HIGH · CVSS 7.5

CVE-2024-45590 — body-parser DoS via deeply nested URL-encoded input

A DoS vulnerability in `body-parser` let an attacker tie up a Node.js process's event loop with a single request: the URL-encoded parser placed no limit on how deeply bracketed keys could nest, so a small `application/x-www-form-urlencoded` body could force a long synchronous parse.

Affects
  • body-parser < 1.20.3

What an attacker does

The attacker sends a POST with a form body containing deeply nested keys (`a[b][c][d]...`). With `extended: true` (the default in body-parser 1.x), the URL-encoded parser hands the body to `qs`, which builds one nested object per bracket segment, synchronously, on the event loop. Nothing else on that process runs until the parse finishes, so latency for every concurrent request spikes; a handful of such requests in flight is enough to keep the process busy. No authentication is needed, only a route that accepts form bodies.

How to detect

Check the lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml) for any body-parser entry below 1.20.3, including copies nested under other packages. Applications rarely depend on it directly: it arrives transitively through Express, and therefore through NestJS's Express platform adapter and many other frameworks, so a single fixed top-level entry is not proof that every copy is fixed. `npm ls body-parser` lists each installed copy with its path.
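As an added example (not Securie's, npm's or body-parser's code), the scanner below walks a package-lock.json, both the v2/v3 `packages` map and the v1 `dependencies` tree, and reports every body-parser copy below 1.20.3 with its install path. The embedded lockfiles are constructed for the example; the `legacy-admin` package is hypothetical and stands in for any dependency that pins an older Express.

```javascript
// Added example (not Securie's or npm's code): report every body-parser copy
// below 1.20.3 in an npm lockfile, including copies nested under other packages.
// The sample lockfiles at the bottom are constructed for this example.

const FIXED = [1, 20, 3]; // first version that caps URL-encoded nesting depth

// "1.20.2" -> [1, 20, 2]; null for git URLs, tags, etc. Pre-release suffixes
// are ignored, which is a simplification (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isVulnerable(version) {
  const parsed = parseVersion(version);
  if (!parsed) return false; // unparseable: review manually
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== FIXED[i]) return parsed[i] < FIXED[i];
  }
  return false; // exactly 1.20.3
}

// lockfileVersion 2/3: "packages" maps install paths to metadata.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith('node_modules/body-parser')) continue;
    if (meta.version && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// lockfileVersion 1: "dependencies" is a tree; nested copies live under
// each package's own "dependencies".
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'body-parser' && meta.version && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}

function scanLockfile(lock) {
  return lock.packages ? scanPackagesMap(lock.packages) : scanDependencyTree(lock.dependencies, '', []);
}

// Constructed v3 lockfile: the app's own body-parser is patched, but a
// hypothetical "legacy-admin" package pins an older Express that still
// brings in body-parser 1.20.2 under its own node_modules.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { express: '^4.20.0', 'legacy-admin': '0.1.0' } },
    'node_modules/express': { version: '4.20.0', dependencies: { 'body-parser': '1.20.3' } },
    'node_modules/body-parser': { version: '1.20.3' },
    'node_modules/legacy-admin': { version: '0.1.0', dependencies: { express: '4.19.2' } },
    'node_modules/legacy-admin/node_modules/express': { version: '4.19.2' },
    'node_modules/legacy-admin/node_modules/body-parser': { version: '1.20.2' },
  },
};

// Constructed v1 lockfile with the same nested layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: '4.19.2',
      dependencies: { 'body-parser': { version: '1.20.2' } },
    },
  },
};

for (const hit of scanLockfile(SAMPLE_LOCK_V3)) {
  console.log(`VULNERABLE ${hit.path}@${hit.version} (fixed in 1.20.3)`);
}
```

Run it against a real lockfile with `scanLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. The point of the nested sample is the one that matters in practice: the top-level body-parser is already 1.20.3, and a naive "is body-parser fixed?" check on the root entry would report the project clean while the copy under `legacy-admin` is still vulnerable.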

How to fix

Upgrade body-parser to 1.20.3 or later. Express 4.20.0+ pulls in the fixed version; for NestJS, update `@nestjs/platform-express` and re-resolve the lockfile so the Express copy underneath it moves too, then re-run the lockfile check above to confirm no older copy remains. body-parser 1.20.3 caps URL-encoded nesting at 32 levels by default and adds a `depth` option to `urlencoded()` for a tighter limit when your forms never nest that deep. Until you can upgrade, lowering the `limit` option on the urlencoded parser is a partial mitigation only: each `[b]` segment costs the attacker three bytes, so the default 100kb body still allows tens of thousands of levels.
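The following is an added example, not body-parser's or qs's code, and it serves both the "What an attacker does" section and the fix above: it builds the nested-key payload an attacker would send and feeds it to a small bracket-notation parser written for this page, once without a depth limit (the pre-1.20.3 behaviour) and once with the 32-level cap that 1.20.3 makes the default. Keeping the segments beyond the cap as a single literal key is modelled on what the qs `depth` option does; the parser itself is illustrative, not a reimplementation.

```javascript
// Added example (not body-parser's or qs's code): the nested-key payload from
// CVE-2024-45590 and a minimal form parser with and without a depth cap.

// Attacker side: "a[b][b]...[b]=1" with `levels` bracket segments. Brackets are
// sent raw here; a real client may percent-encode them, which decode handles.
function buildNestedPayload(levels, key = 'a', inner = 'b') {
  return key + `[${inner}]`.repeat(levels) + '=1';
}

// Split "a[b][c]" into ["a", "b", "c"]; keys without brackets stay whole.
function splitKey(rawKey) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(rawKey);
  if (!m) return [rawKey];
  const segments = [m[1]];
  const bracketRe = /\[([^[\]]*)\]/g;
  let b;
  while ((b = bracketRe.exec(m[2])) !== null) segments.push(b[1]);
  return segments;
}

// Parse an x-www-form-urlencoded body into nested objects.
// maxDepth = Infinity reproduces the unbounded walk of body-parser < 1.20.3.
// A finite maxDepth keeps at most that many bracket segments after the top-level
// key and stores whatever remains as one literal key (qs-style `depth`).
function parseForm(body, maxDepth = Infinity) {
  const result = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    let segments = splitKey(rawKey);
    if (segments.length - 1 > maxDepth) {
      const kept = segments.slice(0, maxDepth + 1);
      const rest = segments.slice(maxDepth + 1).map((s) => `[${s}]`).join('');
      segments = [...kept, rest];
    }
    // Every segment below allocates an object synchronously on the event loop.
    let node = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Number of nested object levels the parser actually created.
function nestingDepth(obj) {
  let depth = 0;
  for (const v of Object.values(obj)) {
    if (v && typeof v === 'object') depth = Math.max(depth, 1 + nestingDepth(v));
  }
  return depth;
}

const payload = buildNestedPayload(1000);
console.log('payload bytes:', payload.length);                    // ~3 KB, well under the 100kb default limit
console.log('uncapped depth:', nestingDepth(parseForm(payload)));  // 1000 objects built
console.log('capped depth:', nestingDepth(parseForm(payload, 32))); // 33: top-level key + 32 levels, rest is one string key
```

With no cap, a 3 KB body produces 1000 nested objects, each allocated and walked synchronously before the request handler ever runs, and the cost grows linearly with the body up to whatever `limit` allows. With the cap, the walk stops after 32 levels and the remainder of the key becomes a single string key, so the work per request is bounded regardless of body size. In Express 4.20.0+ the equivalent setting is `express.urlencoded({ extended: true, depth: 32 })`, with a smaller `depth` if your forms never nest that far.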

How Securie catches it

Securie flags vulnerable body-parser versions wherever they appear in the dependency graph, including transitive copies nested under Express, NestJS or other packages, not just the top-level entry.

References