Allocation of Resources Without Limits or Throttling Affecting body-parser package, versions <1.20.6>=2.0.0-beta.1 <2.3.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-BODYPARSER-17906397
  • published9 Jul 2026
  • disclosed9 Jul 2026
  • creditPhillip9587

Introduced: 9 Jul 2026

NewCVE-2026-12590  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade body-parser to version 1.20.6, 2.3.0 or higher.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to invalid limit option handling in normalizeOptions in lib/utils.js. An attacker can force oversized request bodies through by supplying an application configuration value for limit that parses to null, such as an unparseable string or NaN. When an app relies on limit to cap body size, the parser skips enforcement and accepts arbitrarily large payloads, driving excessive memory and CPU usage and degrading or crashing the service.

CVSS Base Scores

version 4.0
version 3.1