Description
📂 Vulnerable Library - body-parser-1.18.3.tgz
Node.js body parsing middleware
Path to dependency file: /package.json
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-154062-641864 | 🟣 Critical | 9.8 | N/A | N/A | ee-first-1.1.1.tgz | Transitive | N/A | ❌ | |
| CVE-275296-826791 | 🟣 Critical | 9.8 | N/A | N/A | qs-6.5.2.tgz | Transitive | N/A | ❌ | |
| CVE-587792-470342 | 🟣 Critical | 9.8 | N/A | N/A | on-finished-2.3.0.tgz | Transitive | N/A | ❌ | |
| CVE-2022-24999 | 🔴 High | 7.5 | Not Defined | 1.1% | qs-6.5.2.tgz | Transitive | N/A | ❌ | |
| CVE-2025-15284 | 🔴 High | 7.5 | Not Defined | < 1% | qs-6.5.2.tgz | Transitive | N/A | ❌ | |
| CVE-2025-13466 | 🟠 Medium | 5.8 | Not Defined | < 1% | body-parser-1.18.3.tgz | Direct | N/A | ❌ | |
Details
🟣CVE-154062-641864
Vulnerable Library - ee-first-1.1.1.tgz
return the first event in a set of ee/event pairs
Library home page: https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
  - on-finished-2.3.0.tgz
    - ❌ ee-first-1.1.1.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-154062-641864
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣CVE-275296-826791
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
  - ❌ qs-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-275296-826791
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟣CVE-587792-470342
Vulnerable Library - on-finished-2.3.0.tgz
Execute a callback when a request closes, finishes, or errors
Library home page: https://registry.npmjs.org/on-finished/-/on-finished-2.3.0.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
  - ❌ on-finished-2.3.0.tgz (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-587792-470342
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2022-24999
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
  - ❌ qs-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b&a[__proto__]&a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 26, 2022 12:00 AM
URL: CVE-2022-24999
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2025-15284
Vulnerable Library - qs-6.5.2.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- body-parser-1.18.3.tgz (Root Library)
  - ❌ qs-6.5.2.tgz (Vulnerable Library)
Vulnerability Details
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs does not enforce limits for bracket notation (a[]=1&a[]=2), allowing attackers to cause denial-of-service via memory exhaustion. Applications using arrayLimit for DoS protection are vulnerable.
Details
The arrayLimit option only checks limits for indexed notation (a[0]=1&a[1]=2) but completely bypasses it for bracket notation (a[]=1&a[]=2).
Vulnerable code (lib/parse.js:159-162):

```js
if (root === '[]' && options.parseArrays) {
    obj = utils.combine([], leaf);  // No arrayLimit check
}
```

Working code (lib/parse.js:175):

```js
else if (index <= options.arrayLimit) {  // Limit checked here
    obj = [];
    obj[index] = leaf;
}
```

The bracket notation handler at line 159 uses utils.combine([], leaf) without validating against options.arrayLimit, while indexed notation at line 175 checks index <= options.arrayLimit before creating arrays.
PoC
Test 1 - Basic bypass:

```bash
npm install qs
```

```js
const qs = require('qs');
const result = qs.parse('a[]=1&a[]=2&a[]=3&a[]=4&a[]=5&a[]=6', { arrayLimit: 5 });
console.log(result.a.length);  // Output: 6 (should be max 5)
```

Test 2 - DoS demonstration:

```js
const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)
```

Configuration:
- arrayLimit: 5 (test 1) or arrayLimit: 100 (test 2)
- Use bracket notation: a[]=value (not indexed a[0]=value)
Impact
Denial of Service via memory exhaustion. Affects applications using qs.parse() with user-controlled input and arrayLimit for protection.
Attack scenario:
- Attacker sends HTTP request: GET /api/search?filters[]=x&filters[]=x&...&filters[]=x (100,000+ times)
- Application parses with qs.parse(query, { arrayLimit: 100 })
- qs ignores limit, parses all 100,000 elements into array
- Server memory exhausted → application crashes or becomes unresponsive
- Service unavailable for all users
Real-world impact:
- Single malicious request can crash server
- No authentication required
- Easy to automate and scale
- Affects any endpoint parsing query strings with bracket notation
Publish Date: Dec 29, 2025 10:56 PM
URL: CVE-2025-15284
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.5
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🟠CVE-2025-13466
Vulnerable Library - body-parser-1.18.3.tgz
Node.js body parsing middleware
Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
- ❌ body-parser-1.18.3.tgz (Vulnerable Library)
Vulnerability Details
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
This issue is addressed in version 2.2.1.
Publish Date: Nov 24, 2025 06:29 PM
URL: CVE-2025-13466
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: