Skip to content

fix(security/medium): update dependency body-parser to v2.2.1 [security]#15

Closed
renovate-sh-app[bot] wants to merge 1 commit into
mainfrom
renovate/npm-body-parser-vulnerability
Closed

fix(security/medium): update dependency body-parser to v2.2.1 [security]#15
renovate-sh-app[bot] wants to merge 1 commit into
mainfrom
renovate/npm-body-parser-vulnerability

Conversation

@renovate-sh-app
Copy link
Copy Markdown

@renovate-sh-app renovate-sh-app Bot commented Nov 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
body-parser 2.2.02.2.1 age confidence

body-parser is vulnerable to denial of service when url encoding is used

CVE-2025-13466 / GHSA-wqch-xfxh-vrr4

More information

Details

Impact

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.

Patches

This issue is addressed in version 2.2.1.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/body-parser (body-parser)

v2.2.1

Compare Source

=========================

  • Security fix for GHSA-wqch-xfxh-vrr4
  • deps:
    • type-is@^2.0.1
    • iconv-lite@^0.7.0
      • Handle split surrogate pairs when encoding UTF-8
      • Avoid false positives in encodingExists by using prototype-less objects
    • raw-body@^3.0.1
    • debug@^4.4.3

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app Bot requested a review from bbrandys as a code owner November 27, 2025 09:10
@renovate-sh-app renovate-sh-app Bot requested a review from a team as a code owner November 27, 2025 09:10
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch from bf79158 to db74842 Compare December 11, 2025 18:22
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch from db74842 to 43c082d Compare January 8, 2026 18:17
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency body-parser to v2.2.1 [security] chore(deps): update dependency body-parser to v2.2.1 [security] - autoclosed Jan 12, 2026
@renovate-sh-app renovate-sh-app Bot closed this Jan 12, 2026
@renovate-sh-app renovate-sh-app Bot deleted the renovate/npm-body-parser-vulnerability branch January 12, 2026 09:07
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency body-parser to v2.2.1 [security] - autoclosed chore(deps): update dependency body-parser to v2.2.1 [security] Jan 12, 2026
@renovate-sh-app renovate-sh-app Bot reopened this Jan 12, 2026
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 43c082d to 62a4bf5 Compare January 12, 2026 12:11
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 62a4bf5 to 308b745 Compare February 10, 2026 16:14
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch from 308b745 to 0268308 Compare March 31, 2026 16:17
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency body-parser to v2.2.1 [security] chore(deps): update dependency body-parser to v2.2.1 [security] - autoclosed May 14, 2026
@renovate-sh-app renovate-sh-app Bot closed this May 14, 2026
@renovate-sh-app
fix(security/medium): update dependency body-parser to v2.2.1 [security]
10fffae 
| datasource | package     | from  | to    |
| ---------- | ----------- | ----- | ----- |
| npm        | body-parser | 2.2.0 | 2.2.1 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app Bot changed the title chore(deps): update dependency body-parser to v2.2.1 [security] - autoclosed fix(security/medium): update dependency body-parser to v2.2.1 [security] May 15, 2026
@renovate-sh-app renovate-sh-app Bot reopened this May 15, 2026
@renovate-sh-app renovate-sh-app Bot force-pushed the renovate/npm-body-parser-vulnerability branch 2 times, most recently from 0268308 to 10fffae Compare May 15, 2026 16:14
@phlope phlope closed this May 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bbrandys bbrandys Awaiting requested review from bbrandys

Assignees

No one assigned

Labels

automerge-security-update severity:MEDIUM update-patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@phlope