body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
Release Notes
expressjs/body-parser (body-parser)
### [`v1.20.3`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1203--2024-09-10)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.2...1.20.3)
\===================
- deps: qs@6.13.0
- add `depth` option to customize the depth level in the parser
- IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`)
### [`v1.20.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1202--2023-02-21)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.1...1.20.2)
\===================
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- perf: skip value escaping when unnecessary
- deps: raw-body@2.5.2
### [`v1.20.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1201--2022-10-06)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.0...1.20.1)
\===================
- deps: qs@6.11.0
- perf: remove unnecessary object clone
### [`v1.20.0`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1200--2022-04-02)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.2...1.20.0)
\===================
- Fix error message for json parse whitespace in `strict`
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: depd@2.0.0
- Replace internal `eval` usage with `Function` constructor
- Use instance methods on `process` to check for listeners
- deps: http-errors@2.0.0
- deps: depd@2.0.0
- deps: statuses@2.0.1
- deps: on-finished@2.4.1
- deps: qs@6.10.3
- deps: raw-body@2.5.1
- deps: http-errors@2.0.0
### [`v1.19.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1192--2022-02-15)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.1...1.19.2)
\===================
- deps: bytes@3.1.2
- deps: qs@6.9.7
- Fix handling of `__proto__` keys
- deps: raw-body@2.4.3
- deps: bytes@3.1.2
### [`v1.19.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1191--2021-12-10)
[Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.0...1.19.1)
\===================
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: inherits@2.0.4
- deps: toidentifier@1.0.1
- deps: setprototypeof@1.2.0
- deps: qs@6.9.6
- deps: raw-body@2.4.2
- deps: bytes@3.1.1
- deps: http-errors@1.8.1
- deps: safe-buffer@5.2.1
- deps: type-is@~1.6.18
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
1.19.0
->1.20.3
GitHub Vulnerability Alerts
CVE-2024-45590
Impact
body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service.
Patches
this issue is patched in 1.20.3
References
Release Notes
expressjs/body-parser (body-parser)
### [`v1.20.3`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1203--2024-09-10) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.2...1.20.3) \=================== - deps: qs@6.13.0 - add `depth` option to customize the depth level in the parser - IMPORTANT: The default `depth` level for parsing URL-encoded data is now `32` (previously was `Infinity`) ### [`v1.20.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1202--2023-02-21) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.1...1.20.2) \=================== - Fix strict json error message on Node.js 19+ - deps: content-type@~1.0.5 - perf: skip value escaping when unnecessary - deps: raw-body@2.5.2 ### [`v1.20.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1201--2022-10-06) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.20.0...1.20.1) \=================== - deps: qs@6.11.0 - perf: remove unnecessary object clone ### [`v1.20.0`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1200--2022-04-02) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.2...1.20.0) \=================== - Fix error message for json parse whitespace in `strict` - Fix internal error when inflated body exceeds limit - Prevent loss of async hooks context - Prevent hanging when request already read - deps: depd@2.0.0 - Replace internal `eval` usage with `Function` constructor - Use instance methods on `process` to check for listeners - deps: http-errors@2.0.0 - deps: depd@2.0.0 - deps: statuses@2.0.1 - deps: on-finished@2.4.1 - deps: qs@6.10.3 - deps: raw-body@2.5.1 - deps: http-errors@2.0.0 ### [`v1.19.2`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1192--2022-02-15) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.1...1.19.2) \=================== - deps: bytes@3.1.2 - deps: qs@6.9.7 - Fix handling of `__proto__` keys - deps: raw-body@2.4.3 - deps: bytes@3.1.2 ### [`v1.19.1`](https://redirect.github.com/expressjs/body-parser/blob/HEAD/HISTORY.md#1191--2021-12-10) [Compare Source](https://redirect.github.com/expressjs/body-parser/compare/1.19.0...1.19.1) \=================== - deps: bytes@3.1.1 - deps: http-errors@1.8.1 - deps: inherits@2.0.4 - deps: toidentifier@1.0.1 - deps: setprototypeof@1.2.0 - deps: qs@6.9.6 - deps: raw-body@2.4.2 - deps: bytes@3.1.1 - deps: http-errors@1.8.1 - deps: safe-buffer@5.2.1 - deps: type-is@~1.6.18Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.