Input Validation Flaw in body-parser by Express.js
CVE-2026-12590

3.7LOW

Key Information:

Vendor
CVE Published:
9 July 2026

What is CVE-2026-12590?

A vulnerability in the body-parser middleware affects the handling of the limit option, allowing applications to bypass restrictions on request body sizes when an invalid limit value, such as an unparseable string or NaN, is provided. As a result, applications may inadvertently accept excessively large payloads, leading to increased memory and CPU consumption and potential denial of service. This flaw impacts versions prior to 1.20.6 and 2.3.0 of body-parser. The issue is addressed in later versions by throwing clear errors for invalid limit values, ensuring that non-finite numbers are properly managed. To mitigate the risk, it's recommended to validate limit values before configuration.

Affected Version(s)

body-parser 0 < 1.20.6

body-parser 2.0.0 < 2.3.0

body-parser 1.20.6

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phillip9587
UlisesGascon
bjohansebas
.