๐Ÿ” CVE Alert

CVE-2026-12590

LOW 3.7

body-parser vulnerable to denial of service when invalid limit value silently disables size enforcement

CVSS Score
3.7
EPSS Score
0.0%
EPSS Percentile
0th

Impact: In body-parser versions prior to 1.20.6 (1.x line) and 2.3.0 (2.x line), when the parser is configured with an invalid limit option value such as an unparseable string or NaN, bytes.parse returns null and the request body size check is silently skipped. Applications that rely on limit as their primary safeguard against oversized request bodies will accept arbitrarily large payloads, leading to excessive memory and CPU usage and denial of service. Patches: This issue is fixed in body-parser 1.20.6 and 2.3.0. After the fix, invalid limit values throw a clear error at parser construction time instead of silently disabling enforcement, while null and undefined continue to fall back to the default limit of 100kb. Workarounds: Validate the limit value before passing it to body-parser. For example, parse the value at startup and reject any configuration where the result is null or a non-finite number.

CWE CWE-770
Vendor body-parser
Product body-parser
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for body-parser body-parser

Be the first to know when new low vulnerabilities affecting body-parser body-parser are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

body-parser / body-parser
0 < 1.20.6 2.0.0 < 2.3.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/expressjs/body-parser/security/advisories/GHSA-v422-hmwv-36x6 cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

๐Ÿ” Phillip9587 UlisesGascon bjohansebas