chore(deps): update dependency body-parser to v2.2.1 [security]#63
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency body-parser to v2.2.1 [security]#63renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
December 3, 2025 17:33
7f253c7 to
35360f7
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
December 31, 2025 14:01
35360f7 to
2684966
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
January 8, 2026 20:07
2684966 to
14c77c9
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
February 2, 2026 17:01
14c77c9 to
e4562ee
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
2 times, most recently
from
February 17, 2026 19:48
dd2bd68 to
10b609b
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
March 5, 2026 14:42
10b609b to
aa02d30
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
2 times, most recently
from
March 30, 2026 22:13
aa02d30 to
7f71593
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
April 8, 2026 16:57
7f71593 to
e4715a3
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
April 29, 2026 16:39
e4715a3 to
28c848c
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
3 times, most recently
from
May 18, 2026 12:50
ab9747b to
52688c6
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
May 28, 2026 20:56
52688c6 to
f3db403
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
June 11, 2026 17:45
f3db403 to
5c48835
Compare
renovate
Bot
force-pushed
the
renovate/npm-body-parser-vulnerability
branch
from
July 12, 2026 11:02
5c48835 to
621e959
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.2.0→2.2.1body-parser is vulnerable to denial of service when url encoding is used
CVE-2025-13466 / GHSA-wqch-xfxh-vrr4
More information
Details
Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
Patches
This issue is addressed in version 2.2.1.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:PReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
expressjs/body-parser (body-parser)
v2.2.1Compare Source
=========================
encodingExistsby using prototype-less objectsConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.