_posts/2025-12-01-security-releases.md
The Express team has released a new patch version of body-parser addressing a moderate-severity security vulnerability.
{% include admonitions/warning.html content="We recommend upgrading to the latest version of body-parser to secure your applications." %}
The following vulnerabilities have been addressed:
body-parser version 2.2.0 is vulnerable to denial of service when URL encoding is used
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of parameters. An attacker can send payloads containing thousands of parameters within the default 100KB request size limit, causing elevated CPU and memory usage. This can lead to service slowdown or partial outages under sustained malicious traffic.
Affected versions: 2.2.0
Patched version: >= 2.2.1
For more details, see GHSA-wqch-xfxh-vrr4.
We recommend upgrading to the latest version of body-parser to secure your applications.
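To confirm whether a project still installs the affected release, including copies nested under other dependencies, the following added example (not code from the Express project) scans a parsed npm lockfile for body-parser 2.2.0. The names `findBodyParser`, `affectedCopies` and `SAMPLE_LOCK`, and the packages `demo-app`, `legacy-api` and `admin-ui`, are hypothetical, and the sample lockfile is constructed.

```javascript
// Advisory data from this post: affected 2.2.0, patched >= 2.2.1.
const AFFECTED = new Set(['2.2.0']);

// Constructed sample lockfile (lockfileVersion 3 layout); "legacy-api" and
// "admin-ui" are made-up packages that pin their own nested copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/body-parser': { version: '2.2.0' },
    'node_modules/legacy-api/node_modules/body-parser': { version: '1.20.3' },
    'node_modules/admin-ui/node_modules/body-parser': { version: '2.2.1' },
  },
};

// List every installed copy of body-parser, including nested ones.
function findBodyParser(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: AFFECTED.has(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (('/' + path).endsWith('/node_modules/body-parser')) record(path, meta.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = `${trail}node_modules/${name}`;
        if (name === 'body-parser') record(here, meta.version);
        walk(meta.dependencies, `${here}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Copies that must be upgraded to 2.2.1 or later.
function affectedCopies(lock) {
  return findBodyParser(lock).filter((hit) => hit.affected);
}

for (const hit of findBodyParser(SAMPLE_LOCK)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.version} ${hit.path}`);
}
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`.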