Input Validation Flaw in body-parser by Express.js
CVE-2026-12590
What is CVE-2026-12590?
A vulnerability in the body-parser middleware affects the handling of the limit option, allowing applications to bypass restrictions on request body sizes when an invalid limit value, such as an unparseable string or NaN, is provided. As a result, applications may inadvertently accept excessively large payloads, leading to increased memory and CPU consumption and potential denial of service. This flaw impacts versions prior to 1.20.6 and 2.3.0 of body-parser. The issue is addressed in later versions by throwing clear errors for invalid limit values, ensuring that non-finite numbers are properly managed. To mitigate the risk, it's recommended to validate limit values before configuration.
Affected Version(s)
body-parser 0 < 1.20.6
body-parser 2.0.0 < 2.3.0
body-parser 1.20.6
