CVE-2024-45590

body-parser vulnerable to denial of service when url encoding is enabled

CVSS 7.5 (High) · EPSS 0.8% · CWE-405
In short

body-parser, a Node.js library that processes incoming request data, can be exploited to crash or slow down a server when URL encoding is enabled. An attacker can send specially crafted requests that consume excessive server resources, making the service unavailable to legitimate users.

Technical detail

body-parser versions prior to 1.20.3 are vulnerable to denial of service via malicious URL-encoded payloads. The vulnerability is triggered when the URL encoding parser processes crafted input, consuming excessive CPU or memory resources. Attackers can exploit this by sending multiple specially crafted requests without authentication, causing service degradation or unavailability.

Summary generated and translated by AI from the official description.
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
expressjs · body-parser
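As an added example, not part of this advisory page or the body-parser project, the following Node.js helper turns the advisory's two conditions (a body-parser release before 1.20.3, and URL encoding enabled) into an exposure check a defender can run over an inventory entry. The `deployment` object shape and the function names are assumptions made for this example.

```javascript
'use strict';

// Version in which the advisory says CVE-2024-45590 is patched.
const PATCHED_VERSION = '1.20.3';

// Parse "MAJOR.MINOR.PATCH" into three numbers. A leading "v" and any
// pre-release or build suffix are ignored; anything else is rejected.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Negative when a < b, 0 when equal, positive when a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Affected range from the advisory: every body-parser release before 1.20.3.
function isAffectedVersion(version) {
  return compareSemver(version, PATCHED_VERSION) < 0;
}

// Combine the installed version with whether the urlencoded parser is in
// use: the advisory applies only when URL encoding is enabled.
// `deployment` is a constructed inventory record (assumed shape), e.g.
//   { version: '1.20.2', urlencodedEnabled: true }
function assessExposure(deployment) {
  const affected = isAffectedVersion(deployment.version);
  const exposed = affected && Boolean(deployment.urlencodedEnabled);
  let advice;
  if (!affected) {
    advice = `body-parser ${deployment.version} is >= ${PATCHED_VERSION}; not affected`;
  } else if (exposed) {
    advice = `body-parser ${deployment.version} with urlencoded enabled: upgrade to >= ${PATCHED_VERSION}`;
  } else {
    advice = `body-parser ${deployment.version} is affected but urlencoded is disabled; upgrade anyway`;
  }
  return { affected, exposed, advice };
}

// Stand-alone run over a constructed inventory.
for (const d of [{ version: '1.20.2', urlencodedEnabled: true },
                 { version: 'v1.20.3', urlencodedEnabled: true }]) {
  console.log(assessExposure(d).advice);
}
```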
