. …
Remediation Upgrade body-parser to version 1.20.6 (for 1.x consumers) or 2.3.0 (for 2.x consumers), as confirmed by the OpenJS Foundation advisory at https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy