CVE-2025-13466 Affecting opensearch-dashboards-2 package, versions <2.19.4-r2

Q: How to fix?

Upgrade Chainguard opensearch-dashboards-2 to version 2.19.4-r2 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-CHAINGUARDLATEST-OPENSEARCHDASHBOARDS2-14149131
published29 Nov 2025
disclosed24 Nov 2025

Report a new vulnerability Found a mistake?

Introduced: 24 Nov 2025

NewCVE-2025-13466 (opens in a new tab)

How to fix?

Upgrade Chainguard opensearch-dashboards-2 to version 2.19.4-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream opensearch-dashboards-2 package and not the opensearch-dashboards-2 package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic. This issue is addressed in version 2.2.1.

References

https://github.com/expressjs/body-parser/security/advisories/GHSA-wqch-xfxh-vrr4